Programmatically review local users, find the default (built-in) administrator, change the username, then change the password

Posted on 2003-03-07
Medium Priority
Last Modified: 2013-12-04
Regarding administrator accounts on local machines that are part of a mixed NT/2000 domain.

Currently I am pushing a VB program using SMS that simply uses cusrmgr to rename the local administrator and then changes the password.  I have some concerns though.

1)  I cannot verify that "Administrator" is the built-in administrator, i.e. someone may have renamed it.
2)  There is no error checking; I have no idea whether I am successful or not.
3)  Some instances of renaming are occurring, but the password remains the old password.

I would like to do the following:

1)  List all users in the "Local Administrators" group for each client computer
2)  Find the built-in admin (I read that it can be identified by a SID ending in 500, but this is not always true)
3)  Change the username of the built-in administrator
4)  Change the password of the built-in administrator
5)  Handle/report errors
6)  Write a file of all users in the "Local Administrators" group.

Any help would be appreciated.
Question by: davidstickelman
LVL 12

Expert Comment

ID: 8090807
I can't solve your question about the builtin administrator, but how about making a note of the administrator's SID just after installing your workstations? I only know about SID 500 for the local Administrator.

But I have written a freeware tool that reports on your questions 1, 5 and 6.

You (and everybody else) can download it from:


I hope this will help you.

Many Regards
Jorgen Malmgren


Expert Comment

ID: 8093870
Administrators (i.e. a USER, not a group like Domain Admins or ADMINISTRATORS) always have the "500".


Expert Comment

ID: 8093874
This MSKB article may help:


LVL 85

Accepted Solution

oBdA earned 750 total points
ID: 8095703
Hi David,

try the script below; but as usual: use it at your own risk, test it thoroughly before applying it, etc. The script only uses MS standard tools, so it should be safe, but, hey, we're talking computers here.

You're already using cusrmgr, so you should have the Resource Kit; the script needs addusers.exe, getsid.exe and cusrmgr.exe and should run on NT4, W2k and XP (I tested it in a workgroup on W2k against an NT4 test client). It relies on the builtin system administrator account having the RID 500, but this should always be the case, as this administrator account cannot be deleted and cannot be removed from the local Administrators group. (If the builtin account cannot be determined that way, the script makes no changes to the system.)
It takes either a remote machine name as a single argument, or "/L" as the first argument and a file with a list of computer names (one name per line) as the second argument, so you can process a bunch of machines at once.
It will print the results on the screen and create a ";"-separated log file as well that you can import into Excel or whatever. (Careful when running the script twice: it makes no backup of the former log file, it just overwrites it without warning!) The log file lists the machine name, the local administrator accounts and their SIDs, the builtin administrator account, other members of the local Administrators group (well, it should list them, but I have no domain at hand right now for really testing this ...), and the return codes of the "rename" and the "change password" process. The administrator lists are ","-separated.
For testing purposes, you can create a new administrator account on a test client, run the script in test mode to find out about the SID, and then change the RID in the script to the one of the test account, so that you only manipulate this one (that's how I tested it); note that (as an additional precaution) the RID is set to "xxx" instead of "500" in the script at the moment, so it will never find an account to change.
Please note, too, that the script is in test mode right now; set "Test" to an empty string to actually make the changes; while it is in test mode, it will do everything as usual, but it will not change the name or the password.
Check whether the name of the Administrators group is correct and adjust it to your localized name.
(Oh, and if you have a lot of local accounts, the script might run into a length limitation.)
If it doesn't suit your needs, it should at least give you enough inspiration for another solution. ;)

@echo off
rem *** renbiadmin.cmd
rem *** Renames the built in administrator account of the specified machine and changes the password.
rem *** Necessary external tools: addusers.exe, getsid.exe, cusrmgr.exe
rem *** New name of the builtin administrator account:
set NewAdmin=LocalAdmin
rem *** New password of the builtin administrator account:
set NewPassword=Secret
rem *** Test mode:
rem *** "set Test=echo" (without quotation marks) for testing purposes,
rem *** "set Test=" (without quotation marks) to get serious
rem *** in test mode, it will do everything as usual, but it will neither
rem *** rename the account(s) found nor change the password.
set Test=echo
rem *** Builtin System Administrator RID (Default: 500):
set BIAdminRID=xxx
rem *** The name of the Local Administrators Group:
set AdminGroup=Administrators
rem *** Delimiter for addusers; this character may NOT appear in the description of the Local Administrators Group!
set Delim=~
rem *** path and name of the log file:
set LogFile=renbiadmin.log
rem *** some temp file, gets deleted afterwards
rem *** (the path must not contain spaces: the "for /f" below reads it unquoted)
set TempFile=%Temp%\renbiadmin.tmp

if %1.==. goto leave
(echo Machine Name;Local Admins;Builtin Admin;Other Admins;Return Code "Rename";Return Code "New Password")>"%LogFile%"
echo ======================================================================
if /i not %1.==/L. goto process
if %2.==. goto leave
for /f %%a in (%2) do call :process %%a
goto leave

:process
set Machine=%1
set LocalAdmins=
set BuiltinAdmin=
set OtherAdmins=
rem *** Get the target machine's local accounts:
addusers /d "%TempFile%" /s:%Delim% \\%Machine% >NUL
rem *** Filter the Local Administrators Group:
for /f "tokens=1,2* delims=%Delim%" %%a in (%TempFile%) do if "%%a"=="%AdminGroup%" set TempAdmins=%%c
del %TempFile%
rem *** Check the local administrators for the built in account,
rem *** one member per loop until the member list is exhausted:
:CheckAdmins
for /f "tokens=1* delims=%Delim%" %%a in ("%TempAdmins%") do (
  set CheckAdmin=%%a
  set TempAdmins=%%b
  call :FindBuiltIn
)
if not "%TempAdmins%"=="" goto CheckAdmins

rem *** Check if the builtin account was found:
if "%BuiltinAdmin%"=="" (
  set BuiltinAdmin=[Undetermined]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  goto log
)

rem *** Check if the builtin account already has the correct name:
if /i "%BuiltinAdmin%"=="%NewAdmin%" (
  set RCRename=[skipped: name ok]
  goto ChangePass
)
rem *** Rename the builtin account and save the return code:
set RCRename=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %BuiltinAdmin% -m \\%Machine% -r %NewAdmin% ^| find /i "ERROR"') do set RCRename=%%a
if "%RCRename%"=="" set RCRename=0

rem *** Check if renaming was successful:
if %RCRename% GTR 0 (
  set RCNewPass=[skipped: couldn't rename]
  goto log
)
:ChangePass
rem *** Change the password and save the return code:
set RCNewPass=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %NewAdmin% -m \\%Machine% -P %NewPassword% ^| find /i "ERROR"') do set RCNewPass=%%a
if "%RCNewPass%"=="" set RCNewPass=0
goto log

rem **********************************************************************
rem *** Subroutine:
:FindBuiltIn
rem *** Check if the account to be tested is a local one:
for /f "tokens=1,2 delims=\" %%a in ("%CheckAdmin%") do (
  set CheckDomain=%%a
  set CheckAdmin=%%b
)
rem *** if it's not a local one, save it and return:
if /i not %CheckDomain%==%Machine% (
  set OtherAdmins=%OtherAdmins%,%CheckDomain%\%CheckAdmin%
  goto :eof
)

rem *** Get the administrator's SID of the remote machine:
for /f "tokens=7 skip=2" %%a in ('getsid \\%Machine% %CheckAdmin% \\%Machine% %CheckAdmin%') do set SID=%%a
set TempSID=%SID%
rem *** Get the Relative Identifier (the part after the last "-"):
:GetRID
for /f "tokens=1* delims=-" %%a in ("%TempSID%") do (
  set RID=%%a
  set TempSID=%%b
)
if not "%TempSID%"=="" goto GetRID
set LocalAdmins=%LocalAdmins%,%CheckAdmin% {%SID%}
if %RID%==%BIAdminRID% set BuiltinAdmin=%CheckAdmin%
goto :eof
rem **********************************************************************

:log
rem *** strip the leading "," from the lists:
set LocalAdmins=%LocalAdmins:~1%
if "%OtherAdmins%"=="" set OtherAdmins=,[None]
set OtherAdmins=%OtherAdmins:~1%
(echo %Machine%;%LocalAdmins%;%BuiltinAdmin%;%OtherAdmins%;%RCRename%;%RCNewPass%)>>"%LogFile%"
echo Machine:       %Machine%
echo Local Admins:  %LocalAdmins%
echo Builtin Admin: %BuiltinAdmin%
echo Other Admins:  %OtherAdmins%
echo RC Rename:     %RCRename%
echo RC Password:   %RCNewPass%
echo ======================================================================

:leave
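As an added example (not code from the thread), the same procedure on current Windows with the Microsoft.PowerShell.LocalAccounts cmdlets: it picks the RID-500 account out of the local Administrators group and addresses it by SID for both the rename and the password change, so an earlier rename cannot make the password step miss, and it writes one ";"-separated row per machine like the script above. The parameter names, the CSV layout and the WinRM requirement are my assumptions.

```powershell
# Added example, not the thread's script: the same procedure with the
# Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later).
# Assumes WinRM is enabled on the targets and the caller is an administrator there.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [Parameter(Mandatory)][string]$NewAdmin,
    [Parameter(Mandatory)][securestring]$NewPassword,
    [string]$LogFile = 'renbiadmin.csv',
    [switch]$Test    # like "set Test=echo": report everything, change nothing
)

$work = {
    param([string]$NewAdmin, [securestring]$NewPassword, [bool]$Test)
    $r = [ordered]@{ Machine = $env:COMPUTERNAME; LocalAdmins = ''; BuiltinAdmin = '[Undetermined]'
                     OtherAdmins = '[None]'; RCRename = '[skipped]'; RCNewPass = '[skipped]' }
    try {
        # S-1-5-32-544 is the Administrators group on every Windows machine, whatever it is called.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $local = @($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' })
        $other = @($members | Where-Object { $_.PrincipalSource -ne 'Local' })
        $r.LocalAdmins = ($local | ForEach-Object { "$($_.Name) {$($_.SID.Value)}" }) -join ','
        if ($other) { $r.OtherAdmins = $other.Name -join ',' }
        # The built-in account is the local user with RID 500, whatever its current name;
        # both changes use its SID, so a rename that already happened cannot make the password step miss.
        $bi = $local | Where-Object { $_.SID.Value -match '-500$' } | Select-Object -First 1
        if (-not $bi) { return [pscustomobject]$r }
        $r.BuiltinAdmin = $bi.Name.Split('\')[-1]
        if ($r.BuiltinAdmin -ieq $NewAdmin) { $r.RCRename = '[skipped: name ok]' }
        else {
            Rename-LocalUser -SID $bi.SID -NewName $NewAdmin -WhatIf:$Test -ErrorAction Stop
            $r.RCRename = 0
        }
        Set-LocalUser -SID $bi.SID -Password $NewPassword -WhatIf:$Test -ErrorAction Stop
        $r.RCNewPass = 0
    } catch {
        # Record the failure in the row instead of leaving the old name or password unnoticed.
        if ($r.RCRename -eq '[skipped]') { $r.RCRename = "ERROR: $($_.Exception.Message)" }
        else { $r.RCNewPass = "ERROR: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

$results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $work `
    -ArgumentList $NewAdmin, $NewPassword, $Test.IsPresent -ErrorAction SilentlyContinue)
# Hosts that never answered (the "ping" check of the follow-up comment) get a [skipped] row.
foreach ($c in ($ComputerName | Where-Object { $results.PSComputerName -notcontains $_ })) {
    $results += [pscustomobject]@{ Machine = "$c [skipped]"; LocalAdmins = '[skipped]'; BuiltinAdmin = '[skipped]'
                                   OtherAdmins = '[skipped]'; RCRename = '[skipped]'; RCNewPass = '[skipped]' }
}
$results | Select-Object Machine, LocalAdmins, BuiltinAdmin, OtherAdmins, RCRename, RCNewPass |
    Export-Csv -Path $LogFile -Delimiter ';' -NoTypeInformation
```

Run it with -Test first: the cmdlets then only print "What if:" lines and the CSV shows which account would be renamed on each host without touching anything.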

LVL 85

Expert Comment

ID: 8097418
Forgot something; merge this into the part after ":process" to make sure the remote machine is running:

set Machine=%1
set BuiltinAdmin=
set LocalAdmins=
set OtherAdmins=
rem *** check if remote machine is alive:
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 (
  set Machine=%Machine% [skipped]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  goto log
)
rem *** Get the target machine's local accounts:

Author Comment

ID: 8285098
Although I was looking for an executable that could be pushed with SMS (to ensure that it executes on all managed machines with little/no intervention), this does the job well.  Thank you.
