Solved

Can you change Client Local Administrator Password via Active Directory?

Posted on 2004-04-07
Last Modified: 2013-12-04
I am wondering if you can create a policy to change the local admin password on every client in an OU (or domain).

I am aware of http://support.microsoft.com/default.aspx?scid=kb;EN-US;q149427, however I want to use this as a 2nd option for a logon script, or a VB script that is run on each client.
Question by:KellyKeeton
Expert Comment

by:Pete Long
ID: 10775382
Through policy - I don't think so, no. Local administrators (and users) are unique to the clients and cannot exist (as a GUID object) in Active Directory.

Do this instead

Change All Local Admin Passwords


Change Local Administrator Password Remotely
 

Download the utility 'cryptpwd' from :
http://www.jsiinc.com/tip0300/rh0349.htm

Now just create a textfile containing all your servernames
(e.g. serverlist.txt) and then create a batchfile with the following line :

FOR /F %%x in (serverlist.txt) do cryptpwd -m \\%%x -P newpassword

(where newpassword is the password you want to set as the
local administrator password on the servers.)

(You obviously need to have admin. rights to the servers in order
to change the password.)

This method changes the password immediately.


From http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=1373&CatID=267

Expert Comment

by:Pete Long
ID: 10775393
obviously you can do the client names as well :)

Expert Comment

by:trywaredk
ID: 10775481
Never have a domain password unencrypted in a batch-file - it could be a great security risk

Instead follow this thread, and find my 2 comments about runas and compiler
http://www.experts-exchange.com/Security/Win_Security/Q_20933972.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open


Author Comment

by:KellyKeeton
ID: 10775557
@trywaredk
    Point very well taken and I agree, however we have come across a situation where we are at a point that we must evaluate the risks of a password that is known vs. a quick change of them all, combined with a simple encryption of the batch file to exe. The script would be running for such a short time that the risk of leaking out would be small.

@PeteLong
  This is more versatile than the NET command, thank you ... I am going to leave this open for a bit longer to see any more ideas that people might have.

Author Comment

by:KellyKeeton
ID: 10775720
I heard there is a VB script that will allow the change of the local admin password from a remote box.

(I, from my box, enter the client name and the password to change to.)

Anyone have a link to this? Couldn't find it in search. Then I can just create a big old program to run from my box.

Expert Comment

by:oBdA
ID: 10775942
If you have the W2k Resource Kit (or, to be more specific, "cusrmgr.exe", "local.exe", and "getsid.exe"), I could offer a batch script that will set the built-in local Administrator's password (the SID will be retrieved, it will not go for the actual account name) and rename the account (if requested). In addition, it will create a log file which, among other information, lists other members of the local Administrators group on each machine, which might be of interest for you--if the admin password leaked, somebody might have created additional accounts with administrative permissions.
It'll be some hours before I have access to the script, so holler if you're interested.
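The two points raised so far in the thread (Pete Long's loop over a list of machines with admin rights on each, and oBdA's advice to go by the built-in account's SID rather than its name and to log who else sits in the local Administrators group) are shown together below in PowerShell, which is the shell this kind of Windows administration is done in today. This is an added example, not code from any poster in the thread. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting enabled on the targets, the LocalAccounts cmdlets (Get-LocalUser, Set-LocalUser, Get-LocalGroupMember, present on Windows 10 / Server 2016 and later), and a hypothetical OU and log path. The new password is prompted for at run time, so nothing secret is written into the script. One caveat the thread only touches on: a single password shared by every client means whoever gets it (or its hash) owns every client at once, so a rotation like this should be a stopgap on the way to a unique password per machine, which is what Microsoft's LAPS later provided.

```powershell
# Added example: rotate the built-in local Administrator password (found by RID 500,
# not by name) on every enabled computer under an OU, and log the members of each
# machine's local Administrators group so leftover admin accounts stand out.
# Assumptions: RSAT ActiveDirectory module, PS remoting to the targets, and the
# hypothetical OU / log path below.

param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',   # assumed OU
    [string]$LogPath    = "$env:TEMP\LocalAdminRotation.csv"       # assumed log path
)

Import-Module ActiveDirectory

# Prompt at run time: the password is never stored in a script, batch file or exe
$NewPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# Target list: every enabled computer object under the OU
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

# Runs on each target under the remoting session's (admin) credentials
$RemoteWork = {
    param([securestring]$Password)

    # The built-in Administrator is the account whose SID ends in -500, whatever it is named
    $Builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $Builtin) {
        throw "No RID-500 account found on $env:COMPUTERNAME"
    }

    Set-LocalUser -SID $Builtin.SID -Password $Password

    # S-1-5-32-544 is the well-known SID of the local Administrators group
    $Members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
               ForEach-Object { '{0} ({1})' -f $_.Name, $_.ObjectClass }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        BuiltinAdmin = $Builtin.Name
        Changed      = (Get-Date).ToString('s')
        AdminMembers = ($Members -join '; ')
    }
}

$Results = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $RemoteWork -ArgumentList $NewPassword -ErrorAction Stop
    } catch {
        # Offline or failing hosts are recorded, not silently skipped, so they can be retried later
        [pscustomobject]@{
            Computer     = $c
            BuiltinAdmin = ''
            Changed      = ''
            AdminMembers = "ERROR: $($_.Exception.Message)"
        }
    }
}

$Results | Export-Csv -Path $LogPath -NoTypeInformation
$Results | Format-Table -AutoSize
```

Review the AdminMembers column of the CSV afterwards: any account or group there that you did not put in the image is exactly the "somebody created additional accounts" case oBdA describes, and the ERROR rows are the machines still carrying the old password.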

Expert Comment

by:JamesDS
ID: 10781247
KellyKeeton

The following VBScript code will change an administrator password on a remote machine. If you pad it out with the rest of the automation code it will run as local system when called by a GPO startup script. I wrote a complete VBScript solution to this problem a while ago, but it's way too large to post the whole lot here.

Cheers

JamesDS


Option Explicit
Dim strHostName, strNewPassword
strHostName = "CLIENT01"          ' remote machine to change (example value)
strNewPassword = "NewP@ssw0rd!"   ' new local Administrator password (example value)

Sub SetNewPassword()
      Dim oUser
      On Error Resume Next
      ' Bind to the local Administrator account on the remote host through the WinNT ADSI provider
      Set oUser = GetObject("WinNT://" & strHostName & "/Administrator,user")
      oUser.SetPassword strNewPassword
      oUser.SetInfo
      Call ErrorHandler()
End Sub

' Reports the last ADSI error; SetPassword fails when the caller is not an admin on the host
Sub ErrorHandler()
      If Err.Number <> 0 Then
            WScript.Echo "Error 0x" & Hex(Err.Number) & " on " & strHostName & ": " & Err.Description
            Err.Clear
      End If
End Sub

SetNewPassword

Accepted Solution

by:
trywaredk earned 500 total points
ID: 10781752
>"I heard there is a VB script that will allow the change of the local admin password from a remote box"

Well - I thought that I had almost told you enough in the links above, but here it is:

1. Download the free compiler AutoIt from http://www.hiddensoft.com/autoit3/downloads.php
2. Download psexec.exe from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
3. Create a ChangeLocalPassword.au3 like the one below
4. Compile ChangeLocalPassword.au3, and you will have a binary ChangeLocalPassword.exe
5. Create a ChangeLocalAdminPwAndLogUsers.vbs like the one below
6. Place psexec.exe and your 3 files (au3, exe and vbs) on a hidden share on your domain controller, where only domain admins can read.
7. Log on as domain admin and run the vbs file with %systemroot%\system32\wscript.exe

Test this line on one computer before running the whole thing:
ChangeLocalPassword.exe YourTestComputerName

The only security risk in this setup is the au3 file - rename the passwords to xxxxxx and zzzzz after compiling, and you don't have any risks anymore. You could actually place the vbs file and the compiled exe file in \\yourservername\netlogon


--- ChangeLocalPassword.au3 --------------------------------------------------------------------------------------------------------------
; ChangeLocalPassword.au3 - compile with AutoIt3 (2004-era syntax, RunAsSet)
; Usage: ChangeLocalPassword.exe <ComputerName>
Dim $UserName, $DomainName, $DomainAdminPassword, $LocalAdminPassword, $RunProgram, $RunPath, $val

If $CmdLine[0] < 1 Then
    MsgBox(16, "ChangeLocalPassword", "Usage: ChangeLocalPassword.exe <ComputerName>")
    Exit 1
EndIf

$UserName = "Administrator"
$DomainName = "YourDomainName"
$DomainAdminPassword = "zzzzzzzzzzzzzzzzzzzzzz"
$LocalAdminPassword = "xxxxxxxxxxxxxxxxxxxxxxx"

; AutoIt does not expand $variables inside string literals, so the command line
; has to be concatenated; psexec also wants the target as \\ComputerName
$RunProgram = "psexec.exe \\" & $CmdLine[1] & " cmd /c net user " & $UserName & " " & $LocalAdminPassword
$RunPath = "\\YourServerName\YourHiddenShareName"

; Run psexec as the domain admin so it has rights on the remote computer
RunAsSet($UserName, $DomainName, $DomainAdminPassword)

$val = RunWait($RunProgram, $RunPath, @SW_MAXIMIZE)
Exit $val
-------------------------------------------------------------------------------------------------------------------


 
--- ChangeLocalAdminPwAndLogUsers.vbs ------------------------------------------------------------------------------------------------
On Error Resume Next

Dim oFso, oFile, sFileName

Dim oDomain, wshShell
Dim sProgramNavn, sMsgBoxTitle, sDomainInput, sLocalAdminGroup, sDomain, sNotepadWindowName
Dim bStatus, Computer

     sMsgBoxTitle="Collect members of local admin group."
     sDomainInput="YourDomainName"
     sLocalAdminGroup = "Administrators"
     sProgramNavn="EnumLocalAdminGroup"
     sFileName="C:\TEMP\" & sProgramNavn & ".txt"
     sNotepadWindowName="Notepad"

     Set WshShell = WScript.CreateObject("WScript.Shell")
     Set oFso=CreateObject("Scripting.FileSystemObject")
     ' CreateTextFile fails silently under On Error Resume Next if the folder is missing
     If Not oFso.FolderExists("C:\TEMP") Then oFso.CreateFolder "C:\TEMP"
     Set oFile=oFso.CreateTextFile(sFileName)

     sLocalAdminGroup = uCase(sLocalAdminGroup)



' Logs the members of the local Administrators group on sComputer, then runs the
' compiled AutoIt helper to change its local Administrator password.
' Returns False if the computer could not be reached, True otherwise.
Function ChangeLocalAdminPwAndLogUsers(sDomainName,sComputer)
  Dim colGroups, oGroup, oUser
  Dim sFound, sTab, wshShell
  Set WshShell = WScript.CreateObject("WScript.Shell")

     sTab = vbTab
     If Len(sDomainName & "/" & sComputer) <= 15 Then sTab = vbTab & vbTab

     Err.Clear
     Set colGroups = GetObject("WinNT://" & sComputer & "")
     If Err.Number <> 0 Then
          ' Offline or unreachable: record it and skip instead of running psexec against it
          oFile.WriteLine sDomainName & "/" & sComputer & sTab & "(not reachable: " & Err.Description & ")"
          Err.Clear
          ChangeLocalAdminPwAndLogUsers = False
          Exit Function
     End If
     colGroups.Filter = Array("group")

     For Each oGroup In colGroups
          If uCase(oGroup.Name) = sLocalAdminGroup Then
              For Each oUser in oGroup.Members
                   sFound = sDomainName & "/" & sComputer & sTab & oGroup.Name & sTab & oUser.Name
                    oFile.WriteLine sFound
              Next
          End if
     Next

     ' The computer name must be concatenated onto the command line (it was inside the
     ' string literal before); wait for each run so the psexec sessions go one at a time
     wshShell.Run """\\YourServerName\YourHiddenShareName\ChangeLocalPassword.exe"" " & sComputer, 0, True

     Set colGroups=Nothing
     Set oGroup=Nothing
     Set oUser=Nothing
     Set wshShell=Nothing
     ChangeLocalAdminPwAndLogUsers = True
End Function


'********************* MAIN PROGRAM **********************


     sDomain=InputBox("Input DomainName",sMsgBoxTitle,sDomainInput)

     If sDomain="" Then
          MsgBox "Domainname is missing - try again."
          wScript.Quit
     End If

     Set oDomain = GetObject("WinNT://" & sDomain)

     oDomain.Filter = Array("computer")
     MsgBox "Press OK, and wait a minute for each online computer ..."

     oFile.WriteLine "Collect members of local admin group for all online computers in domain " & sDomain & vbCrLf & vbCrLf
     oFile.WriteLine "COMPUTERNAME:" & vbTab & vbTab & "MEMBERS OF LOCAL ADMIN GROUP:"
     oFile.WriteLine "-------------" & vbTab & vbTab & "-----------------------------"

     For Each Computer in oDomain
          bStatus = ChangeLocalAdminPwAndLogUsers(sDomain,Computer.Name)
     Next

     oFile.WriteLine vbCrlf & vbCrlf
     oFile.WriteLine "-----------------------------------------------------------------------------------------------"
     oFile.WriteLine sProgramNavn & ".cis" & vbCrLf & Now & vbCrLf & vbCrLF
     
     
     wScript.sleep 1000
     WshShell.Run ("%windir%\notepad " & sFileName)

     wScript.sleep 1000
     WshShell.AppActivate sNotepadWindowName
       
     Set oDomain=Nothing
     Set wshShell=Nothing
     Set oFso=Nothing
     
Wscript.Quit
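Step 6 of the accepted solution rests entirely on the ACL of that hidden share, because the files on it carry a domain admin password and the new local admin password. Two caveats a practitioner would want before running it. First, a "hidden" share (trailing $) is only hidden from browsing; anyone with read rights can still open it by name. Second, compiling an AutoIt script does not encrypt it: the source, passwords included, can be recovered from the compiled exe with a decompiler, so blanking the passwords in the .au3 afterwards protects only the .au3 copy and the exe should be treated as the password itself and deleted once the run is done. The script below is an added example (not from the thread) that checks the first point: it lists every identity granted access at the share level and at the NTFS level and reports anything outside an allow-list. The server name, share name and allow-list are assumptions; Get-SmbShareAccess needs the SmbShare module (Windows 8 / Server 2012 and later) on the server.

```powershell
# Added example: confirm that the share holding psexec.exe, the .au3, the compiled
# .exe and the .vbs is readable only by the identities in $Allowed.
# Assumptions: hypothetical server/share names and allow-list below, PS remoting to
# the server, SmbShare module on the server (Windows 8 / Server 2012+).

param(
    [string]$Server    = 'YourServerName',
    [string]$ShareName = 'YourHiddenShareName$',
    [string[]]$Allowed = @('CORP\Domain Admins', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

function Test-AdminOnlyShare {
    param([string]$Server, [string]$ShareName, [string[]]$Allowed)

    $findings = @()

    # 1. Share-level permissions, read on the server itself
    $shareAcl = Invoke-Command -ComputerName $Server -ScriptBlock {
        param($n) Get-SmbShareAccess -Name $n
    } -ArgumentList $ShareName

    foreach ($ace in $shareAcl) {
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $ace.AccountName) {
            $findings += "Share ACL grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }

    # 2. NTFS permissions on the folder behind the share; inherited ACEs count too,
    #    since effective access is the intersection of share and NTFS rights
    $ntfs = Get-Acl -Path "\\$Server\$ShareName"
    foreach ($ace in $ntfs.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $ace.IdentityReference.Value) {
            $findings += "NTFS ACL grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)" +
                         $(if ($ace.IsInherited) { ' (inherited)' } else { '' })
        }
    }

    # 3. A trailing $ hides the share from browsing only; access is decided by the ACLs above
    if ($ShareName -notmatch '\$$') {
        $findings += "Share '$ShareName' is visible in browse lists (no trailing `$); cosmetic, but not what step 6 describes"
    }

    return $findings
}

$f = Test-AdminOnlyShare -Server $Server -ShareName $ShareName -Allowed $Allowed
if ($f.Count -eq 0) {
    "OK: only the allow-listed identities can read \\$Server\$ShareName"
} else {
    $f
}
```

Run it before copying the files to the share and again after the rotation, and treat any "Everyone", "Authenticated Users" or "Domain Users" finding as a stop: with those present, the rotation hands the new local admin password to every domain account.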

Author Comment

by:KellyKeeton
ID: 10783972
@trywaredk
Thanks, this looks like the most controlled option that I will be able to use on my domain.

@PeteLong
thanks as well

Expert Comment

by:trywaredk
ID: 10790129
:o) Glad I could help you - thank you for the points

Expert Comment

by:Pete Long
ID: 10790448
:)

Expert Comment

by:cjdavis618
ID: 10943894
There is also a tool from Sysinternals that can do this as well. It is a GUI and can select the whole domain if you want and change all to a single password at once.
