  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 351

Is it possible to configure a common password for all local administrator accounts in a Windows 2000 domain?

Is it possible to configure a domain-wide common password for all local administrator accounts in a Windows 2000/2003 domain?

So that all local administrators' passwords will become the same and the administrator will be able to change all of them at a time if required.

Any way to do this through Group Policy?
Asked: SAMJEETM
1 Solution
 
Malli Boppe commented:
0
 
reubstr commented:
There is a way, but it isn't managed at a domain level because the domain isn't aware of the local user accounts. The way to do it is on every machine that goes out (I did it in the image), create a user like admin001. Set the password.

Voilà... But I don't have a solution to do it across a domain.
0
 
goban commented:
Yes! You need to use Group Policy to configure Restricted Groups.

Create a new user in AD Users and Computers
Create a GPO and navigate to
Computer Configuration\Windows Settings\Restricted Groups\
Right click, Add Group
Browse and add the Administrators group
Add your Username that you created before to the Administrators group

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0

 
reubstr commented:
Sorry goban, a couple of things. This will wipe out all other groups in Administrators.

Also, this doesn't change any passwords.

Also, SAMJEETM didn't say he had a username before.

SamJeetm, it is recommended you rename the local administrator account through GPO, and create a dumb user named administrator. Reason, Example: all XP machines from the factory have the same SID for Administrator. Everyone knows that account exists on a machine, and can spoof the SID. Giving full access to the machine.

0
 
balmasri commented:
You can change the password of Administrator:
- Create a batch file that contains the following command:
net user Administrator <yourpassword>
- Save it as .bat
- Put it in the Startup script [Computer Configuration] in a newly created GPO. Link this GPO to all OUs except the domain level and Domain Controllers OU.
Notes:
1) The password in the .bat file will be plain text. It's better to use a 3rd party software to encrypt this file [convert it to exe] so that no one will see the password.
2) It's not recommended to use the same password for desktops and servers.
0
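
As an added example (not posted by anyone in this thread): startup scripts assigned through a GPO are stored in SYSVOL, which domain users can read by default, so a `net user` line with a literal password is visible to them. This check finds such lines in `.bat`/`.cmd` files; the function names and the sample script are constructed for illustration.

```python
import os
import re

# "net user <account> <arg>": also matches net.exe / net1 and commands that
# follow a prefix such as "@", "call" or "rem" (commented-out lines still
# expose the secret to anyone who can read the file).
NET_USER = re.compile(
    r'(?<![\w.])net1?(?:\.exe)?\s+user\s+'
    r'(?P<account>"[^"]+"|\S+)\s+(?P<arg>"[^"]*"|\S+)',
    re.IGNORECASE,
)

def find_plaintext_passwords(script_text, filename="<script>"):
    """Return (filename, line_no, account) per literal password; the password is not returned."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        m = NET_USER.search(line)
        if not m:
            continue
        arg = m.group("arg")
        # "*" prompts interactively, "/switch" means no password was given,
        # %VAR% / %1 is a reference rather than a literal on this line.
        if arg == "*" or arg.startswith("/") or re.fullmatch(r"%\w+%?", arg):
            continue
        findings.append((filename, line_no, m.group("account").strip('"')))
    return findings

def scan_tree(root):
    """Scan every .bat/.cmd file under root (e.g. a copy of a GPO scripts folder)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".bat", ".cmd")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += find_plaintext_passwords(fh.read(), path)
    return findings

# Constructed sample script, not taken from the thread.
SAMPLE_BAT = '''@echo off
rem net user Administrator OldExample1
net user Administrator Example-Passw0rd!
NET.EXE USER "Local Admin" "two words" /active:yes
net user Administrator *
net user svc_backup /add
net user Administrator %NEWPW%
'''

if __name__ == "__main__":
    print(find_plaintext_passwords(SAMPLE_BAT, "startup.bat"))
```

Lines that prompt with `*`, pass only switches, or reference a variable are not reported, since the literal is not on that line.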
 
Netman66 commented:
Don't use Restricted Groups - this has nothing to do with changing passwords.

This article explains how to do it:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;272530

You can modify the script to use a variable for the computername that is read from a text file then loop through the command until it's complete.

It's relatively simple.
0
 
goban commented:
I stand by what I posted earlier. SAMJEETM asked if changing (managing) a local administrator account password could be accomplished through group policy. The link I posted clearly explains how to do this.

It is true that the rules you set in Group Policy will replace/override the local information for the corresponding group. However this is not a problem, you can add all the necessary users and groups back to the local administrator group (such as Domain\DomainAdmins) using the same steps. You will have granular control over users and computers by using different GPOs.

Once you have Restricted Groups working, changing the password of a user with local admin rights is easily accomplished in Active Directory Users and Computers. I recommend SAMJEETM to create a test OU with at least one test computer and apply the group policy there before deploying the policy to production to get a feel for how this works.

You can always toggle your changes on or off by enabling or disabling the GPO.
0
 
Netman66 commented:
Huh?

Restricted Groups has 2 functions:

1)  Enforce membership in Security Groups.
2)  Adding groups to other groups.

There is no mechanism in place to change the local Admin password using Restricted Groups.

That article clearly does NOT state you can change passwords.  

0
 
reubstr commented:
Netman66 has the change password piece for sure.

But for now, you would have to use local "administrator" password. You could however, rename it at the very least.

Just remember, plain text... be careful.
0
 
reubstr commented:
Here is a script to do it...
' This Script was created by Alex Biliski to add a specified Domain user or group
' to the Administrators local group on whatever computer this script is assigned
' to via a GPO in Active Directory (as a computer startup script)
 
' declare variables
Dim Net
Dim Shell
Dim LocalGrp
Dim DomGrp
Dim Dom
Dim Username
Dim WSName
Dim Domain
Dim bLocalAdmin
Dim bAdminDirectlyAdded
 
'Initialize as a non-administrator
bLocalAdmin=False
bAdminDirectlyAdded=False
 
Set Shell=WScript.CreateObject("WScript.Shell")
Set Net=WScript.CreateObject("WScript.Network") 'get workstation network config
 
Username="IT"  'set the user or group to add
WSName=Net.ComputerName          'set workstation name
Domain="DOMAINNAME"
 
Set LocalGrp = GetObject("WinNT://"&WSName&"/Administrators") 'enter the local group
'Get the local administrator group object (ADSI)
 
'Check if the username is added directly to the local admin group
For Each LocalObj in LocalGrp.Members
 If LCase(Username) = LCase(LocalObj.Name) Then bLocalAdmin=True 
Next
 
If bLocalAdmin=False Then
  'Get the Domain Admins global group object (ADSI)
  Set DomGrp = GetObject("WinNT://" & Domain & "/Domain Admins,group")
 
  'Check if the username is added directly to the GLOBAL admin group
  For Each GlobalObj in DomGrp.Members
    If LCase(Username) = LCase(GlobalObj.Name) Then
      bLocalAdmin=True
      bAdminDirectlyAdded=True
    End If
  Next
End If
 
' Add the user to the local Administrators group
If bLocalAdmin=False Then
  set group = GetObject("WinNT://"&WSName&"/Administrators") 'enter the local group
  'adds the group.
  group.Add "WinNT://"& Domain &"/"& Username &""
End If


0
