Group Policy Startup Script to Change Administrators Password

Last Modified: 2012-05-06
I wish to create a startup script to change the local administrator's password on all the workstations in the building.  I wish to use

net user administrator newpassword

I don't want users to be able to see or get at the password.  How can I accomplish this without them seeing it?

Thanks

Don, Network Administrator
CERTIFIED EXPERT

Commented:
Here's a script that you can use instead of a logon script   :-)

'==========================================================================
'
' NAME:        Local Admin Password Change.vbs    
'
' AUTHOR:    Gene Magerr
' EMAIL:    genemagerr@hotmail.com
'
' COMMENT:    This script will change the local administrators password
'            on all of the computers in the c:\servers.txt file.
'
' VERSION HISTORY:
' 1.0   01/17/2008  Initial release
' 1.1   01/24/2008    Did some work on the formatting in email.
'
'==========================================================================
Option Explicit
On Error Resume Next
'==========================================================================
' VARIABLE DECLARATIONS
'==========================================================================
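' objUsers must be declared too: with Option Explicit an undeclared name is a runtime
' error that On Error Resume Next would silently skip, leaving the WMI query unset.
Dim objShell, objNetwork, objFSO, TestMode, strPassword, objTextFile
Dim strComputers, arrComputer, strComputer, objUser, objUsers, arrComputers
Dim objMessages, objMessage, objEmail, strMessage, AdminName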
 
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FilesystemObject")
 
'==========================================================================
' STATIC VARIABLE ASSIGNMENTS
'==========================================================================
Const FOR_READING = 1, FOR_WRITING = 2, FOR_APPENDING = 8
 
'==========================================================================
' MAIN SCRIPT CODE
'==========================================================================
strPassword = InputBox("Please enter a new password:", "Local administrators password change.")
 'Check that user entered a password
If strPassword = "" Then
    WScript.Quit
End If
 
If Not objFSO.FileExists("c:\messages.txt") Then
objFSO.CreateTextFile("c:\messages.txt")
End If
 
Set objMessages = objFSO.OpenTextFile("c:\messages.txt", 2)
Set objTextFile = objFSO.OpenTextFile("c:\servers.txt", 1)
objMessages.WriteLine(Now & vbTab & "Starting script..." & vbCrLf)
 
strComputers = objTextFile.ReadAll
objTextFile.Close
 
arrComputers = Split(strComputers, vbCrLf)
    
 'Enumerate each server in the text file
For Each strComputer In arrComputers
 
If Len(strComputer) > 0 Then

    On Error Resume Next
    Err.Clear        ' Drop any error left over from the previous computer
    AdminName = ""   ' Do not reuse the account name found on the previous computer

    ' Find the built-in Administrator by its SID (ends in -500), so a renamed account is still found
    Set objUsers = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2").ExecQuery( _
        "Select Name, SID from Win32_UserAccount WHERE Domain = '" & strComputer & "'")

    For Each objUser In objUsers
        If Left(objUser.SID, 9) = "S-1-5-21-" And Right(objUser.SID, 4) = "-500" Then
            AdminName = objUser.Name
            Exit For
        End If
    Next

    'Connect to Administrator account on server using WinNT provider
    Set objUser = GetObject("WinNT://" & strComputer & "/" & AdminName & ",user")

    'Check if we connected to the user object successfully
    If Err.Number <> 0 Then
        'Log the error & clear it (On Error Goto 0 is not used here: it would reset Err before it is logged)
        objMessages.WriteLine Now & vbTab & "Unable to connect to Administrator user object on server " & strComputer
        objMessages.WriteLine "Error #" & Err.Number
        objMessages.WriteLine "Error Message : " & Err.Description
        objMessages.WriteLine "========================================================================"
        Err.Clear
    Else

        'Change the password
        objUser.SetPassword strPassword
        objUser.SetInfo ' Save Changes

        If Err.Number <> 0 Then
            'Log the error & clear it
            objMessages.WriteLine Now & vbTab & "Unable to change the Administrator password on server " & strComputer
            objMessages.WriteLine "Error #" & Err.Number
            objMessages.WriteLine "Error Message : " & Err.Description
            objMessages.WriteLine "========================================================================"
            Err.Clear
        Else
            objMessages.WriteLine Now & vbTab & "Password successfully changed on: " & strComputer
            objMessages.WriteLine "========================================================================"
        End If
    End If
End If
Next
 
objMessages.WriteLine vbCrLf & Now & vbTab & "Ending script..."
objMessages.Close
 
Set objMessages = objFSO.OpenTextFile("c:\messages.txt", 1)
strMessage = objMessages.ReadAll
objMessages.Close
 
'WScript.Echo strMessage
 
Set objEmail = CreateObject("CDO.Message")
objEmail.Sender = "sysadmins@rand.org"
objEmail.To = "gmagerr@rand.org"
objEmail.Subject = "Local Administrators Password Change Results"
 
'objEmail.TextBody = objEmail.TextBody & "This is the password I was prompted for. " & strPassword & vbCrLf & vbCrLf
objEmail.TextBody = objEmail.TextBody & strMessage
objEmail.TextBody = objEmail.TextBody & "Script ran on " & Date()
 
objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.rand.org"
objEmail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
'objEmail.CC = "engay@rand.org"
 
objEmail.Send
Set objEmail = Nothing
 
'==========================================================================
' SUBS AND FUNCTIONS
'==========================================================================


CERTIFIED EXPERT
Top Expert 2013
Commented:
Have you used group policy preferences yet?  You can do it that way and the passwords are encrypted.  More on that feature here:
http://www.frickelsoft.net/blog/?p=116
 
So a couple years ago this same issue was discussed over at the activedir.org list.
http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/20928/view/topic/Default.aspx
One of my all time favorite discussions there; lots of great info from some of the top AD guys.
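
Added example, not part of the original thread or of either expert's code: a startup script and a Group Policy Preferences item both end up as files under SYSVOL, which domain accounts can read, so this PowerShell audit flags `net user` lines that carry a literal password and GPP XML with a non-empty `cpassword` attribute. The function name `Find-PolicyShareCredential` and the sample files are constructed for illustration.

```powershell
# Added audit example; the function name and the sample files below are constructed.
function Find-PolicyShareCredential {
    param([Parameter(Mandatory)][string]$Path)   # folder to audit, e.g. a copy of the SYSVOL Policies tree

    # "net user <account> <password>" with a literal second argument.
    # "*" (interactive prompt) and switches such as /add or /active:no are not passwords.
    $netUser = '(?i)\bnet(?:\.exe)?\s+user\s+("[^"]+"|\S+)\s+(?![*/])\S+'
    # Group Policy Preferences items keep a stored password in a non-empty cpassword attribute.
    $gpp = '(?i)\bcpassword\s*=\s*"[^"]+"'

    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1, *.xml |
        ForEach-Object {
            $file = $_
            if ($file.Extension -eq '.xml') { $pattern = $gpp; $finding = 'GPP cpassword attribute' }
            else { $pattern = $netUser; $finding = 'net user with literal password' }

            Select-String -Path $file.FullName -Pattern $pattern | ForEach-Object {
                # Report location only; the matched text is deliberately not copied into the output.
                [pscustomobject]@{
                    File    = $file.FullName
                    Line    = $_.LineNumber
                    Finding = $finding
                }
            }
        }
}

# Constructed sample share: a startup script using the command from the question,
# a GPP-style XML item, and a script that uses the interactive prompt form.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('sysvol-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content (Join-Path $demo 'startup.bat') "@echo off`r`nnet user administrator newpassword"
Set-Content (Join-Path $demo 'Groups.xml')  '<Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER"/>'
Set-Content (Join-Path $demo 'prompt.cmd')  'net user administrator *'

Find-PolicyShareCredential -Path $demo | Format-Table -AutoSize
Remove-Item $demo -Recurse -Force
```
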
 

Irwin W. There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT

Commented:
You can also use the netdom command and create a batch file like this:
  1. create a text file containing all of the computers you want to perform the task on remotely
  2. use the following command below to rename the computers
  3. For a full explanation of the netdom command, go here http://support.microsoft.com/kb/298593

FOR /F %1 IN (userlist.txt) do "netdom userd:domainname\administrator_id  /passwordd:* /usero:local_admin*


Author

Commented:
mkline71,

Good info.  I will try it.  Question:  I have renamed the local administrator accounts so although through the above I can only select administrator will it still work on the renamed account?
CERTIFIED EXPERT
Top Expert 2013

Commented:
It should still work because even though you renamed the account the SID is the same.  I'll try and test it out tomorrow to verify for you.
Thanks
Mike

Author

Commented:
MKLINE71,

I was not able to get it to do anything on my XP SP3 test box.  Any idea why?  I made other changes in the same GP and they were applied.
CERTIFIED EXPERT
Top Expert 2013

Commented:
No, not sure, so only the SP3 box is having issues?  It worked fine on the SP2 boxes?