Solved

Unique Local Admin Account Password for each Workstation/Server

Posted on 2009-07-01
Last Modified: 2012-06-21
I am using Group Policy Preferences to create a local user on each workstation (let's call it USERA), and want to assign a unique password per machine.  

I would like to somehow via script or another method, have a unique password set per machine, and have this password written to a UNC path.  I would also like this password to be automatically changed at an interval of 80 days, and have the file at the UNC path updated but maintain a password history.  Such as machinea.txt will retain the password history of the account for troubleshooting purposes if necessary.

Also, it would be nice if this change can be initiated somehow, in case we need to provide the password on a temp basis to a user. After that need has passed, we can run the script to have the password changed and the file at the UNC path updated.

Users are not local admins, and the OS will be Vista/XP
Question by:rosederekj
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24772510

A logon script is out because the user would need permission, and they would then have access to the password store. However, you could probably do it with a computer startup script.

You could write the date the password was set to an attribute on the computer account in AD (perhaps give "Domain Computers" rights to update the "comment" field on all computer accounts; that would be quite harmless).

The manual change would be easy enough, but it would be a separate script.

Chris
 

Author Comment

by:rosederekj
ID: 24772589
Sounds good and I agree that a login script is out.  Do you have any suggestions for the script code itself as a computer startup item?
 

Author Comment

by:rosederekj
ID: 24772726
This is actually almost perfect -

http://heidelbergit.blogspot.com/2009/05/unique-passwords-on-local-useraccounts.html

that script is a login script, and doesn't seem to work with Vista. However, it does meet all other requirements.  If you could please provide assistance in changing this from a login to a startup, I think that would work.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 24772728

Sure.

Let's see... haven't tested this... and it's Friday afternoon so you'll have to excuse any glaring errors ;)

Feel free to insert your own password generator, this one is mine, it makes evil passwords for me.

Chris
Option Explicit

' Where to put the file with the password in
Const FILE_STORE = "\\Server\Share\"
' How often passwords should be reset in days
Const RESET_RATE = 80

Function GenerateRandomPassword
  ' Length of password to generate
  Const PASSWORD_LENGTH = 10
  ' Number of character groups required from arrCharSets (maximum 4)
  Const REQ_CHAR_SETS = 3

  Dim arrCharSets : arrCharSets = Array( _
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ", _
              "abcdefghijklmnopqrstuvwxyz", _
              "0123456789", _
              "!$%^&*(){}[]-=_+,.<>'#@~/\?|")

  ' Option Explicit requires every variable, including the loop locals, to be declared
  Dim i, strCharSet, strPassword, strHasSet
  Dim booIsComplex : booIsComplex = False
  strPassword = "" : strHasSet = ""

  Do Until booIsComplex = True And Len(strPassword) >= PASSWORD_LENGTH
    ' Pick a character set; Int() keeps the index within 0..UBound
    Randomize
    i = Int((UBound(arrCharSets) + 1) * Rnd)
    strCharSet = arrCharSets(i)

    If booIsComplex = False And InStr(strHasSet, CStr(i)) > 0 And _
        Len(strPassword) < (PASSWORD_LENGTH - Len(strHasSet)) Then
      ' Ignore this set. Looping for this condition
    Else
      If InStr(strHasSet, CStr(i)) = 0 Then strHasSet = strHasSet & CStr(i)
      If Len(strHasSet) >= REQ_CHAR_SETS Then booIsComplex = True

      ' Pick a character from the set (Mid is 1-based, so the index is 1..Len)
      Randomize
      i = Int(Len(strCharSet) * Rnd) + 1
      strPassword = strPassword & Mid(strCharSet, i, 1)
    End If
  Loop

  GeneratePassword = strPassword
End Function

'
' Main code
'

Dim objADSysInfo : Set objADSysInfo = CreateObject("ADSystemInfo")
Dim objComputer : Set objComputer = GetObject("LDAP://" & objADSysInfo.ComputerName)
Dim strComputerName : strComputerName = objComputer.Get("name")

' Get the time the password was last set from AD; default to 1601 if it was never set
Dim dtmLastSet : dtmLastSet = DateSerial(1601, 1, 1)
On Error Resume Next
dtmLastSet = CDate(objComputer.Get("comment"))
On Error Goto 0

' If that's more than RESET_RATE days ago
If dtmLastSet < Date - RESET_RATE Then
  ' Make a password
  Dim strNewPassword : strNewPassword = GenerateRandomPassword

  ' Connect to the Administrator account on the local machine
  Dim objAdmin : Set objAdmin = GetObject("WinNT://./Administrator")
  ' Set a new password
  objAdmin.SetPassword strNewPassword

  ' Create a text file with the password in FILE_STORE
  Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
  Dim objFile
  Set objFile = objFSO.OpenTextFile(FILE_STORE & strComputerName & ".txt", 2, True, 0)
  objFile.WriteLine strNewPassword
  objFile.Close

  ' Write the change date back to AD
  objComputer.Put "comment", CStr(Now)
  objComputer.SetInfo
End If

 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24772745

heh see I did include a glaring error... fixed here...

Chris
Option Explicit

' Where to put the file with the password in
Const FILE_STORE = "\\Server\Share\"
' How often passwords should be reset in days
Const RESET_RATE = 80

Function GenerateRandomPassword
  ' Length of password to generate
  Const PASSWORD_LENGTH = 10
  ' Number of character groups required from arrCharSets (maximum 4)
  Const REQ_CHAR_SETS = 3

  Dim arrCharSets : arrCharSets = Array( _
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ", _
              "abcdefghijklmnopqrstuvwxyz", _
              "0123456789", _
              "!$%^&*(){}[]-=_+,.<>'#@~/\?|")

  ' Option Explicit requires every variable, including the loop locals, to be declared
  Dim i, strCharSet, strPassword, strHasSet
  Dim booIsComplex : booIsComplex = False
  strPassword = "" : strHasSet = ""

  Do Until booIsComplex = True And Len(strPassword) >= PASSWORD_LENGTH
    ' Pick a character set; Int() keeps the index within 0..UBound
    Randomize
    i = Int((UBound(arrCharSets) + 1) * Rnd)
    strCharSet = arrCharSets(i)

    If booIsComplex = False And InStr(strHasSet, CStr(i)) > 0 And _
        Len(strPassword) < (PASSWORD_LENGTH - Len(strHasSet)) Then
      ' Ignore this set. Looping for this condition
    Else
      If InStr(strHasSet, CStr(i)) = 0 Then strHasSet = strHasSet & CStr(i)
      If Len(strHasSet) >= REQ_CHAR_SETS Then booIsComplex = True

      ' Pick a character from the set (Mid is 1-based, so the index is 1..Len)
      Randomize
      i = Int(Len(strCharSet) * Rnd) + 1
      strPassword = strPassword & Mid(strCharSet, i, 1)
    End If
  Loop

  GenerateRandomPassword = strPassword
End Function

'
' Main code
'

Dim objADSysInfo : Set objADSysInfo = CreateObject("ADSystemInfo")
Dim objComputer : Set objComputer = GetObject("LDAP://" & objADSysInfo.ComputerName)
Dim strComputerName : strComputerName = objComputer.Get("name")

' Get the time the password was last set from AD; default to 1601 if it was never set
Dim dtmLastSet : dtmLastSet = DateSerial(1601, 1, 1)
On Error Resume Next
dtmLastSet = CDate(objComputer.Get("comment"))
On Error Goto 0

' If that's more than RESET_RATE days ago
If dtmLastSet < Date - RESET_RATE Then
  ' Make a password
  Dim strNewPassword : strNewPassword = GenerateRandomPassword

  ' Connect to the Administrator account on the local machine
  Dim objAdmin : Set objAdmin = GetObject("WinNT://./Administrator")
  ' Set a new password
  objAdmin.SetPassword strNewPassword

  ' Create a text file with the password in FILE_STORE
  Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
  Dim objFile
  Set objFile = objFSO.OpenTextFile(FILE_STORE & strComputerName & ".txt", 2, True, 0)
  objFile.WriteLine strNewPassword
  objFile.Close

  ' Write the change date back to AD
  objComputer.Put "comment", CStr(Now)
  objComputer.SetInfo
End If

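A PowerShell version of the same startup-script design, added here as an example; it is not Chris Dent's code or anything posted in the thread. It keeps the accepted solution's structure (the computer object's "comment" attribute as the last-set marker, a per-machine text file on a share, a reset interval in days) and adds what the question itself asks for plus what a reviewer would want changed in the VBScript: passwords come from the OS CSPRNG (RNGCryptoServiceProvider) rather than Rnd, the required number of character classes is guaranteed by construction instead of by a retry loop, the per-machine file is appended to with a timestamp so it keeps the password history, the new password is written to the share before the account is changed so a failed share write cannot leave a machine with an unrecorded password, and -Force rotates on demand after a password has been handed out temporarily. The share path, the account name, the 14-character length, the OU in the dsacls line and PowerShell 2.0 or later are all assumptions.

```powershell
# Added example (not the thread's own code): computer-startup script that rotates a
# local account's password on a schedule, records it to a per-machine history file
# on a share, and stamps the computer object's "comment" attribute with the set time.
# Assumed prerequisite: the computer account can write its own "comment" attribute,
# e.g. (hypothetical OU) dsacls "OU=Workstations,DC=example,DC=com" /I:S /G "NT AUTHORITY\SELF":WP;comment;computer
param(
    [string]$FileStore    = '\\Server\Share',   # assumed share: writable by computer accounts, no user access
    [string]$AccountName  = 'Administrator',    # local account to rotate (USERA in the question)
    [int]   $ResetRate    = 80,                 # days between rotations
    [int]   $Length       = 14,                 # assumed length
    [int]   $RequiredSets = 3,                  # character classes that must appear
    [switch]$Force                              # rotate now, e.g. after a temporary hand-out
)

# Same four classes as the VBScript; quote and backslash dropped to keep the history file simple.
$charSets = @('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz',
              '0123456789', '!$%^&*(){}[]-=_+,.<>#@~/?|')

# Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias.
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
function Get-RandomIndex([uint32]$Max) {
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
    do {
        $rng.GetBytes($bytes)
        $n = [BitConverter]::ToUInt32($bytes, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-RandomPassword([int]$Length, [int]$RequiredSets) {
    # One character from each of $RequiredSets distinct, randomly chosen sets guarantees the
    # complexity rule; the remainder comes from the union; a shuffle hides the class order.
    $chosen = @()
    while ($chosen.Count -lt $RequiredSets) {
        $i = Get-RandomIndex $charSets.Count
        if ($chosen -notcontains $i) { $chosen += $i }
    }
    $chars = @()
    foreach ($i in $chosen) {
        $set = $charSets[$i]
        $chars += $set[(Get-RandomIndex $set.Length)]
    }
    $all = $charSets -join ''
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    for ($j = $chars.Count - 1; $j -gt 0; $j--) {          # Fisher-Yates shuffle
        $k = Get-RandomIndex ($j + 1)
        $t = $chars[$j]; $chars[$j] = $chars[$k]; $chars[$k] = $t
    }
    return -join $chars
}

# Locate this machine's computer object (runs as SYSTEM at startup, i.e. as the computer account).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result = $searcher.FindOne()
if (-not $result) { Write-Error "Computer object for $env:COMPUTERNAME not found."; exit 1 }
$computer = $result.GetDirectoryEntry()

# Last-set marker from "comment"; stays at MinValue when the attribute is empty or malformed.
$lastSet = [datetime]::MinValue
$marker  = [string]($computer.Properties['comment'].Value)
$null = [datetime]::TryParse($marker, [ref]$lastSet)

if (-not ($Force -or ($lastSet -lt (Get-Date).AddDays(-$ResetRate)))) {
    Write-Host "Password for $AccountName last set $lastSet; not due."
    exit 0
}

$newPassword = New-RandomPassword $Length $RequiredSets
$stamp       = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
$historyFile = Join-Path $FileStore ($env:COMPUTERNAME + '.txt')

# 1. Record first: one dated line per rotation is the history the question asks for.
try {
    Add-Content -Path $historyFile -Value ("{0}`t{1}`t{2}" -f $stamp, $AccountName, $newPassword) -ErrorAction Stop
} catch {
    Write-Error "Could not write $historyFile; password left unchanged. $_"
    exit 1
}

# 2. Then change the local account password (ADSI WinNT provider, available on XP/Vista).
$account = [ADSI]"WinNT://./$AccountName,user"
$account.SetPassword($newPassword)
$account.SetInfo()

# 3. Finally stamp the computer object so the next startup knows when it was last set.
$computer.Properties['comment'].Value = (Get-Date).ToString('o')
$computer.CommitChanges()
```

Deploy it as a computer startup script so the share write is made by the computer account; the history file holds passwords in clear, so the share ACL should grant computer accounts write and users nothing, which is the same reason a logon script was ruled out above. Granting write on the "comment" attribute to NT AUTHORITY\SELF instead of Domain Computers lets each machine stamp only its own object. For the temporary hand-out case, run the script with -Force as an administrator once the need has passed.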
 

Author Comment

by:rosederekj
ID: 24773317
Hmm, not bad. I got a few errors when trying to run the script. As is, after modifying the path, I got:

Line 37, Char 4, Error of Expected Statement code 800A0400

Commenting that out, I then get

Line 52, Char 18, Wrong number of arguments or invalid property assignment:  'Date'
Code:  800A01C2

Then I got a few other errors about line 23 variable "i" being undefined.

Is this occurring because we are switching from checking against a local .txt file date and time stamp vs. updating AD? The local file is sufficient and I don't necessarily need the info stored in AD.
 

Author Closing Comment

by:rosederekj
ID: 31598713
I was able to get this to work, thanks!
