mcpp661 asked on

Script to change local admin password

I'm looking for a VBScript that I can configure to run as a startup script in a GPO that will change the password of all the local admin accounts in the computers in my domain. The computers are a mix of XP Professional and Windows 2000 and unfortunately, the local admin accounts are not named the same on all computers. Really, it doesn't necessarily have to be a VBScript, it can be a batch file or anything else that will work effectively. I found a setting in Group Policy to rename the local admin account, but not to reset the local admin accounts. Please help. Thank you.
VB Script, Windows Server 2003, Windows Batch

Last Comment
mcpp661

8/22/2022 - Mon
SOLUTION
rsivanandan

Log in or sign up to see answer
RobSampson

Hi, a merge of these two articles will do the job for you:

How Can I Determine if the Local Administrator Account has been Renamed on a Computer?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul05/hey0722.mspx

How Can I Change the Local Administrator Password on All My Computers?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx

Regards,

Rob.
ASKER
mcpp661

Thanks guys. Unfortunately, I noticed, in the Microsoft article on how to determine if the local admin account has been renamed, that they state that the script won't work in Windows 2000? However I can remedy that by using Group Policy to rename the admin account. The other problem is that both articles you guys linked seem to require that the script be run manually by myself. The problem I have with that is that the users I work with tend to shut down their computers even when instructed not to. That's why I would like to run the script as a startup script. After re-reading my original post I see that I failed to make that clear, so I apologize. However, it looks like I could take out several of the lines in the Microsoft script you sent me Rob and tailor it to my needs, is that correct? If I'm correct, can I just use the following lines in a startup script and will it work? What would I have to do with the "strComputer" variable? Will it work if I just remove that or do I have to use the computer name as well? If I'm correct, if I don't specify a domain or local computer name doesn't Windows assume a local account? If I need to use the computer name, how do I program VBScript to fetch the name and put it in the strComputer variable? Thanks.

    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword "x%tY7iu8%4f"
SOLUTION
fhmc

Log in or sign up to see answer
ASKER
mcpp661

Would the "net user administrator password" command work as a startup script in a GPO instead of a logon script? This way I wouldn't have to leave an admin password in a batch file? My users aren't local admins.
ASKER CERTIFIED SOLUTION
Log in to continue reading
SOLUTION
Log in to continue reading
ASKER
mcpp661

Thanks guys, and thanks to shift-3 because I was concerned about leaving a password in a script but wasn't sure what to do. I'm new to scripting and am trying to soak up as much as I can. Anyhow, I'm going to try these suggestions and see which one works best. After I do this, I'll assign points to everyone who helped me. Thank you.
ASKER
mcpp661

Shift-3, I used the Microsoft Script Encoder as you recommended, but when I executed it I got the error message shown in the attachment. The script will not run as part of a Web page, it's going to be a startup script deployed via a GPO. I tested the script unencrypted and it works just fine, however, after I encrypted it I get the error after I try to execute it. Can it be run in an encrypted state like that or must it be run unencrypted for it to work? Thanks.
error.JPG
Shift-3

I take it back.  The Script Encoder won't work for this purpose.
ASKER
mcpp661

Is there any way to encrypt this or would I have to use something to compile it into an .exe file so that snoopers can't read it?
RobSampson

OK, one other way to hide the password (although you must make sure that users cannot "write" to the script itself), is to use this:

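    ' Expect exactly one argument: the new password, passed in from the GPO parameters box
    If WScript.Arguments.Count = 1 Then
        strComputer = "."                    ' "." means the local computer
        strAdminUsername = "Administrator"
        ' Bind to the local account through the WinNT provider
        Set objUser = GetObject("WinNT://" & strComputer & "/" & strAdminUsername)
        objUser.SetPassword WScript.Arguments.Item(0)
    End If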


and then when you actually apply the script in the GPO console, you have two boxes, one for the script name, another for parameters.  You can type the password here as a parameter and the script will pick it up when it runs.

I can't find any supporting evidence to say this is *not* secure, but as long as users cannot write to the login script, they can't change it to expose the password.  I guess the only other way they could find out the password is if they were running some sort of sniffer that can identify the command line that the script ran with.....

Shift-3, thanks for the GPO path....

Regards,

Rob.
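
A caveat on the approaches in this thread: a GPO startup script and the contents of its parameters box are both stored in the policy's `Machine\Scripts` folder in SYSVOL (the parameters in `scripts.ini`), which domain members can read by default, and Script Encoder output (`.vbe`) is obfuscated rather than encrypted. The Python audit below is an added example, not code from this thread or from Microsoft; it flags startup scripts that set a password from a literal, from a GPO parameter, or from an encoded file. The script names and the password value are constructed samples.

```python
import re

# Constructed samples: a GPO scripts.ini and the scripts it references.
# File names and the password value are hypothetical, not from the thread.
SCRIPTS_INI = """[Startup]
0CmdLine=setpw.vbs
0Parameters=ExamplePassw0rd!
1CmdLine=legacy.bat
1Parameters=
2CmdLine=hello.vbs
2Parameters=
"""
SCRIPTS = {
    "setpw.vbs": "objUser.SetPassword WScript.Arguments.Item(0)\n",
    "legacy.bat": "@echo off\nnet user Administrator ExamplePassw0rd!\n",
    "hello.vbs": 'WScript.Echo "hello"\n',
}

# Any password-setting call, and the subset that embeds the value as a literal.
SETPW_ANY = re.compile(r"\.SetPassword\b|^\s*net\s+user\s+\S+\s+[^/\s]", re.I | re.M)
SETPW_LITERAL = re.compile(
    r'\.SetPassword\s+"[^"]+"|^\s*net\s+user\s+\S+\s+[^/*%\s]\S*', re.I | re.M)

def parse_scripts_ini(text):
    """Return {(section, index): {"cmdline": ..., "parameters": ...}}."""
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = re.match(r"(\d+)(CmdLine|Parameters)=(.*)$", line, re.I)
        if m and section:
            key = (section, int(m.group(1)))
            entries.setdefault(key, {})[m.group(2).lower()] = m.group(3)
    return entries

def audit(ini_text, scripts):
    """Return sorted (script, finding) pairs; secret values are never echoed."""
    findings = set()
    for entry in parse_scripts_ini(ini_text).values():
        name = entry.get("cmdline", "")
        body = scripts.get(name, "")
        if SETPW_LITERAL.search(body):
            findings.add((name, "literal password in script body"))
        if entry.get("parameters") and SETPW_ANY.search(body):
            findings.add((name, "password passed via scripts.ini Parameters"))
        if name.lower().endswith(".vbe"):
            findings.add((name, "encoded script: obfuscated, not encrypted"))
    return sorted(findings)
```

To run it against a real policy, read each `scripts.ini` and the script files it names from your own SYSVOL and pass their text to `audit()`.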
ASKER
mcpp661

Actually, shift-3's suggestion of using the Microsoft Script Encoder does work, I just wasn't smart enough to realize that the output file needed to have a .vbe extension and not a .vbs extension. However, it's always good to know how to do something more than once. I'm going to close this problem and accept multiple solutions because I learned something from each of you. Thank you everyone.
RobSampson

OK, yeah, forgot the VBE thing....I've been stung by that before too!

Rob.
ASKER
mcpp661

All solutions and responders were very helpful to me in this issue.