Is it possible to configure a common password for all local administrator accounts in a Windows 2000 domain?

Is it possible to configure a domainwide common password for all local administrator accounts in a Windows 2000/2003 domain?

So that all local administrators' passwords will become the same and the administrator will be able to change all of them at one time if required.

Any way to do this through group policy?

Malli Boppe commented:
There is a way, but it isn't managed at a domain level because the domain isn't aware of the local user accounts. The way to do it is on every machine that goes out (I did it in the image), create a user like admin001. Set the password.

Voilà... But I don't have a solution to do it across a domain.

Yes! You need to use Group Policy to configure Restricted Groups

Create a new user in AD Users and Computers
Create a GPO and navigate to
Computer Configuration\Windows Settings\Restricted Groups\
Right click, Add Group
Browse and add the Administrators group
Add your Username that you created before to the Administrators group

Sorry goban, a couple of things. This will wipe out all other groups in Administrators.

Also, this doesn't change any passwords.

Also, SAMJEETM didn't say he had a username before.

SamJeetm, it is recommended you rename the local administrator account through GPO, and create a dumb user named administrator. Reason, Example: all XP machines from the factory have the same SID for Administrator. Everyone knows that account exists on a machine, and can spoof the SID. Giving full access to the machine.

You can change the password of the administrator:
- Create a batch file containing the following command:
net user Administrator <yourpassword>
- Save it as .bat
- Put it in the Startup script [computer configuration] in a newly created GPO. Link this GPO to all OUs except the domain level and the Domain Controllers OU.
1) The password in the .bat file will be plain text. It's better to use 3rd party software to encrypt this file [convert it to exe] so that no one will see the password.
2) It's not recommended to use the same password for desktops and servers.
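
An added example, not part of the original thread: a small audit script that finds the plaintext-password problem noted above by scanning startup-script text for `net user <account> <password>` lines. The function name and the sample script are constructed for illustration, and the report carries only the password's length, never its value.

```python
import re

# Matches "net user", "net.exe user" and "net1 user" anywhere on a line.
NET_USER = re.compile(r'\bnet1?(?:\.exe)?\s+user\b(.*)', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample of a GPO startup script (not taken from the thread).
SAMPLE_BAT = """@echo off
rem constructed sample of a GPO startup script
net user Administrator Summer2003!
NET USER admin001 "pass phrase 1" /add
net user Administrator *
net user
:: net user Administrator OldPassw0rd
net1.exe user svc_backup /active:no
"""

def find_plaintext_net_user(script_text):
    """Return (line_number, account, password_length) for each line that
    passes a literal password to `net user`.

    Commented-out lines are reported too: a password left behind in a
    comment is just as readable to anyone who can open the file.
    """
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        match = NET_USER.search(line)
        if not match:
            continue
        # Switches such as /add, /domain or /active:no are not positional.
        args = [t.strip('"') for t in TOKEN.findall(match.group(1))
                if not t.startswith('/')]
        if len(args) < 2:
            continue            # listing or query only, no password given
        account, password = args[0], args[1]
        if password == '*':
            continue            # interactive prompt, nothing stored in the file
        findings.append((line_no, account, len(password)))
    return findings

if __name__ == "__main__":
    for line_no, account, length in find_plaintext_net_user(SAMPLE_BAT):
        print(f"line {line_no}: literal password ({length} chars) for {account}")
```

Run it over the text of every script linked from a GPO; any hit means the password should be treated as exposed to everyone who can read that policy's scripts folder.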
Don't use Restricted Groups - this has nothing to do with changing passwords.

This article explains how to do it:;EN-US;272530

You can modify the script to use a variable for the computername that is read from a text file then loop through the command until it's complete.

It's relatively simple.
I stand by what I posted earlier. SAMJEETM asked if changing (managing)  a local administrator account password could be accomplished through group policy. The link I posted clearly explains how to do this.

It is true that the rules you set in Group Policy will replace/override the local information for the corresponding group. However this is not a problem, you can add all the necessary users and groups back to the local administrator group (such as Domain\DomainAdmins) using the same steps. You will have granular control over users and computers by using different GPOs.

Once you have Restricted Groups working, changing the password of a user with local admin rights is easily accomplished in Active Directory Users and Computers. I recommend SAMJEETM to create a test OU with at least one test computer and apply the group policy there before deploying the policy to production to get a feel for how this works.

You can always toggle your changes on or off by enabling or disabling the GPO.

Restricted Groups has 2 functions:

1)  Enforce membership in Security Groups.
2)  Adding groups to other groups.

There is no mechanism in place to change the local Admin password using Restricted Groups.

That article clearly does NOT state you can change passwords.  

Netman66 has the change password piece for sure.

But for now, you would have to use local "administrator" password. You could however, rename it at the very least.

Just remember, plain text... be careful.
here is a script to do it...
' This Script was created by Alex Biliski to add a specified Domain user or group
' to the Administrators local group on whatever computer this script is assigned
' to via a GPO in Active Directory (as a computer startup script)
' declare variables
Dim Net
Dim Shell
Dim LocalGrp
Dim DomGrp
Dim Dom
Dim Username
Dim WSName
Dim Domain
Dim bLocalAdmin
Dim bAdminDirectlyAdded
'Initialize as a non-administrator
bLocalAdmin=False
Set Shell=WScript.CreateObject("WScript.Shell")
Set Net=WScript.CreateObject("WScript.Network") 'get workstation network config
Username="IT"  'set the user or group to add
Domain="YOURDOMAIN"  'placeholder: set this to your domain's NetBIOS name
WSName=Net.ComputerName          'set workstation name
'Get the local administrator group object (ADSI)
Set LocalGrp = GetObject("WinNT://"&WSName&"/Administrators") 'enter the local group
'Check if the username is added directly to the local admin group
For Each LocalObj in LocalGrp.Members
  If LCase(Username) = LCase(LocalObj.Name) Then bLocalAdmin=True
Next
If bLocalAdmin=False Then
  'Check if the username is added directly to the GLOBAL admin group
  Set DomGrp = GetObject("WinNT://" & Domain & "/Domain Admins,group")
  For Each GlobalObj in DomGrp.Members
    If LCase(Username) = LCase(GlobalObj.Name) Then
      'the script as posted takes no action here
    End If
  Next
End If
' Add the user to the local Administrators group
If bLocalAdmin=False Then
  set group = GetObject("WinNT://"&WSName&"/Administrators") 'enter the local group
  'adds the group.
  group.Add "WinNT://"& Domain &"/"& Username &""
End If
