Can you change the client local Administrator password via Active Directory?

I am wondering if you can create a policy to change the local admin password on every client in an OU (or domain).

I am aware of http://support.microsoft.com/default.aspx?scid=kb;EN-US;q149427, however I want to use this as a 2nd option for a logon script, or a VB script that is run on each client.
KellyKeetonAsked:
Pete LongTechnical ConsultantCommented:
Through policy - I don't think so, no. Local administrators (and users) are unique to the clients and cannot exist (as a GUID object) in Active Directory.

Do this instead

Change All Local Admin Passwords


Change Local Administrator Password Remotely
 

Download the utility 'cryptpwd' from :
http://www.jsiinc.com/tip0300/rh0349.htm

Now just create a text file containing all your server names
(e.g. serverlist.txt) and then create a batch file with the following line:

FOR /F %%x in (serverlist.txt) do cryptpwd -m \\%%x -P newpassword

(where newpassword is the password you want to set as the
local administrator password on the servers.)

(You obviously need to have admin. rights to the servers in order
to change the password.)

This method changes the password immediately.


From http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=1373&CatID=267
Pete LongTechnical ConsultantCommented:
obviously you can do the client names as well :)
trywaredkCommented:
Never have a domain password unencrypted in a batch file - it could be a great security risk.

Instead follow this thread, and find my 2 comments about runas and compiler
http://www.experts-exchange.com/Security/Win_Security/Q_20933972.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

KellyKeetonAuthor Commented:
@trywaredk
    point very well taken and I agree, however we have come across a situation where we are at a point that we must evaluate the risks of a password that is known vs. a quick change of them all. Combined with a simple encryption of the batch file to exe. The script would be running for such a short time that the risk of leaking out would be small.

@PeteLong
  this is more versatile than the NET command, thank you ... I am going to leave this open for a bit longer to see any more ideas that people might have.
KellyKeetonAuthor Commented:
I heard there is a VB script that will allow the change of the local admin password from a remote box.

(I, from my box, enter the client name and the password to change to)

Anyone have a link to this... couldn't find it in search. Then I can just create a big old program to run from my box.
oBdACommented:
If you have the W2k Resource Kit (or, to be more specific, "cusrmgr.exe", "local.exe", and "getsid.exe"), I could offer a batch script that will set the built-in local Administrator's password (the SID will be retrieved, it will not go for the actual account name) and rename the account (if requested). In addition, it will create a log file which, among other information, lists other members of the local Administrators group on each machine, which might be of interest for you--if the admin password leaked, somebody might have created additional accounts with administrative permissions.
It'll be some hours before I have access to the script, so holler if you're interested.
JamesDSCommented:
KellyKeeton

The following VBScript code will change an administrator password on a remote machine. If you pad it out with the rest of the automation code it will run as local system when called by a GPO Startup script. I wrote a complete VBScript solution to this problem a while ago, but it's way too large to post the whole lot here.

Cheers

JamesDS


' Host name and new password are supplied on the command line instead of being hard-coded
Dim strHostName, strNewPassword
strHostName    = WScript.Arguments(0)
strNewPassword = WScript.Arguments(1)

Sub SetNewPassword()
      Dim oUser
      On Error Resume Next
      ' The WinNT provider binds to the remote machine's local SAM; the caller must be an admin there
      Set oUser      = GetObject("WinNT://" & strHostName & "/Administrator,user")
      oUser.SetPassword strNewPassword
      oUser.SetInfo
      Call ErrorHandler()
End Sub

Sub ErrorHandler()
      If Err.Number <> 0 Then WScript.Echo "Failed on " & strHostName & ": " & Err.Description
      Err.Clear
End Sub

SetNewPassword
trywaredkCommented:
>"i heard there is a VB script that will allow the chang of the local admin password from a remote box"

Well - I thought that I almost told you enough in the links above, but here it is:

1. Download the free compiler AutoIt from http://www.hiddensoft.com/autoit3/downloads.php
2. Download psexec.exe from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
3. Create a ChangeLocalPassword.au3 like the one below
4. Compile ChangeLocalPassword.au3, and you will have a binary ChangeLocalPassword.exe
5. Create a ChangeLocalAdminPwAndLogUsers.vbs like the one below
6. Place the psexec.exe and your 3 files (au3, exe and vbs) on a hidden share on your domain controller, where only domain admins can read.
7. Log on as domain admin and run the vbs-file with %systemroot%\system32\wscript.exe

Test this line on one computer before running the whole stuff:
ChangeLocalPassword.exe YourTestComputerName

The only security risk in this setup is the au3 file - rename the passwords to xxxxxx and zzzzz after compiling, and you don't have any risks anymore. You actually could place the vbs-file and compiled exe-file in \\yourservername\netlogon


--- ChangeLocalPassword.au3 --------------------------------------------------------------------------------------------------------------
; Compiled to ChangeLocalPassword.exe.  Usage: ChangeLocalPassword.exe <ComputerName>
Dim $UserName, $DomainName, $DomainAdminPassword, $LocalAdminPassword, $RunProgram, $RunPath, $val

If $CmdLine[0] < 1 Then Exit 1   ; $CmdLine[0] holds the argument count, $CmdLine[1] the first argument

$UserName = "Administrator"
$DomainName = "YourDomainName"
$DomainAdminPassword = "zzzzzzzzzzzzzzzzzzzzzz"
$LocalAdminPassword = "xxxxxxxxxxxxxxxxxxxxxxx"

; AutoIt does not expand $variables inside string literals, so the command line is built with &.
; psexec expects the target as \\computername.
$RunProgram = "psexec.exe \\" & $CmdLine[1] & " cmd /c net user " & $UserName & " " & $LocalAdminPassword
$RunPath = "\\YourServerName\YourHiddenShareName"

; Run psexec under the domain admin account so it can authenticate to the remote machine
RunAsSet ( $UserName, $DomainName, $DomainAdminPassword )

$val = RunWait($RunProgram, $RunPath, @SW_MAXIMIZE)
-------------------------------------------------------------------------------------------------------------------


 
--- ChangeLocalAdminPwAndLogUsers.vbs ------------------------------------------------------------------------------------------------
On Error Resume Next

dim oFso, oFile, sFileName

Dim oDomain, wshShell, Computer
Dim sProgramNavn, sMsgBoxTitle, sDomainInput, sLocalAdminGroup, sDomain, sNotepadWindowName
Dim bStatus

     sMsgBoxTitle="Collect members of local admin group."
     sDomainInput="YourDomainName"
     sLocalAdminGroup = "Administrators"
     sProgramNavn="EnumLocalAdminGroup"
     sFileName="C:\TEMP\" & sProgramNavn & ".txt"
     sNotepadWindowName="Notepad"

     Set WshShell = WScript.CreateObject("WScript.Shell")
     Set oFso=CreateObject("Scripting.FileSystemObject")
     Set oFile=oFso.CreateTextFile(sFileName)

     sLocalAdminGroup = uCase(sLocalAdminGroup)



' Logs every member of the local Administrators group on sComputer, then launches the
' compiled AutoIt wrapper to reset that machine's local Administrator password.
' Returns True when no error was raised (the computer was reachable and readable).
Function ChangeLocalAdminPwAndLogUsers(sDomainName,sComputer)
  Dim colGroups, oGroup, oUser
  Dim sFound, sTab, wshShell
  Set WshShell = WScript.CreateObject("WScript.Shell")
  Err.Clear

     sTab = vbTab
     If Len(sDomainName & "/" & sComputer) <= 15 Then sTab = vbTab & vbTab

     ' Bind to the computer's local SAM through the WinNT ADSI provider
     Set colGroups = GetObject("WinNT://" & sComputer & "")
     colGroups.Filter = Array("group")

     For Each oGroup In colGroups
          If uCase(oGroup.Name) = sLocalAdminGroup Then
              For Each oUser in oGroup.Members
                   sFound = sDomainName & "/" & sComputer & sTab & oGroup.Name & sTab & oUser.Name
                    oFile.WriteLine sFound
              Next
          End if
     Next

     ' The computer name is appended outside the quotes; 0 = hidden window
     wshShell.Run "\\YourServerName\YourHiddenShareName\ChangeLocalPassword.exe " & sComputer, 0

     ChangeLocalAdminPwAndLogUsers = (Err.Number = 0)
     Err.Clear

     Set colGroups=Nothing
     Set oGroup=Nothing
     Set oUser=Nothing
     Set wshShell=Nothing
End Function


'********************* MAIN PROGRAM **********************


     sDomain=InputBox("Input DomainName",sMsgBoxTitle,sDomainInput)

     If sDomain="" Then
          MsgBox "Domainname is missing - try again."
          wScript.Quit
     End If

     Set oDomain = GetObject("WinNT://" & sDomain)

     oDomain.Filter = Array("computer")
     MsgBox "Press OK, and wait a minute for each online computer ..."

     oFile.WriteLine "Collect members of local admin group for all online computers in domain " & sDomain & vbCrLf & vbCrLf
     oFile.WriteLine "COMPUTERNAME:" & vbTab & vbTab & "MEMBERS OF LOCAL ADMIN GROUP:"
     oFile.WriteLine "-------------" & vbTab & vbTab & "-----------------------------"

     For Each Computer in oDomain
          bStatus = ChangeLocalAdminPwAndLogUsers(sDomain,Computer.Name)
          If Not bStatus Then oFile.WriteLine sDomain & "/" & Computer.Name & vbTab & "ERROR (offline or access denied)"
     Next

     oFile.WriteLine vbCrlf & vbCrlf
     oFile.WriteLine "-----------------------------------------------------------------------------------------------"
     oFile.WriteLine sProgramNavn & ".cis" & vbCrLf & Now & vbCrLf & vbCrLF


     wScript.sleep 1000
     WshShell.Run ("%windir%\notepad " & sFileName)

     wScript.sleep 1000
     WshShell.AppActivate sNotepadWindowName

     Set oDomain=Nothing
     Set wshShell=Nothing
     Set oFso=Nothing

Wscript.Quit
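The following PowerShell script is an added example, not code from this thread or from any of the posters. It combines the points made above: Pete Long's loop over a host list, JamesDS's WinNT://host/Administrator,user binding, oBdA's advice to pick the built-in account by its RID-500 SID (so a renamed Administrator is still found) and to log who else sits in the local Administrators group, and trywaredk's rule that the password must never be written into the script. It prompts for the new password once, keeps it only in memory, and talks to each host's SAM through the same WinNT ADSI provider the VBScript above uses, so no psexec or compiled wrapper is needed. The file names hosts.txt and LocalAdmins.log, and the assumption that the account running it is a local administrator on every host, are mine.

```powershell
<#
  Added example (not from the thread). Bulk-change the built-in local Administrator
  password on every host listed in hosts.txt, logging local Administrators membership first.
  Assumptions (hypothetical): hosts.txt has one computer name per line; the caller's
  account is a local administrator on each host; .\LocalAdmins.log may be written.
#>
param(
    [string]$HostList = '.\hosts.txt',
    [string]$LogFile  = '.\LocalAdmins.log'
)

# Prompt once; the password lives only in this process, never in a file or share.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $newPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

function Get-BuiltinAdminName {
    # Return the name of the account whose SID ends in RID 500, whatever it was renamed to.
    param([string]$ComputerName)
    $computer = [ADSI]"WinNT://$ComputerName"
    foreach ($child in $computer.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'User') { continue }
        $bytes = $child.psbase.Properties['objectSid'].Value
        $sid   = New-Object Security.Principal.SecurityIdentifier($bytes, 0)
        if ($sid.Value.EndsWith('-500')) { return $child.psbase.Name }
    }
    throw "No RID-500 account found on $ComputerName"
}

function Get-LocalAdminMembers {
    # List ADsPaths (WinNT://DOMAIN/name) of every member of the local Administrators group.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Set-BuiltinAdminPassword {
    # Same operation as the VBScript's SetPassword/SetInfo, against the RID-500 account.
    param([string]$ComputerName, [string]$Password)
    $name = Get-BuiltinAdminName -ComputerName $ComputerName
    $user = [ADSI]"WinNT://$ComputerName/$name,user"
    $user.psbase.Invoke('SetPassword', $Password)
    $user.psbase.CommitChanges()
    return $name
}

foreach ($line in Get-Content $HostList | Where-Object { $_.Trim() }) {
    $computer = $line.Trim()
    $stamp    = Get-Date -Format s
    try {
        # Record the current Administrators membership before touching the password,
        # so any extra admin accounts created with a leaked password show up in the log.
        $members = Get-LocalAdminMembers -ComputerName $computer
        Add-Content $LogFile ("{0}`t{1}`t{2}" -f $stamp, $computer, ($members -join ';'))
        $name = Set-BuiltinAdminPassword -ComputerName $computer -Password $newPassword
        Write-Host "$computer : password set for $name (RID 500)"
    } catch {
        # Offline host, access denied, or no RID-500 account: log it and move on.
        Add-Content $LogFile ("{0}`t{1}`tERROR`t{2}" -f $stamp, $computer, $_.Exception.Message)
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
$newPassword = $null
```

Run it from a domain admin session (or any account that is a local admin on the targets), check LocalAdmins.log for hosts marked ERROR and re-run those once they are online. Because the same password goes to every host, treat this as the quick emergency rotation the asker describes, not as a steady state.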
KellyKeetonAuthor Commented:
@trywaredk
thanks this looks like the most controled that i will be able to use on my domain.

@PeteLong
thanks as well
trywaredkCommented:
:o) Glad I could help you - thank you for the points
Pete LongTechnical ConsultantCommented:
:)
cjdavis618Commented:
There is also a tool from Sysinternals that can do this as well. It is a GUI and can select the whole domain if you want and change all to a single password at once.
