• Status: Solved

Roll out a Local Admin password change over a 2000 domain with Win XP clients.

I have a domain controller (b1) and Windows XP clients.
The clients can have one of two local admin passwords, however I would like to change that to just one.
Is there any way I can roll out a change? (I can remotely shut down a workstation.)
Asked by: mnb93
 
Chris Dent (PowerShell Developer) commented:

Yep there's a way...

But how do you want to do it? Work from a list of PCs? Work for every PC in AD (except DCs)? Work for every PC in a specific OU (or group of OUs)?

Otherwise all you really have to do is this for each of them:

Set objUser = GetObject("WinNT://<ComputerName>/Administrator, user")
objUser.SetPassword("<NewPassword>")

Chris

Chris Dent (PowerShell Developer) commented:

Should have noted... the two lines above are VBScript and would need saving to a .vbs file if you want to test it on a specific PC.

Chris

rsivanandan commented:
Another way;

Go to http://www.sysinternals.com/Utilities/PsPasswd.html and get the pspasswd utility.

Then just run it this way;

Make a text file, let's call it 'file', and put your machine names into it one by one. You can easily do it by exporting an AD query to a text file.

pspasswd @file Administrator <newpassword>

Run it with domain administrator privilege and you are done. Just create a batch file and keep it for future.

Batch File:

pspasswd @file Administrator %1

Save the above into 'change.bat' and invoke it as 'change.bat <newpassword>'

Cheers,
Rajesh

 
mnb93 (Author) commented:
"Work for every PC in AD" yes.

And where do I run your code?

mnb93 (Author) commented:
pspasswd @file Administrator <newpassword>

Will that change it for every computer on the domain?

rsivanandan commented:
For all the computers you have listed in the 'file'.

You can extract all the computer names from the AD itself by using the query.

Cheers,
Rajesh

mnb93 (Author) commented:
What query?

rsivanandan commented:
When you open Active Directory Users and Groups MMC snap-in, you can see 'Saved Queries'. Go in there and create a query to list all the computers that are registered to Active Directory and save it to a file.

Cheers,
Rajesh
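
Added example, not part of the original posts: one way to produce the machine list for `pspasswd @file` directly from AD, excluding domain controllers and disabled accounts by their `userAccountControl` flags rather than by OU name. It assumes a domain-joined admin workstation with PowerShell; the function names are hypothetical and the output file name 'file' follows the post above.

```powershell
# Added example, not from the thread. Assumes a domain-joined admin workstation
# and the list file name 'file' used in the pspasswd command above.

function Get-WorkstationFilter {
    # userAccountControl flags to exclude:
    #   8192 = SERVER_TRUST_ACCOUNT (domain controller), 2 = ACCOUNTDISABLE
    param([int[]]$ExcludeFlags = @(8192, 2))

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
    $clauses = foreach ($flag in $ExcludeFlags) {
        '(!(userAccountControl:1.2.840.113556.1.4.803:={0}))' -f $flag
    }
    '(&(objectCategory=computer){0})' -f ($clauses -join '')
}

function Get-WorkstationNames {
    # Search the current domain; paging avoids the 1000-object result cap
    $searcher = [adsisearcher](Get-WorkstationFilter)
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('name')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['name'][0] }
    } finally {
        $results.Dispose()
    }
}

# One computer name per line, the format pspasswd expects for @file
$names = @(Get-WorkstationNames | Sort-Object)
$names | Set-Content -Path .\file -Encoding ASCII
'{0} computer names written to .\file' -f $names.Count
```

Review `file` before running `pspasswd @file Administrator <newpassword>` so the change touches only the machines listed.
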
 
Chris Dent (PowerShell Developer) commented:

Here's a script that'll do it. It's best run from the command line because of how it dumps out error messages. To do that you'd have to open a command prompt, go to wherever the script is and run it with "cscript <scriptname.vbs>" (cscript is the command line processor for VBS). All the error handling can be changed if you want.

Right now it only skips computers in the Domain Controllers OU, if you want to skip more than that then just say what and we can figure out how.

The only bit you need to change is this line:

objUser.SetPassword "NewPassword"

Where it needs the password you want to set.

The script should run from anywhere, you'll obviously need to run it with an account that has permission to change the passwords.

Finally, it takes quite a while to run if you have a lot of dead computer accounts in your domain.


Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRecordSet, objRootDSE
Dim strPath, strName

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT aDSPath, name FROM 'LDAP://" &_
      objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"
Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
      strPath = objRecordSet.Fields("aDSPath")
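      ' InStr returns a position (0 = not found). "Not InStr(...)" is a bitwise Not that is
      ' never 0, so it never skipped anything; compare with 0 to skip Domain Controllers.
      If InStr(strPath, "Domain Controllers") = 0 Then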
            strName = objRecordSet.Fields("name")
            On Error Resume Next
            Err.Clear
            Set objUser = GetObject("WinNT://" & strName & "/Administrator, user")
            If Err.Number <> 0 Then
                  WScript.Echo "Failed to Connect to Computer: " & strName
            Else
                  Err.Clear
                  objUser.SetPassword "NewPassword"
                  If Err.Number <> 0 Then
                        WScript.Echo "Failed to Change Password: " & strName
                  Else
                        WScript.Echo "Password Changed: " & strName
                  End If
            End If
            On Error Goto 0
      End If
      objRecordSet.MoveNext
Wend

objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing

mnb93 (Author) commented:
What I ended up doing:
pspasswd \\* Administrator newpassword

(But you both get points.)
Question has a verified solution.
