Solved

Change local admin password on all desktops

Posted on 2006-11-19
Last Modified: 2008-02-01
I would like to change the local admin account on all 500 of the desktops in my domain.  Is there a simple way to do this?  I would like to change it to the same password for all local admin.

I also would like to ensure that the users do not have admin rights to their local machines.

Thanks
Question by:darovitz
14 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 250 total points
ID: 17976788
you can use restricted groups to control local admin rights
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

and a script like this one to reset admin passwords
http://articles.techrepublic.com.com/5100-1035_11-5198818.html
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17976799
Where atl-ws-01 is the workstation,

Set objUser = GetObject("WinNT://atl-ws-01/administrator")
objUser.SetPassword("AdminPassword")


or to change all the computers in an OU:

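' Bind to the OU and enumerate only its computer objects
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")

On Error Resume Next   ' an unreachable machine must not stop the loop
For Each objItem in objOU
    strComputer = objItem.CN
    Err.Clear
    ' Bind to the local Administrator account on that machine
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    If Err.Number = 0 Then objUser.SetPassword("i5A2sj*!")
    If Err.Number <> 0 Then Wscript.Echo "Failed: " & strComputer
Next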

acquired from: http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

To determine if the user is a local admin, this script should do the trick...(taken from http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug04/hey0805.mspx)

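' Get the computer name and the logged-on user's name
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

' Walk the direct members of the local Administrators group
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser in objGroup.Members
    ' Compare case-insensitively; account names are not case-sensitive
    If LCase(objUser.Name) = LCase(strUser) Then
        Wscript.Echo strUser & " is a local administrator."
    End If
Next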


Let me know if you need further assistance with this.

~sirbounty
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17976803
Should've refreshed first - sorry Jay_Jay70
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17976824
No need for apologies my friend
0
 
LVL 8

Expert Comment

by:nitadmin
ID: 17976921
I agree with sirbounty, use the script from Microsoft's Technet article. Script Guy has a lot of great scripts for System Administrators.

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

I have used this script, and it works perfectly, without any problems.

Cheers,
NITADMIN

0
 

Author Comment

by:darovitz
ID: 17985309
OK, which one is best, restricted group or the script?  I am leaning toward the restricted group.
0
 
LVL 8

Expert Comment

by:nitadmin
ID: 17985482
It depends on personal preferences.


I would prefer changing the local administrator password and not letting anyone have local administrator or local power user permissions.

Cheers,
NITADMIN
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17985604
Well, it's like comparing apples and oranges....the script reports on the members and resets the passwords, whereas the restricted groups control the members

And if you work in an environment where you can get away with not even power user permissions then you are a lucky man.....in reality, it doesn't work unless you have a monster IT policy in place
0
 

Author Comment

by:darovitz
ID: 17989828
woman... smile
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17991022
Oh how good do I now feel **Grin**......Twice I have done this on the boards now....Deep apologies!    You are a lucky woman :) :) :)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 17991125
Methinks we should start changing the blue banner to pink for comments that come from the fairer sex...I too have made that mistake many times... :$
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17991206
Has my vote...I love feeling like a turkey.....
0
 

Author Comment

by:darovitz
ID: 17996580
You guys are killing me.  Pretty soon I'll be able to answer questions on here and catch up (I'm too busy to answer questions, smile).  Anyway I haven't gotten this to work yet.  I did do the restricted groups part (thanks Jay) and that works but haven't been able to change the password for all my machines. The one script required I import a list of all my machines into it (too much work).... haven't looked at the rest yet.  I just want to change from a txt to a vbs (maybe change my domain info) and that's it.  Lazy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17999895
Ah, but you can automate the text file build with a dsquery command where you query for all machines in your domain :) Trust me, all admins are lazy, that's why MS are so good with automation!

dsquery computer "dc=domain,dc=local" -o rdn -limit 0 > C:\Computername.txt
0
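
Added example (not from any poster in this thread): a VBScript that reads a machine list such as the one the dsquery step writes, sets the local Administrator password on each machine, and lists the local Administrators group so the Restricted Groups result can be checked. The file path, the account name Administrator, the function name ResetAndAudit and the one-name-per-line file layout are assumptions.

```vbscript
' Added example (not from the thread). Run: cscript //nologo SetLocalAdmin.vbs
' Assumptions: C:\Computername.txt has one computer name per line (quotes allowed),
' and the built-in account is still named "Administrator".
Option Explicit
Const ForReading = 1
Const LIST_FILE = "C:\Computername.txt"

' Sets the password, then lists the local Administrators group so the
' Restricted Groups result can be checked. Returns "OK ..." or "FAIL ...".
Function ResetAndAudit(strComputer, strPassword)
    Dim objUser, objGroup, objMember, members
    On Error Resume Next   ' an offline desktop must not abort the whole run
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    If Err.Number = 0 Then objUser.SetPassword strPassword
    If Err.Number = 0 Then
        Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    End If
    If Err.Number <> 0 Then
        ResetAndAudit = "FAIL 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If
    For Each objMember In objGroup.Members
        members = members & " " & objMember.Name
    Next
    ResetAndAudit = "OK   admins:" & members
End Function

Dim fso, list, strComputer, strPassword, result, failCount

' Read the password at run time so it is never stored in the .vbs file
' (StdIn.ReadLine echoes what is typed, so run it from a private console).
WScript.StdOut.Write "New local Administrator password: "
strPassword = WScript.StdIn.ReadLine
If Len(strPassword) = 0 Then WScript.Quit 1

Set fso = CreateObject("Scripting.FileSystemObject")
Set list = fso.OpenTextFile(LIST_FILE, ForReading)
failCount = 0
Do Until list.AtEndOfStream
    ' Strip the quotes dsquery puts around each name
    strComputer = Trim(Replace(list.ReadLine, """", ""))
    If Len(strComputer) > 0 Then
        result = ResetAndAudit(strComputer, strPassword)
        If Left(result, 4) = "FAIL" Then failCount = failCount + 1
        WScript.Echo strComputer & vbTab & result
    End If
Loop
list.Close
WScript.Echo failCount & " machine(s) failed; rerun against those once they are online."
```

A FAIL line means at least one step did not complete on that machine; rerunning against it is harmless because the same password is simply set again.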

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question