changing local machine admin passwords via server

Not sure if this is possible or not, but thought I'd ask anyhow.  I'm interested in knowing if you can change local admin passwords for workstations over the network.  It's that time again where all admin passwords need to be reset, but in the past we've always visited every local machine which is quite tedious.  All of the workstations are Win2000 or WinXP and are part of the domain.  Thanks.
LVL 1
mgrassAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

solver7Commented:
If you want to do it manually for a few machines,
open the computer management console,
under "actions" select "connect to another computer"
add the computer name then just go under
system tools
local users and computers.

  It's a simple way but not practifcal for a large user base.

0
mgrassAuthor Commented:
Yeah, doing it manual is tried and true, but I have upwards of 550 machines all-in-all that require the change.
0
oBdACommented:
This script was intended to rename the built-in administrator account and password, even if that name had been changed before to unknown value, and to produce a logfile. It should fit your needs, too; just set the "new" name of the administrator account to "Administrator" if you don't want to change the account name.
This should work on any NT4, W2k and XP.
The script creates a ";" separated logfile, and the administrator (and SID) list field it creates in the logfile is "," separated. "Other Admins" are members of the local Administrators group that are not local accounts. "RC Rename" "and RC Password" are the Return Codes of the renaming / password changing command.
As mentioned in the remarks, you need some tools from the Resource Kit.
At the moment, it's in test mode, so you should be able to run it without endangering your net (read the remarks on how to "arm" the script).
Feed it either a single machine name as parameter ("renbiadmin SomeMachine"), or, for a bunch of machines, a "/L" as first parameter and a list with computer names to be processed as second parameter ("renbiadmin /L SomeDrive:\SomePath\SomeListFile"). Start it without parameter, and it will give you a short help.
It will give you a list with failed machines as well, so that you can run only the failed machines again without having too much trouble ...

As usual: No warranties included, test it before you apply it in earnest, use this at your own risk.

====8<----[renbiadmin.cmd]----
@echo off
setlocal
:: *** renbiadmin.cmd
:: *** Renames the built in administrator account of the specified machine and changes the password
:: *** Necessary external tools (from the W2k Resource Kit): local.exe, getsid.exe, cusrmgr.exe.
:: *** New name of the builtin administrator account:
set NewAdmin=LocalAdmin
:: *** New password of the builtin administrator account:
set NewPassword=Secret
:: *** "set Test=echo" (without quotation marks) for testing purposes,
:: *** "set Test=" (without quotation marks) to get serious
:: *** in test mode, it will do everything as usual, but it will neither
:: *** rename the account nor change the password.
set Test=echo
:: *** Localization; the name of the Local Administrators Group:
set AdminGroup=Administrators
:: *** List the Administrator's SID (TRUE to enable, empty or FALSE to disable):
set EnableSID=TRUE
:: *** (path and) name of the log file:
set LogFile=%~n0.log
:: *** (path and) name of the file with failed machine names:
set FailedFile=%~n0.txt

:: *** Only change the following variables if you know what you're doing ***
:: *** Builtin System Administrator RID (Default: 500):
set BIAdminRID=500
:: *** Admin share (used to verify credentials):
set AdminShare=C$

if %1.==. goto Syntax
if exist "%FailedFile%" del "%FailedFile%"
(echo Machine Name;Local Admins;Builtin Admin;Other Admins;Return Code "Rename";Return Code "New Password")>"%LogFile%"
echo ======================================================================
if /i not %1.==/L. goto process
if %2.==. goto Syntax
set ListFile=%2
if not exist %ListFile% (
  echo Error: The list file does not exist.
  goto leave
)
for /f %%a in ('type %ListFile%') do call :process %%a
goto leave

:process
set Machine=%1
set BuiltinAdmin=
set LocalAdmins=
set OtherAdmins=
set Failed=
:: *** check if remote machine is alive:
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: not responding]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
:: *** check for administrative privileges on the remote machine:
net use \\%Machine%\%AdminShare% 1>NUL 2>NUL
if errorlevel 1 (
  set Machine=%Machine% [failed: access denied]
  set BuiltinAdmin=[skipped]
  set LocalAdmins=,[skipped]
  set OtherAdmins=,[skipped]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)
net use \\%Machine%\%AdminShare% /delete 1>NUL 2>NUL

:: *** Check for the local built in administrator account:
:CheckAdmins
for /f "tokens=1* delims=\" %%a in ('local %AdminGroup% \\%Machine%') do (
  set CheckDomain=%%a
  set CheckAdmin=%%b
  call :FindBuiltIn
)

:: *** Check if the builtin account was found:
if "%BuiltinAdmin%"=="" (
  set BuiltinAdmin=[Undetermined]
  set RCRename=[skipped]
  set RCNewPass=[skipped]
  set Failed=%Machine%
  goto log
)

:: *** Check if the builtin account already has the correct name:
if /i "%BuiltinAdmin%"=="%NewAdmin%" (
  set RCRename=[skipped: name ok]
  goto ChangePass
)
:: *** Rename the builtin account and save the return code:
set RCRename=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %BuiltinAdmin% -m \\%Machine% -r %NewAdmin% ^| find /i "ERROR"') do set RCRename=%%a
if "%RCRename%"=="" set RCRename=0

:ChangePass
:: *** Check if renaming was successful:
if %RCRename% GTR 0 (
  set RCNewPass=[skipped: couldn't rename]
  set Failed=%Machine%
  goto log
)
:: *** Change the password and save the return code:
set RCNewPass=
for /f "tokens=2 delims=:" %%a in ('%Test% cusrmgr -u %NewAdmin% -m \\%Machine% -P %NewPassword% ^| find /i "ERROR"') do set RCNewPass=%%a
if "%RCNewPass%"=="" set RCNewPass=0
if %RCNewPass% GTR 0 set failed=%Machine%
goto log

:: **********************************************************************
:: *** Subroutines:
:FindBuiltIn
:: *** Check if the account to be tested is a local one; if not, save it and return:
if /i not "%CheckDomain%"=="%Machine%" (
  set OtherAdmins=%OtherAdmins%,%CheckDomain%\%CheckAdmin%
  goto :eof
)

:: *** Get the administrator's SID of the remote machine:
for /f "tokens=7 skip=2" %%a in ('getsid \\%Machine% %CheckAdmin% \\%Machine% %CheckAdmin%') do set SID=%%a
set TempSID=%SID%
:GetRID
:: *** Get the Relative Identifier:
for /f "tokens=1* delims=-" %%a in ("%TempSID%") do (
  set RID=%%a
  set TempSID=%%b
)
if not "%TempSID%"=="" goto GetRID
set LocalAdmins=%LocalAdmins%,%CheckAdmin%
if /i "%EnableSID%"=="TRUE" set LocalAdmins=%LocalAdmins% {%SID%}
if %RID%==%BIAdminRID% set BuiltinAdmin=%CheckAdmin%
goto :eof

:Syntax
echo.
echo renbiadmin.cmd
echo.
echo Renames the built-in administrator account of a given machine, independently
echo of the current name of the account. Creates a ";"-separated logfile and a list
echo of machines where renaming or password change wasn't sucessful.
echo If run in test mode, no renaming/password change is done.
set TM=ON&if .%Test%.==.. set TM=OFF
echo New Admin:     %NewAdmin%
echo Logfile:       %LogFile%
echo "Failed" list: %FailedFile%
echo Test mode:     %TM%
echo.
echo Syntax:
echo renbiadmin { ^<machine^> ^| /L ^<list^> }
echo ^<machine^>: Renames the administrator account of machine.
echo /L:        Renames the administrator account of all machines in ^<list^>
echo            (one name per line).
goto leave
:: **********************************************************************

:log
set LocalAdmins=%LocalAdmins:~1%
if "%OtherAdmins%"=="" set OtherAdmins=,[None]
set OtherAdmins=%OtherAdmins:~1%
(echo %Machine%;%LocalAdmins%;%BuiltinAdmin%;%OtherAdmins%;%RCRename%;%RCNewPass%)>>"%LogFile%"
if not "%Failed%"=="" (echo %Failed%)>>"%FailedFile%"
echo Machine:       %Machine%
echo Local Admins:  %LocalAdmins%
echo Builtin Admin: %BuiltinAdmin%
echo Other Admins:  %OtherAdmins%
echo RC Rename:     %RCRename%
echo RC Password:   %RCNewPass%
echo ======================================================================

:leave

====8<----[renbiadmin.cmd]----
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

mgrassAuthor Commented:
Okay, looks a bit complex.  Is there a deployment instruction manual to go along with this?  
0
oBdACommented:
No need to deploy anything; just save it on the workstation or server you're using for your administrative work. All it needs are three tools from the Resource Kit in the path. Most of the script is "just" error handling and logging, but when you're handling 500 machines, you'll want those ...
It's in test mode, so just call it with a remote machine as argument to see what it's doing.
0
mgrassAuthor Commented:
Thanks for the assist.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.