Solved

Can you change Client Local Administrator Password via Active Directory?

Posted on 2004-04-07
14
4,828 Views
Last Modified: 2013-12-04
I am wondering if you can create a policy to change the local admin password on every client in an OU (or domain).

I am aware of http://support.microsoft.com/default.aspx?scid=kb;EN-US;q149427; however, I want to use this as a 2nd option for a logon script, or a VB script that is run on each client.
Question by:KellyKeeton
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 10775382
Through policy - I don't think so, no. Local administrators (and users) are unique to the clients and cannot exist (as a GUID object in Active Directory).

Do this instead

Change All Local Admin Passwords


Change Local Administrator Password Remotely
 

Download the utility 'cryptpwd' from :
http://www.jsiinc.com/tip0300/rh0349.htm

Now just create a textfile containing all your servernames
(e.g. serverlist.txt) and then create a batchfile with the following line :

FOR /F %%x in (serverlist.txt) do cryptpwd -m \\%%x -P newpassword

(where newpassword is the password you want to set as the
local administrator password on the servers.)

(You obviously need to have admin. rights to the servers in order
to change the password.)

This method changes the password immediately.


From http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=1373&CatID=267
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10775393
obviously you can do the client names as well :)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775481
Never have a domain password unencrypted in a batch-file - it could be a great security risk

Instead follow this thread, and find my 2 comments about runas and compiler
http://www.experts-exchange.com/Security/Win_Security/Q_20933972.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10775488
0
 

Author Comment

by:KellyKeeton
ID: 10775557
@trywaredk
    point very well taken and I agree; however, we have come across a situation where we are at a point that we must evaluate the risks of a password that is known vs. a quick change of them all, combined with a simple encryption of the batch file to exe. The script would be running for such a short time that the risk of leaking out would be small.

@PeteLong
  this is more versatile than the NET command, thank you ... I am going to leave this open for a bit longer to see any more ideas that people might have.
0
 

Author Comment

by:KellyKeeton
ID: 10775720
I heard there is a VB script that will allow the change of the local admin password from a remote box.

(I, from my box, enter the client name and the password to change to)

Anyone have a link to this? Couldn't find it in search. Then I can just create a big old program to run from my box.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 10775942
If you have the W2k Resource Kit (or, to be more specific, "cusrmgr.exe", "local.exe", and "getsid.exe"), I could offer a batch script that will set the built-in (the SID will be retrieved, it will not go for the actual account name) local Administrator's password and rename the account (if requested). In addition, it will create a log file which, among other information, lists other members of the local Administrators group on each machine, which might be of interest for you--if the admin password leaked, somebody might have created additional accounts with administrative permissions.
It'll be some hours before I have access to the script, so holler if you're interested.
0
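oBdA's resource-kit script itself was never posted. The block below is an added example, not oBdA's script and not code from the thread, that does what the comment describes with the WinNT ADSI provider from PowerShell: it locates the built-in Administrator by its SID (RID 500) rather than by name, sets its password, and logs every member of the local Administrators group per machine so that extra administrative accounts stand out. It assumes it is run from an account that already holds admin rights on the targets; serverlist.txt, the log path and the parameter names are placeholders of this example, and the new password is taken from a credential prompt instead of being written into the script.

```powershell
# Added example (not from the thread): set the built-in local Administrator's
# password by SID and log who else is in the local Administrators group.
# Usage (names are placeholders):
#   .\Set-LocalAdminPassword.ps1 -ComputerName (Get-Content .\serverlist.txt) `
#       -NewAdminCredential (Get-Credential -UserName Administrator -Message 'New local admin password')
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [pscredential] $NewAdminCredential,   # only its password is used
    [string] $LogPath = "$env:TEMP\LocalAdminAudit.txt"
)

# Find the built-in Administrator by RID 500, not by name, so a renamed account is
# still found and an account merely named "Administrator" is not mistaken for it.
function Get-BuiltinAdmin([string] $Computer) {
    $machine = [ADSI]"WinNT://$Computer,computer"
    foreach ($child in $machine.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
        if ($sid.Value.EndsWith('-500')) { return $child }
    }
    return $null
}

# List every member of the local Administrators group as an ADsPath
# (WinNT://DOMAIN/name or WinNT://HOST/name), so unexpected entries are visible.
function Get-LocalAdminMembers([string] $Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$plain = $NewAdminCredential.GetNetworkCredential().Password
foreach ($c in $ComputerName) {
    try {
        $admin = Get-BuiltinAdmin $c
        if (-not $admin) { throw "no RID-500 account found" }
        $admin.SetPassword($plain)
        $admin.SetInfo()
        $members = (Get-LocalAdminMembers $c) -join ', '
        $line = "{0}`tOK`tbuilt-in admin is '{1}'`tAdministrators: {2}" -f $c, $admin.Name, $members
    } catch {
        # Offline host, access denied or a bind failure ends up here; nothing is changed on it.
        $line = "{0}`tFAILED`t{1}" -f $c, $_.Exception.Message
    }
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}
$plain = $null
```

The log is tab separated so it can be sorted or diffed against an expected membership list; any ADsPath in the Administrators column that is not your domain admin group or the RID-500 account is worth a look, which is the point oBdA makes about a leaked password.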
 
LVL 16

Expert Comment

by:JamesDS
ID: 10781247
KellyKeeton

The following VBScript code will change an administrator password on a remote machine. If you pad it out with the rest of the automation code it will run as local system when called by a GPO Startup script. I wrote a complete VBScript solution to this problem a while ago, but it's way too large to post the whole lot here.

Cheers

JamesDS


On Error Resume Next
Dim strHostName, strNewPassword
strHostName = "CLIENT01"            ' placeholder: target computer name
strNewPassword = "NewPasswordHere"  ' placeholder: supplied by the surrounding automation code

Sub SetNewPassword()
      Dim oUser
      ' Bind to the built-in Administrator account through the WinNT ADSI provider
      Set oUser = GetObject("WinNT://" & strHostName & "/Administrator,user")
      oUser.SetPassword strNewPassword
      oUser.SetInfo
      Call ErrorHandler()
End Sub

' Placeholder error handler; the post refers to one but does not include it
Sub ErrorHandler()
      If Err.Number <> 0 Then WScript.Echo "Error " & Err.Number & " on " & strHostName & ": " & Err.Description
      Err.Clear
End Sub

SetNewPassword
0
 
LVL 12

Accepted Solution

by:trywaredk (earned 500 total points)
ID: 10781752
>"I heard there is a VB script that will allow the change of the local admin password from a remote box"

Well - I thought that I almost told you enough in the links above, but here it is:

1. Download the free compiler Autoit from http://www.hiddensoft.com/autoit3/downloads.php
2. Download psexec.exe from http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
3. Create a ChangeLocalPassword.au3 like the one below
4. Compile ChangeLocalPassword.au3, and you will have a binary ChangeLocalPassword.exe
5. Create a ChangeLocalAdminPwAndLogUsers.vbs like the one below
6. Place the psexec.exe and your 3 files (au3, exe and vbs) on a hidden share on your domain controller, where only domain admins can read.
7. Logon as domain admin and run the vbs-file with %systemroot%\system32\wscript.exe

Test this line on one computer before running the whole stuff:
ChangeLocalPassword.exe YourTestComputerName

The only security risk in this setup is the au3 file - rename the passwords to xxxxxx and zzzzz after compiling, and you don't have any risks anymore. You actually could place the vbs-file and compiled exe-file in \\yourservername\netlogon


--- ChangeLocalPassword.au3 --------------------------------------------------------------------------------------------------------------
; Usage: ChangeLocalPassword.exe TargetComputerName
; Fill in the domain name, share path and both passwords before compiling,
; then overwrite the passwords in this source file once the exe is built.
Dim $UserName, $DomainName, $DomainAdminPassword, $LocalAdminPassword, $RunProgram, $RunPath, $val

If $CmdLine[0] < 1 Then
    MsgBox(16, "ChangeLocalPassword", "Usage: ChangeLocalPassword.exe ComputerName")
    Exit 1
EndIf

$UserName = "Administrator"
$DomainName = "YourDomainName"
$DomainAdminPassword = "zzzzzzzzzzzzzzzzzzzzzz"
$LocalAdminPassword = "xxxxxxxxxxxxxxxxxxxxxxx"

; AutoIt does not expand $variables inside a quoted string, so the command line
; is built with &; psexec expects the target as \\ComputerName.
$RunProgram = "psexec.exe \\" & $CmdLine[1] & " cmd /c net user " & $UserName & " " & $LocalAdminPassword
$RunPath = "\\YourServerName\YourHiddenShareName"

; Run psexec under the domain admin account (AutoIt 3.0 RunAsSet syntax)
RunAsSet($UserName, $DomainName, $DomainAdminPassword)

$val = RunWait($RunProgram, $RunPath, @SW_MAXIMIZE)
Exit $val
-------------------------------------------------------------------------------------------------------------------


 
--- ChangeLocalAdminPwAndLogUsers.vbs ------------------------------------------------------------------------------------------------
On Error Resume Next

Dim oFso, oFile, sFileName
Dim oDomain, wshShell, Computer
Dim sProgramNavn, sMsgBoxTitle, sDomainInput, sLocalAdminGroup, sDomain, sNotepadWindowName
Dim bStatus

     sMsgBoxTitle = "Collect members of local admin group."
     sDomainInput = "YourDomainName"
     sLocalAdminGroup = "Administrators"
     sProgramNavn = "EnumLocalAdminGroup"
     sFileName = "C:\TEMP\" & sProgramNavn & ".txt"
     sNotepadWindowName = "Notepad"

     Set wshShell = WScript.CreateObject("WScript.Shell")
     Set oFso = CreateObject("Scripting.FileSystemObject")
     Set oFile = oFso.CreateTextFile(sFileName)

     sLocalAdminGroup = UCase(sLocalAdminGroup)


' Writes the members of the local Administrators group on sComputer to oFile,
' then runs the compiled ChangeLocalPassword.exe against that computer.
' Returns True when the computer could be reached, False when the WinNT bind
' failed (offline or access denied), in which case nothing is run against it.
Function ChangeLocalAdminPwAndLogUsers(sDomainName, sComputer)
  Dim colGroups, oGroup, oUser
  Dim sFound, sTab

     ChangeLocalAdminPwAndLogUsers = False
     sTab = vbTab
     If Len(sDomainName & "/" & sComputer) <= 15 Then sTab = vbTab & vbTab

     Err.Clear
     Set colGroups = GetObject("WinNT://" & sComputer)
     If Err.Number <> 0 Then
          oFile.WriteLine sDomainName & "/" & sComputer & sTab & "OFFLINE OR ACCESS DENIED (" & Err.Description & ")"
          Err.Clear
          Exit Function
     End If
     colGroups.Filter = Array("group")

     For Each oGroup In colGroups
          If UCase(oGroup.Name) = sLocalAdminGroup Then
               For Each oUser In oGroup.Members
                    sFound = sDomainName & "/" & sComputer & sTab & oGroup.Name & sTab & oUser.Name
                    oFile.WriteLine sFound
               Next
          End If
     Next

     ' The computer name is concatenated onto the command line (inside the quotes it
     ' would be passed literally), and the call waits so one computer is done at a time.
     wshShell.Run "\\YourServerName\YourHiddenShareName\ChangeLocalPassword.exe " & sComputer, 0, True

     Set colGroups = Nothing
     Set oGroup = Nothing
     Set oUser = Nothing
     ChangeLocalAdminPwAndLogUsers = True
End Function


'********************* MAIN PROGRAM **********************


     sDomain = InputBox("Input DomainName", sMsgBoxTitle, sDomainInput)

     If sDomain = "" Then
          MsgBox "Domainname is missing - try again."
          WScript.Quit
     End If

     Err.Clear
     Set oDomain = GetObject("WinNT://" & sDomain)
     If Err.Number <> 0 Then
          MsgBox "Cannot bind to domain " & sDomain & ": " & Err.Description
          WScript.Quit 1
     End If

     oDomain.Filter = Array("computer")
     MsgBox "Press OK, and wait a minute for each online computer ..."

     oFile.WriteLine "Collect members of local admin group for all online computers in domain " & sDomain & vbCrLf & vbCrLf
     oFile.WriteLine "COMPUTERNAME:" & vbTab & vbTab & "MEMBERS OF LOCAL ADMIN GROUP:"
     oFile.WriteLine "-------------" & vbTab & vbTab & "-----------------------------"

     For Each Computer In oDomain
          bStatus = ChangeLocalAdminPwAndLogUsers(sDomain, Computer.Name)
     Next

     oFile.WriteLine vbCrLf & vbCrLf
     oFile.WriteLine "-----------------------------------------------------------------------------------------------"
     oFile.WriteLine sProgramNavn & ".cis" & vbCrLf & Now & vbCrLf & vbCrLf
     oFile.Close   ' flush the log before Notepad opens it


     WScript.Sleep 1000
     wshShell.Run "%windir%\notepad " & sFileName

     WScript.Sleep 1000
     wshShell.AppActivate sNotepadWindowName

     Set oDomain = Nothing
     Set wshShell = Nothing
     Set oFso = Nothing

WScript.Quit
0
 

Author Comment

by:KellyKeeton
ID: 10783962
@trywaredk
0
 

Author Comment

by:KellyKeeton
ID: 10783972
@trywaredk
thanks, this looks like the most controlled that I will be able to use on my domain.

@PeteLong
thanks as well
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10790129
:o) Glad I could help you - thank you for the points
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10790448
:)
0
 
LVL 1

Expert Comment

by:cjdavis618
ID: 10943894
There is also a tool from sysinternals that can do this as well. It is a gui and can select the whole domain if you want and change all to a single password at once.

0
