
Can you change Client Local Administrator Password via Active Directory?

KellyKeeton asked
Last Modified: 2013-12-04
I am wondering if you can create a policy to change the local admin password on every client in an OU (or domain).

I am aware of http://support.microsoft.com/default.aspx?scid=kb;EN-US;q149427; however, I want to use this as a 2nd option for a logon script, or a VB script that is run on each client.

Pete Long, Technical Architect

Commented:
Through policy - I don't think so, no. Local administrators (and users) are unique to the clients and cannot exist (as a GUID object in Active Directory).

Do this instead

Change All Local Admin Passwords


Change Local Administrator Password Remotely
 

Download the utility 'cryptpwd' from :
http://www.jsiinc.com/tip0300/rh0349.htm

Now just create a textfile containing all your servernames
(e.g. serverlist.txt) and then create a batchfile with the following line :

FOR /F %%x in (serverlist.txt) do cryptpwd -m \\%%x -P newpassword

(where newpassword is the password you want to set as the
local administrator password on the servers.)

(You obviously need to have admin. rights to the servers in order
to change the password.)

This method changes the password immediately.


From http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=1373&CatID=267
Pete Long, Technical Architect

Commented:
Obviously you can do the client names as well :)
Never have a domain password unencrypted in a batch file - it could be a great security risk.

Instead follow this thread, and find my 2 comments about runas and compiler
https://www.experts-exchange.com/Security/Win_Security/Q_20933972.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Author

Commented:
@trywaredk
    Point very well taken and I agree; however, we have come across a situation where we are at a point that we must evaluate the risks of a password that is known vs. a quick change of them all. Combined with a simple encryption of the batch file to exe. The script would be running for such a short time that the risk of leaking out would be small.

@PeteLong
  This is more versatile than the NET command, thank you ... I am going to leave this open for a bit longer to see any more ideas that people might have.

Author

Commented:
I heard there is a VB script that will allow the change of the local admin password from a remote box.

(I from my box enter client name and password to change to)

Anyone have a link to this... couldn't find it in search. Then I can just create a big old program to run from my box.

Commented:
If you have the W2k Resource Kit (or, to be more specific, "cusrmgr.exe", "local.exe", and "getsid.exe"), I could offer a batch script that will set the built-in (the SID will be retrieved, it will not go for the actual account name) local Administrator's password and rename the account (if requested). In addition, it will create a log file which, among other information, lists other members of the local Administrators group on each machine, which might be of interest for you--if the admin password leaked, somebody might have created additional accounts with administrative permissions.
It'll be some hours before I have access to the script, so holler if you're interested.

Commented:
KellyKeeton

The following VBScript code will change an administrator password on a remote machine. If you pad it out with the rest of the automation code it will run as local system when called by a GPO Startup script. I wrote a complete VBScript solution to this problem a while ago, but it's way too large to post the whole lot here.

Cheers

JamesDS


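' strHostName and strNewPassword must be set by the calling code;
' ErrorHandler() belongs to the rest of the automation code, which is not shown here.
Sub SetNewPassword()

      ' Bind to the local Administrator account on the remote machine (WinNT provider)
      Set oUser      = GetObject("WinNT://" & strHostName & "/Administrator,user")
      
      ' Set the new password and commit the change
      oUser.SetPassword strNewPassword
      oUser.SetInfo
      
      Call ErrorHandler()

End Sub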
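
An added PowerShell example, not part of the thread or of any poster's script: it combines the approaches discussed above (a host list as in the batch file, the WinNT provider as in the VBScript, and the SID lookup plus Administrators-group log described for the Resource Kit script), and prompts for the password instead of storing it in a file. The parameter names and the output file name admin-audit.csv are assumptions; serverlist.txt follows the batch example.

```powershell
# Added example: rotate the built-in local Administrator password on each host in a
# list and record who else is in the local Administrators group. Needs admin rights
# on the targets and PowerShell 3.0 or later.
param(
    [string]$HostList = 'serverlist.txt',   # one computer name per line
    [string]$LogFile  = 'admin-audit.csv'   # assumed output name
)

# Prompt once; the password is never written into the script or the log.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$results = foreach ($computer in Get-Content -Path $HostList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }
    try {
        # The built-in Administrator keeps RID 500 even after a rename.
        $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $computer `
                     -Filter 'LocalAccount=True' -ErrorAction Stop |
                 Where-Object { $_.SID -like 'S-1-5-21-*-500' }
        if (-not $admin) { throw 'RID 500 account not found' }

        # The Administrators group is looked up by its well-known SID (name is localized).
        $groupName = (Get-WmiObject -Class Win32_Group -ComputerName $computer `
                          -Filter "LocalAccount=True AND SID='S-1-5-32-544'" `
                          -ErrorAction Stop).Name

        $user = [ADSI]"WinNT://$computer/$($admin.Name),user"
        $user.psbase.Invoke('SetPassword', $plain)

        # List every member so unexpected admin-level accounts stand out in the log.
        $group   = [ADSI]"WinNT://$computer/$groupName,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }

        [pscustomobject]@{ Computer = $computer; Account = $admin.Name
                           Status = 'changed'; AdminGroupMembers = ($members -join ';') }
    }
    catch {
        [pscustomobject]@{ Computer = $computer; Account = ''
                           Status = "failed: $($_.Exception.Message)"; AdminGroupMembers = '' }
    }
}

$results | Export-Csv -Path $LogFile -NoTypeInformation
```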

Author

Commented:
@trywaredk
Thanks, this looks like the most controlled that I will be able to use on my domain.

@PeteLong
Thanks as well.
:o) Glad I could help you - thank you for the points
Pete Long, Technical Architect

Commented:
:)
There is also a tool from Sysinternals that can do this as well. It is a GUI and can select the whole domain if you want and change all to a single password at once.
