Solved

Rollout a Local Admin password change over a 2000 domain with win XP clients.

Posted on 2006-06-11
Last Modified: 2013-12-23
I have a domain controller (b1) and Windows XP clients.
The clients can have one of two local admin passwords, however I would like to change that to just one.
Is there any way I can roll out a change? (I can remotely shut down a workstation)
Question by:mnb93
10 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 16884529

Yep there's a way...

But how do you want to do it? Work from a list of PCs? Work for every PC in AD (except DCs)? Work for every PC in a specific OU (or group of OUs)?

Otherwise all you really have to do is this for each of them:

Set objUser = GetObject("WinNT://<ComputerName>/Administrator, user")
objUser.SetPassword("<NewPassword>")

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 16884533

Should have noted.. the two lines above are VbScript and would need saving to a .vbs file if you want to test it on a specific PC.

Chris
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 300 total points
ID: 16887569
Another way;

Go to http://www.sysinternals.com/Utilities/PsPasswd.html and get the pspasswd utility.

Then just run it this way;

Make a text file, let's call it 'file', and put your machine names into it one per line. You can easily do it by exporting an AD query to a text file.

pspasswd @file Administrator <newpassword>

Run it with domain administrator privilege and you are done. Just create a batch file and keep it for future.

Batch File:

pspasswd @file Administrator %1

Save the above into 'change.bat' and invoke it as 'change.bat <newpassword>'

Cheers,
Rajesh

0

 
LVL 5

Author Comment

by:mnb93
ID: 16891857
"Work for every PC in AD" yes.

And where do I run your code?
0
 
LVL 5

Author Comment

by:mnb93
ID: 16891898
pspasswd @file Administrator <newpassword>

Will that change it for every computer on the domain?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16891999
For all the computers you have listed in the 'file'.

You can extract all the computer names from the AD itself by using the query.

Cheers,
Rajesh
0
 
LVL 5

Author Comment

by:mnb93
ID: 16892030
What query?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16892069
When you open Active Directory Users and Groups MMC snap-in, you can see 'Saved Queries'. Go in there and create a query to list all the computers that are registered to Active Directory and save it to a file.

Cheers,
Rajesh
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points
ID: 16892262

Here's a script that'll do it. It's best run from the command line because of how it dumps out error messages. To do that you'd have to open a command prompt, go to wherever the script is and run it with "cscript <scriptname.vbs>" (cscript is the command line processor for VBS). All the error handling can be changed if you want.

Right now it only skips computers in the Domain Controllers OU, if you want to skip more than that then just say what and we can figure out how.

The only bit you need to change is this line:

objUser.SetPassword "NewPassword"

Where it needs the password you want to set.

The script should run from anywhere, you'll obviously need to run it with an account that has permission to change the passwords.

Finally, it takes quite a while to run if you have a lot of dead computer accounts in your domain.


Const ADS_SCOPE_SUBTREE = 2

Dim objConnection, objCommand, objRecordSet, objRootDSE
Dim strPath, strName

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT aDSPath, name FROM 'LDAP://" &_
      objRootDSE.Get("defaultNamingContext") & "' WHERE objectClass='computer'"
Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
      strPath = objRecordSet.Fields("aDSPath")
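      ' InStr returns a position (0 when not found); "Not" on a number is bitwise,
      ' so test for 0 explicitly or the Domain Controllers OU is never skipped
      If InStr(strPath, "Domain Controllers") = 0 Then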
            strName = objRecordSet.Fields("name")
            On Error Resume Next
            Err.Clear
            Set objUser = GetObject("WinNT://" & strName & "/Administrator, user")
            If Err.Number <> 0 Then
                  WScript.Echo "Failed to Connect to Computer: " & strName
            Else
                  Err.Clear
                  objUser.SetPassword "NewPassword"
                  If Err.Number <> 0 Then
                        WScript.Echo "Failed to Change Password: " & strName
                  Else
                        WScript.Echo "Password Changed: " & strName
                  End If
            End If
            On Error Goto 0
      End If
      objRecordSet.MoveNext
Wend

objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
0
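An added example, not part of the original thread: one way to build the 'file' list for pspasswd straight from AD, excluding domain controllers by their userAccountControl flag rather than by OU name (on a DC the WinNT "Administrator" is the domain account) and skipping disabled computer accounts. The function name, its parameter and the output path are assumptions.

```powershell
# Added example; Get-WorkstationNames, $SearchBase and .\file are hypothetical names.
function Get-WorkstationNames {
    param([string]$SearchBase)   # optional LDAP path to limit the search to one OU

    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule for userAccountControl:
    #   8192 = SERVER_TRUST_ACCOUNT (domain controller)
    #   2    = ACCOUNTDISABLE
    $filter = '(&(objectCategory=computer)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    }
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000    # paged search, so results are not cut off at the server limit
    [void]$searcher.PropertiesToLoad.Add('name')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['name'][0] }
    }
    finally {
        $results.Dispose()       # the result collection holds unmanaged resources
    }
}

# One computer name per line, the layout pspasswd expects for @file
$names = @(Get-WorkstationNames | Sort-Object)
$names | Set-Content -Path .\file -Encoding ASCII
"{0} computers written to .\file" -f $names.Count
```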
 
LVL 5

Author Comment

by:mnb93
ID: 16957412
What I ended up doing:
pspasswd \\* Administrator newpassword

(But you both get points.)
0
