Change local admin password on all desktops

I would like to change the local admin account on all 500 of the desktops in my domain.  Is there a simple way to do this?  I would like to change it to the same password for all local admin.

I also would like to ensure that the users do not have admin rights to their local machines.

Thanks
Asked by: darovitz

Jay_Jay70 commented:
you can use restricted groups to control local admin rights
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

and a script like this one to reset admin passwords
http://articles.techrepublic.com.com/5100-1035_11-5198818.html

sirbounty commented:
Where atl-ws-01 is the workstation,

Set objUser = GetObject("WinNT://atl-ws-01/administrator")
objUser.SetPassword("AdminPassword")


or to change all the computers in an OU:

' Bind to the OU and enumerate only its computer objects
Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")

For Each objItem in objOU
    strComputer = objItem.CN
    ' Connect to the local Administrator account on that computer
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword("i5A2sj*!")
Next

acquired from: http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

To determine if the user is a local admin, this script should do the trick...(taken from http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug04/hey0805.mspx)

' Get the local computer name and the logged-on user's name
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

' Walk the members of the local Administrators group and look for that user
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser in objGroup.Members
    If objUser.Name = strUser Then
        Wscript.Echo strUser & " is a local administrator."
    End If
Next


Let me know if you need further assistance with this.

~sirbounty

sirbounty commented:
Should've refreshed first - sorry Jay_Jay70

Jay_Jay70 commented:
No need for apologies my friend

nitadmin commented:
I agree with sirbounty, use the script from Microsoft's Technet article. Script Guy has a lot of great scripts for System Administrators.

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

I have used this script, and it works perfectly, without any problems.

Cheers,
NITADMIN

darovitz (author) commented:
OK, which one is best, restricted group or the script?  I am leaning toward the restricted group.

nitadmin commented:
It depends on personal preferences.


I would prefer changing the local administrator password and not letting anyone have local administrator or local power user permissions.

Cheers,
NITADMIN

Jay_Jay70 commented:
Well, it's like comparing apples and oranges... the script reports on the members and resets the passwords, whereas the restricted groups controls the members

And if you work in an environment where you can get away with not even power user permissions then you are a lucky man... in reality, it doesn't work unless you have a monster IT policy in place

darovitz (author) commented:
woman... smile

Jay_Jay70 commented:
Oh how good do I now feel **Grin**... Twice I have done this on the boards now... Deep apologies!    You are a lucky woman :) :) :)

sirbounty commented:
Methinks we should start changing the blue banner to pink for comments that come from fairer sex...I too have made that mistake many times... :$

Jay_Jay70 commented:
Has my vote...I love feeling like a turkey.....

darovitz (author) commented:
You guys are killing me.  Pretty soon I'll be able to answer questions on here and catch up (I'm too busy to answer questions, smile).  Anyway I haven't gotten this to work yet.  I did do the restricted groups part (thanks Jay) and that works but haven't been able to change the password for all my machines. The one script required I import a list of all my machines into it (too much work)... haven't looked at the rest yet.  I just want to change from a txt to a vbs (maybe change my domain info) and that's it.  Lazy.

Jay_Jay70 commented:
Ah, but you can automate the text file build with a dsquery command where you query for all machines in your domain :) Trust me, all admins are lazy, that's why MS are so good with automation!

dsquery computer "dc=domain,dc=local" > C:\Computername.txt
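
Added example, not part of any post in this thread: a VBScript that reads the file written by the dsquery command above, pulls the computer name out of each distinguished name, and resets the local Administrator password through the same WinNT provider calls used in sirbounty's script. The log path, the assumption that the account is still named Administrator, and the sample DN in the comment are choices made for this example.

```vbscript
' Added example, not from the thread. Run with cscript.exe, not wscript.exe.
Option Explicit

Const ForReading = 1
Const INPUT_FILE = "C:\Computername.txt"   ' file written by the dsquery command
Const LOG_FILE = "C:\PasswordReset.log"    ' assumed log location
Const ADMIN_NAME = "Administrator"         ' assumes the account was not renamed

Dim objFSO, objIn, objLog, objRegEx, colMatches, objUser
Dim strPassword, strComputer, strResult

' Prompt for the password so it is not saved in the script file.
WScript.StdOut.Write "New local admin password: "
strPassword = WScript.StdIn.ReadLine

' dsquery prints one quoted DN per line, for example (constructed sample):
'   "CN=PC01,OU=Desktops,DC=domain,DC=local"
Set objRegEx = New RegExp
objRegEx.Pattern = "^\s*""?CN=([^,]+),"
objRegEx.IgnoreCase = True

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objIn = objFSO.OpenTextFile(INPUT_FILE, ForReading)
Set objLog = objFSO.CreateTextFile(LOG_FILE, True)

Do Until objIn.AtEndOfStream
    Set colMatches = objRegEx.Execute(objIn.ReadLine)
    If colMatches.Count > 0 Then
        strComputer = colMatches(0).SubMatches(0)
        ' A machine that is off or unreachable must not stop the run.
        On Error Resume Next
        Set objUser = GetObject("WinNT://" & strComputer & "/" & ADMIN_NAME & ",user")
        If Err.Number = 0 Then objUser.SetPassword strPassword
        If Err.Number = 0 Then
            strResult = "OK"
        Else
            strResult = "FAILED 0x" & Hex(Err.Number) & " " & Err.Description
        End If
        Err.Clear
        On Error GoTo 0
        objLog.WriteLine Now & vbTab & strComputer & vbTab & strResult
    End If
Loop

objIn.Close
objLog.Close
WScript.Echo "Done. Results are in " & LOG_FILE
```

dsquery returns at most 100 objects by default, so with 500 desktops the list needs `-limit 0` on the dsquery command line to be complete. Machines logged as FAILED keep their old password and need a second pass once they are reachable.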