SAMJEETM (United Arab Emirates) asked:
Is it possible to configure a common password for all local administrator accounts in a Windows 2000 domain?

Is it possible to configure a domain-wide common password for all local administrator accounts in a Windows 2000/2003 domain?

So that all local administrator passwords will become the same and the administrator will be able to change all of them at one time if required.

Any way to do this through group policy?
Malli Boppe (Australia):

There is a way, but it isn't managed at a domain level because the domain isn't aware of the local user accounts. The way to do it is on every machine that goes out (I did it in the image): create a user like admin001. Set the password.

Voila... But I don't have a solution to do it across a domain.
Yes! You need to use Group Policy to configure Restricted Groups

Create a new user in AD Users and Computers
Create a GPO and navigate to
Computer Configuration\Windows Settings\Restricted Groups\
Right click, Add Group
Browse and add the Administrators group
Add your Username that you created before to the Administrators group

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Sorry goban, a couple of things. This will wipe out all other groups in Administrators.

Also, this doesn't change any passwords.

Also, SAMJEETM didn't say he had a username before.

SamJeetm, it is recommended you rename the local administrator account through GPO and create a dumb user named administrator. Reason, for example: all XP machines from the factory have the same SID for Administrator. Everyone knows that account exists on a machine, and can spoof the SID, giving full access to the machine.

You can change the password of administrator:
- Create a batch file containing the following command:
net user Administrator <yourpassword>
- Save it as .bat
- Put it in the startup script [Computer Configuration] in a newly created GPO. Link this GPO to all OUs except the domain level and the Domain Controllers OU.
Notes:
1) The password in the .bat file will be plain text. It's better to use 3rd-party software to encrypt this file [convert it to an exe] so that no one will see the password.
2) It's not recommended to use the same password for desktops and servers.
Don't use Restricted Groups - this has nothing to do with changing passwords.

This article explains how to do it:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;272530

You can modify the script to use a variable for the computername that is read from a text file then loop through the command until it's complete.

It's relatively simple.
ASKER CERTIFIED SOLUTION by goban (United States of America)
Huh?

Restricted Groups has 2 functions:

1)  Enforce membership in Security Groups.
2)  Adding groups to other groups.

There is no mechanism in place to change the local Admin password using Restricted Groups.

That article clearly does NOT state you can change passwords.  

Netman66 has the change password piece for sure.

But for now, you would have to use local "administrator" password. You could however, rename it at the very least.

Just remember, plain text... be careful.
Here is a script to do it...
' This script was created by Alex Biliski to add a specified domain user or group
' to the Administrators local group on whatever computer this script is assigned
' to via a GPO in Active Directory (as a computer startup script)

' declare variables
Dim Net
Dim LocalGrp
Dim DomGrp
Dim LocalObj
Dim GlobalObj
Dim Username
Dim WSName
Dim Domain
Dim bLocalAdmin
Dim bAdminDirectlyAdded

' Initialize as a non-administrator
bLocalAdmin = False
bAdminDirectlyAdded = False

Set Net = WScript.CreateObject("WScript.Network") ' get workstation network config

Username = "IT"            ' set the domain user or group to add
WSName = Net.ComputerName  ' set workstation name
Domain = "DOMAINNAME"      ' NetBIOS name of the domain that holds Username

' Get the local Administrators group object (ADSI WinNT provider)
Set LocalGrp = GetObject("WinNT://" & WSName & "/Administrators")

' Check if the username is already a direct member of the local Administrators group
For Each LocalObj In LocalGrp.Members
  If LCase(Username) = LCase(LocalObj.Name) Then bLocalAdmin = True
Next

If bLocalAdmin = False Then
  ' Check if the username is a member of Domain Admins, which is normally
  ' already in the local Administrators group, so no direct add is needed
  Set DomGrp = GetObject("WinNT://" & Domain & "/Domain Admins,group")

  For Each GlobalObj In DomGrp.Members
    If LCase(Username) = LCase(GlobalObj.Name) Then
      bLocalAdmin = True
      bAdminDirectlyAdded = True
    End If
  Next
End If

' Add the user or group to the local Administrators group if it is not there yet
If bLocalAdmin = False Then
  LocalGrp.Add "WinNT://" & Domain & "/" & Username
End If

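The thread recommends renaming the built-in Administrator account and enforcing local Administrators membership, but gives no way to verify that either actually happened on every machine. Below is an added audit script (not from the thread or any poster) that reads the same ADSI WinNT provider the VBScript uses: it finds the built-in account by its RID 500 (which survives a rename) and flags unexpected members of local Administrators. The computer list path and the expected member names are assumed placeholders.

```powershell
# Added audit example (not from the thread): for each computer in a text file,
# report the real name of the built-in Administrator account (SID ending in -500)
# and any members of the local Administrators group that are not expected.
# Assumptions (placeholders): C:\Scripts\computers.txt holds one hostname per
# line, and DOMAINNAME\IT is the group the startup script should have added.

$ComputerListFile = 'C:\Scripts\computers.txt'
$ExpectedMembers  = @('Administrator', 'Domain Admins', 'IT')   # compared case-insensitively

function Get-LocalAdminAudit {
    param([string]$Computer)

    # Locate the built-in administrator by RID 500 rather than by its (renamable) name.
    $machine = [ADSI]"WinNT://$Computer"
    $builtin = $machine.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object {
            $sidBytes = $_.psbase.Properties['objectSid'].Value
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            $sid.Value.EndsWith('-500')
        } | Select-Object -First 1

    # Enumerate local Administrators; the WinNT COM members need InvokeMember to read Name.
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $unexpected = $members | Where-Object { $ExpectedMembers -notcontains $_ }

    [pscustomobject]@{
        Computer         = $Computer
        BuiltinAdminName = $builtin.Name
        AdminRenamed     = ($builtin.Name -ne 'Administrator')
        Members          = ($members -join '; ')
        Unexpected       = ($unexpected -join '; ')
    }
}

Get-Content $ComputerListFile | ForEach-Object {
    $c = $_
    try   { Get-LocalAdminAudit -Computer $c }
    catch { [pscustomobject]@{ Computer = $c; Error = $_.Exception.Message } }
} | Format-Table -AutoSize
```

Run it from an account that has administrative rights on the target machines; any row with a non-empty Unexpected column or AdminRenamed = False is a machine where the GPO did not take effect.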