Change Local Admin Password Vbs

nemeia asked:
I want to change the local administrator account on all of the computers. There is a VBS for this situation in The Portable Script Center:

    strComputer = "atl-ws-01"
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")

    objUser.SetPassword "09iuy%4e"
    objUser.SetInfo

In the GPO, under Computer Configuration, it is done with Windows Settings startup scripts.
This VBS has to be shared on the DC, path = \\DC.INT\SYSVOL\DC.INT\SCRIPTS
I tried this solution, but how can I protect that folder from domain users?
They can see this VBS and what is included in it?

Change the permissions of the VBS, remove inherited permissions and add Authenticated Users with advanced permissions to Traverse Folder / Execute File Allow only.

Hopefully they can execute the script, but they cannot browse to it to be able to view it.

My concern is... your standard users have the rights to change the local administrator's password???  That's bad.
Commented:
Also, you can use the Microsoft Script Encoder to scramble the text in the VBS file, which gets converted to a VBE file.  Keep the VBS file then in a more secure location.

But I also agree with Lester.....while your Domain Users run a login script, they have the ability to change local admin passwords....that means they "are" local admins, doesn't it?

Regards,

Rob.

Author

Commented:
I tried to give the Traverse Folder / Execute File Allow only permission.
If they can't read this script, it will not work. They are not able to view it, so it doesn't work.
My standard users don't have permission to change the local administrator password.
I applied the GPO to computers: the Active Directory computer accounts were moved to an Organizational Unit to which the GPO is applied.
This way it does not give standard users permission to change the local admin password.
That computer has two local admin users, computer\administrator and Domain.Com\Domain Admins; there is no other administrator account.
I will check the Microsoft Script Encoder. I could make an encrypted script.

Thank you for your information.
Commented:
If you run a new script as a StartUp Script, instead of a Login Script, you will be able to use just these three lines:

    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "x%tY7iu8%4f"

This will have the ability to reset the password because the script will run using the local System account of the computer that runs it.

Regards,

Rob.

Author

Commented:

The problem was solved by removing Authenticated Users from that script and adding Computer Accounts on the Security tab. This way standard users are not able to view the script.

I also tried your solution, Rob, but it doesn't work. It uses computer account permissions, because when I removed the computer accounts on the script's Security tab it doesn't work.

Thanks all of you :)
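
The permission change described in the post above (remove Authenticated Users, grant the computer accounts read access), written out as a PowerShell sketch together with a check for entries that still let ordinary users read the file. This is an added example, not code from the thread; the script file name and NetBIOS domain name are placeholders, English group names are assumed, and it is meant to be run as a Domain Admin.

```powershell
# Added example. <script-name> and <NETBIOS-DOMAIN> are placeholders, not values from the thread.
function Set-StartupScriptAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$NetBiosDomain
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the SCRIPTS folder; do not keep copies of inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit entries already on the file (e.g. Authenticated Users).
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $grants = [ordered]@{
        'NT AUTHORITY\SYSTEM'             = 'FullControl'
        "$NetBiosDomain\Domain Admins"    = 'FullControl'
        "$NetBiosDomain\Domain Computers" = 'ReadAndExecute'  # startup scripts run as the computer
    }
    foreach ($identity in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $grants[$identity], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Returns Allow entries that still give a broad user group read access to the file.
function Get-UserReadableEntry {
    param([Parameter(Mandatory)][string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $broad    = '(Authenticated Users|Domain Users|Everyone|\\Users)$'  # English names assumed
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readData) -eq $readData) -and
        $_.IdentityReference.Value -match $broad
    }
}

$script = '\\DC.INT\SYSVOL\DC.INT\SCRIPTS\<script-name>.vbs'
Set-StartupScriptAcl -Path $script -NetBiosDomain '<NETBIOS-DOMAIN>'
$left = @(Get-UserReadableEntry -Path $script)
if ($left.Count -gt 0) {
    $left | Format-Table IdentityReference, FileSystemRights
} else {
    'No broad user group can read the script.'
}
```

The password is still stored in clear text in the file and stays readable to anything running as a computer account; the ACL only narrows who can open it.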
Commented:
That's great.  Yes, my solution does require computer permissions, because it uses the local System account, not an ordinary user account, when run as a StartUp script.

But it's great that you got it working.

Regards,

Rob.
PAQed with points refunded (125)

Computer101
EE Admin