• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5038

Can you change Client Local Administrator Password via Active Directory?

I am wondering if you can create a policy to change the local admin password on every client in an OU (or domain).

I am aware of http://support.microsoft.com/default.aspx?scid=kb;EN-US;q149427, however I want to use this as a 2nd option for a logon script, or a VB script that is run on each client.
1 Solution
Pete Long (Technical Consultant) commented:
Through policy - I don't think so, no. Local administrators (and users) are unique to the clients and cannot exist (as a GUID object in Active Directory).

Do this instead

Change All Local Admin Passwords

Change Local Administrator Password Remotely

Download the utility 'cryptpwd' from :

Now just create a textfile containing all your servernames
(e.g. serverlist.txt) and then create a batchfile with the following line :

FOR /F %%x in (serverlist.txt) do cryptpwd -m \\%%x -P newpassword

(where newpassword is the password you want to set as the
local administrator password on the servers.)

(You obviously need to have admin. rights to the servers in order
to change the password.)

This method changes the password immediately.

From http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=1373&CatID=267
Pete Long (Technical Consultant) commented:
obviously you can do the client names as well :)
Never have a domain password unencrypted in a batch-file - it could be a great security risk

Instead follow this thread, and find my 2 comments about runas and compiler

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open


KellyKeeton (Author) commented:
    Point very well taken and I agree, however we have come across a situation where we are at a point that we must evaluate the risks of a password that is known vs. a quick change of them all. Combined with a simple encryption of the batch file to exe. The script would be running for such a short time that the risk of leaking out would be small.

  This is more versatile than the NET command, thank you ... I am going to leave this open for a bit longer to see any more ideas that people might have.
KellyKeeton (Author) commented:
I heard there is a VB script that will allow the change of the local admin password from a remote box.

(I, from my box, enter the client name and the password to change to.)

Anyone have a link to this... couldn't find it in search. Then I can just create a big old program to run from my box.
If you have the W2k Resource Kit (or, to be more specific, "cusrmgr.exe", "local.exe", and "getsid.exe"), I could offer a batch script that will set the built-in (the SID will be retrieved, it will not go for the actual account name) local Administrator's password and rename the account (if requested). In addition, it will create a log file which, among other information, lists other members of the local Administrators group on each machine, which might be of interest for you--if the admin password leaked, somebody might have created additional accounts with administrative permissions.
It'll be some hours before I have access to the script, so holler if you're interested.

The following VBScript code will change an administrator password on a remote machine. If you pad it out with the rest of the automation code it will run as local system when called by a GPO Startup script. I wrote a complete VBScript solution to this problem a while ago, but it's way too large to post the whole lot here.

Dim strHostName, strNewPassword, oUser
strHostName = "CLIENT01"            ' placeholder: name of the remote computer
strNewPassword = "NewP@ssw0rd"      ' placeholder: never leave a real password in the script

Sub ErrorHandler()
      ' Report the last error, if any, and keep going
      If Err.Number <> 0 Then WScript.Echo "Error " & Err.Number & ": " & Err.Description
End Sub

Sub SetNewPassword()
      On Error Resume Next
      ' Bind to the built-in Administrator account on the remote machine via the WinNT ADSI provider;
      ' SetPassword on this provider takes effect immediately, no SetInfo is needed
      Set oUser = GetObject("WinNT://" & strHostName & "/Administrator,user")
      oUser.SetPassword strNewPassword
      Call ErrorHandler()
End Sub

SetNewPassword
>"I heard there is a VB script that will allow the change of the local admin password from a remote box"

Well - I thought that I almost told you enough in the links above, but here it is:

1. Download the free compiler Autoit from http://www.hiddensoft.com/autoit3/downloads.php
2. Download psexec.exe from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
3. Create a ChangeLocalPassword.au3 like the one below
4. Compile ChangeLocalPassword.au3, and you will have a binary ChangeLocalPassword.exe
5. Create a ChangeLocalAdminPwAndLogUsers.vbs like the one below
6. Place the psexec.exe and your 3 files (au3, exe and vbs) on a hidden share on your domain controller, where only domain admins can read.
7. Logon as domain admin and run the vbs-file with %systemroot%\system32\wscript.exe

Test this line on one computer before running the whole stuff:
ChangeLocalPassword.exe YourTestComputerName

The only security risk in this setup is the au3 file - rename the passwords to xxxxxx and zzzzz after compiling, and you don't have any risks anymore. You actually could place the vbs-file and compiled exe-file in \\yourservername\netlogon

--- ChangeLocalPassword.au3 --------------------------------------------------------------------------------------------------------------
; Usage (after compiling): ChangeLocalPassword.exe <ComputerName>
Dim $UserName, $DomainName, $DomainAdminPassword, $LocalAdminPassword, $RunProgram, $RunPath, $val

If $CmdLine[0] < 1 Then
    MsgBox(16, "ChangeLocalPassword", "Usage: ChangeLocalPassword.exe <ComputerName>")
    Exit 1
EndIf

$UserName = "Administrator"
$DomainName = "YourDomainName"
$DomainAdminPassword = "zzzzzzzzzzzzzzzzzzzzzz"
$LocalAdminPassword = "xxxxxxxxxxxxxxxxxxxxxxx"

; AutoIt does not expand variables inside string literals, so the command line is built by concatenation;
; psexec expects the target as \\ComputerName
$RunProgram = "psexec.exe \\" & $CmdLine[1] & " cmd /c net user " & $UserName & " " & $LocalAdminPassword
$RunPath = "\\YourServerName\YourHiddenShareName"

; Run the following program under the domain admin account (AutoIt v3 RunAsSet)
RunAsSet($UserName, $DomainName, $DomainAdminPassword)

$val = RunWait($RunProgram, $RunPath, @SW_MAXIMIZE)

--- ChangeLocalAdminPwAndLogUsers.vbs ------------------------------------------------------------------------------------------------
On Error Resume Next

Dim oFso, oFile, sFileName

Dim oDomain, wshShell, Computer
Dim sProgramNavn, sMsgBoxTitle, sDomainInput, sLocalAdminGroup, sDomain, sNotepadWindowName
Dim bStatus

     sProgramNavn = "ChangeLocalAdminPwAndLogUsers"
     sMsgBoxTitle = "Collect members of local admin group."
     sDomainInput = ""
     sLocalAdminGroup = "Administrators"
     sFileName = "C:\TEMP\" & sProgramNavn & ".txt"
     sNotepadWindowName = sProgramNavn & ".txt - Notepad"
     Set wshShell = WScript.CreateObject("WScript.Shell")
     Set oFso = CreateObject("Scripting.FileSystemObject")
     If Not oFso.FolderExists("C:\TEMP") Then oFso.CreateFolder "C:\TEMP"
     Set oFile = oFso.CreateTextFile(sFileName, True)

     sLocalAdminGroup = UCase(sLocalAdminGroup)

' Logs every member of the local Administrators group on sComputer, then runs the compiled
' ChangeLocalPassword.exe against it. Returns False if the computer cannot be reached.
Function ChangeLocalAdminPwAndLogUsers(sDomainName, sComputer)
  Dim colGroups, oGroup, oUser
  Dim sFound, sTab, wshShell
  On Error Resume Next
  Set wshShell = WScript.CreateObject("WScript.Shell")

     sTab = vbTab
     If Len(sDomainName & "/" & sComputer) <= 15 Then sTab = vbTab & vbTab
     Err.Clear
     Set colGroups = GetObject("WinNT://" & sComputer)
     If Err.Number <> 0 Then
          oFile.WriteLine sDomainName & "/" & sComputer & sTab & "not reachable: " & Err.Description
          Err.Clear
          ChangeLocalAdminPwAndLogUsers = False
          Exit Function
     End If
     colGroups.Filter = Array("group")
     For Each oGroup In colGroups
          If UCase(oGroup.Name) = sLocalAdminGroup Then
               For Each oUser In oGroup.Members
                    sFound = sDomainName & "/" & sComputer & sTab & oGroup.Name & sTab & oUser.Name
                    oFile.WriteLine sFound
               Next
          End If
     Next
     ' The computer name is passed as the first command-line argument of the compiled program
     wshShell.Run "\\YourServerName\YourHiddenShareName\ChangeLocalPassword.exe " & sComputer, 0

     Set colGroups = Nothing
     Set oGroup = Nothing
     Set oUser = Nothing
     Set wshShell = Nothing
     ChangeLocalAdminPwAndLogUsers = True
End Function

'********************* MAIN PROGRAM **********************

     sDomain = InputBox("Input DomainName", sMsgBoxTitle, sDomainInput)

     If sDomain = "" Then
          MsgBox "Domainname is missing - try again."
          WScript.Quit 1
     End If

     Set oDomain = GetObject("WinNT://" & sDomain)

     oDomain.Filter = Array("computer")
     MsgBox "Press OK, and wait a minute for each online computer ..."

     oFile.WriteLine "Collect members of local admin group for all online computers in domain " & sDomain & vbCrLf & vbCrLf
     oFile.WriteLine "COMPUTERNAME:" & vbTab & vbTab & "MEMBERS OF LOCAL ADMIN GROUP:"
     oFile.WriteLine "-------------" & vbTab & vbTab & "-----------------------------"

     For Each Computer In oDomain
          bStatus = ChangeLocalAdminPwAndLogUsers(sDomain, Computer.Name)
     Next

     oFile.WriteLine vbCrLf & vbCrLf
     oFile.WriteLine "-----------------------------------------------------------------------------------------------"
     oFile.WriteLine sProgramNavn & ".cis" & vbCrLf & Now & vbCrLf & vbCrLf
     oFile.Close
     WScript.Sleep 1000
     wshShell.Run ("%windir%\notepad " & sFileName)

     WScript.Sleep 1000
     wshShell.AppActivate sNotepadWindowName
     Set oDomain = Nothing
     Set wshShell = Nothing
     Set oFso = Nothing
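The batch, VBScript and AutoIt solutions above all share two weak spots that the thread itself raises: the new password is written into a file (batch, au3 or vbs), and the account is found by the name "Administrator", which misses a renamed account (the resource-kit post's point about retrieving the SID). The following PowerShell script is an added example for this thread, not code from any poster, that does the same job through the same WinNT ADSI provider: it reads the computer names from serverlist.txt (assumed: one name per line, as in the batch example), logs the members of each computer's local Administrators group, locates the built-in account by its well-known RID 500, and prompts for the new password at run time so it never sits in a script. The log path is an assumption; it must be run as an account with admin rights on every target.

```powershell
# Added example for this thread (not from any poster): reset the built-in local Administrator
# password on every computer in serverlist.txt and log who is in the local Administrators group.
param(
    [string]$ListFile = '.\serverlist.txt',                # assumed: one computer name per line
    [string]$LogFile  = "$env:TEMP\LocalAdminReset.log"    # assumed log location
)

# Prompt for the password as a SecureString so it is never stored in a batch file or script.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $newPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Members of the local Administrators group, returned as "host/Name" or "DOMAIN/Name"
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', ''
    }
}

function Get-BuiltinAdministrator {
    param([string]$Computer)
    # Select the account by its well-known RID (500) rather than by name, so a renamed
    # Administrator account is still found.
    $children = ([ADSI]"WinNT://$Computer").psbase.Children
    $children.SchemaFilter.Add('user') | Out-Null
    foreach ($u in $children) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
        if ($sid.Value -like '*-500') { return $u }
    }
    throw "no account with RID 500 found on $Computer"
}

function Set-BuiltinAdminPassword {
    param([string]$Computer, [string]$Password)
    $user = Get-BuiltinAdministrator -Computer $Computer
    # SetPassword on the WinNT provider changes the password immediately.
    $user.psbase.Invoke('SetPassword', $Password)
    $user.psbase.CommitChanges()
    return $user.psbase.Name
}

"=== reset started $(Get-Date -Format s) ===" | Out-File -FilePath $LogFile -Append
$targets = Get-Content -Path $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($computer in $targets) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        "$computer`tOFFLINE`tskipped" | Out-File -FilePath $LogFile -Append
        continue
    }
    try {
        # Record the group membership before the reset: extra accounts in Administrators are
        # exactly what to review if the old password had leaked.
        $members = (Get-LocalAdminMembers -Computer $computer) -join ', '
        $account = Set-BuiltinAdminPassword -Computer $computer -Password $newPassword
        "$computer`tOK`treset '$account'`tAdministrators: $members" | Out-File -FilePath $LogFile -Append
    } catch {
        "$computer`tFAILED`t$($_.Exception.Message)" | Out-File -FilePath $LogFile -Append
    }
}
$newPassword = $null    # drop the plaintext copy once the loop is done
Write-Host "Done. Log written to $LogFile"
```

Test it against one computer first (a serverlist.txt with a single line), the same way the thread recommends for ChangeLocalPassword.exe, and review the log for unexpected members of Administrators before rolling it out to the whole list.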
KellyKeeton (Author) commented:
Thanks, this looks like the most controlled that I will be able to use on my domain.

thanks as well
:o) Glad I could help you - thank you for the points
Pete Long (Technical Consultant) commented:
There is also a tool from sysinternals that can do this as well. It is a gui and can select the whole domain if you want and change all to a single password at once.

