Change Local Admin Password Vbs

I want to change all of computers local administrator account. There is a VBS about this situation in The Portable Script Center :

strComputer = "atl-ws-01"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")

objUser.SetPassword "09iuy%4e"

On GPO Computer Configuration it has done windows settigs startup scripts
This vbs should be shared on the DC path= \\DC.INT\SYSVOL\DC.INT\SCRIPTS
I tried this solution but how can i protect that folder from domain users?
They can see this vbs and what does included ?

Who is Participating?
Computer101Connect With a Mentor Commented:
PAQed with points refunded (125)

EE Admin
Change the permissions of the VBS, remove inherited permissions and add Authenticated Users with advanced permissions to Traverse Folder / Execute File Allow only

Hopefully they can execute the script, but they cannot browse to it to be able to view it.

My concern is... your standard users have the rights to change the local administrators password???  That's bad.
Also, you can use the Microsoft Script Encoder to scramble the text in the VBS file, which gets converted to a VBE file.  Keep the VBS file then in a more secure location.

But I also agree with Lester.....while your Domain Users run a login script, they have the ability to change local admin passwords....that means they "are" local admins, doesn't it?


Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

nemeiaAuthor Commented:
I tried to give Traverse Folder / Execute File Allow only permisson.
if they cant read this script that will not work. They can't able to view it so it doesnt work.
My standard users doesn't have a permission to change local administrator password.
I applied the GPO computers on Acive Directory computers account are moved a Organizational Unit which GPO applied.
In this way does not give a permission to change local admin passwd for standart users.
That computer has two local admin users computer\administrator, Domain.Com\Domain Admins there is no any administrator account.
I will check the Microsoft Script Encoder. I could make an encrypted script.

Thank you for your information.
If you run a new script as a StartUp Script, instead of a Login Script, you will be able to use just these three lines:

    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "x%tY7iu8%4f"

This will have the ability to reset the password because the script will run using the local System account of the computer that runs it.


nemeiaAuthor Commented:

The problem was solved by removed Authenticated User on that scripts and Add Computer Accounts

on security tab. In this way standard users are not able to view this script.

I also tried your solution Rob but it doesn't work. It uses computer account permissions.

Because when i removed computer accounts on scripts security tab it doesn't work.

Thanks all of you :)
That's great.  Yes, my solution does require computer permissions, because it uses the local System account, not an ordinary user account, when run as a StartUp script.

But it's great that you got it working.


All Courses

From novice to tech pro — start learning today.