Unique Local Admin Account Password for each Workstation/Server

I am using Group Policy Preferences to create a local user on each workstation (let's call it USERA), and want to assign a unique password per machine.  

I would like, via script or another method, to have a unique password set per machine, and have this password written to a UNC path.  I would also like this password to be automatically changed at an interval of 80 days, and have the file at the UNC path updated but maintain a password history, so that, for example, machinea.txt will retain the password history of the account for troubleshooting purposes if necessary.

Also, it would be nice if this change could be initiated somehow, in case we need to provide the password on a temporary basis to a user.  After that need has passed, we can run the script to have the password changed and the file at the UNC path updated.

Users are not local admins, and the OS will be Vista/XP.
rosederekj Asked:
Chris Dent (PowerShell Developer) Commented:

A logon script is out because the user would need permission, and they would then have access to the password store. However, you could probably do it with a computer startup script.

You could write the date the password was set to an attribute on the computer account in AD (perhaps give "Domain Computers" rights to update the "comment" field on all computer accounts; that would be quite harmless).

The manual change would be easy enough, but it would be a separate script.

Chris
0
rosederekj (Author) Commented:
Sounds good and I agree that a login script is out.  Do you have any suggestions for the script code itself as a computer startup item?
0
rosederekj (Author) Commented:
This is actually almost perfect:

http://heidelbergit.blogspot.com/2009/05/unique-passwords-on-local-useraccounts.html

That script is a login script, and doesn't seem to work with Vista. However, it does meet all other requirements.  If you could please provide assistance in changing this from a login to a startup script, I think that would work.
0
Chris Dent (PowerShell Developer) Commented:

Sure.

Let's see... haven't tested this... and it's Friday afternoon so you'll have to excuse any glaring errors ;)

Feel free to insert your own password generator; this one is mine, it makes evil passwords for me.

Chris
Option Explicit
 
' Where to put the file with the password in
Const FILE_STORE = "\\Server\Share\"
' How often passwords should be reset in days
Const RESET_RATE = 80
 
Function GenerateRandomPassword
  ' Length of password to generate
  Const PASSWORD_LENGTH = 10
  ' Number of character groups required from arrCharSets (maximum 4)
  Const REQ_CHAR_SETS = 3
 
  Dim arrCharSets : arrCharSets = Array( _
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ", _
              "abcdefghijklmnopqrstuvwzyz", _
              "0123456789", _
              "!$%^&*(){}[]-=_+,.<>'#@~/\?|")
 
  Dim booIsComplex : booIsComplex = False : Dim strHasSet
  Do Until booIsComplex = True And Len(strPassword) >= PASSWORD_LENGTH
    Randomize
    i = Round((UBound(arrCharSets)) * Rnd)
    strCharSet = arrCharSets(i)
 
    If booIsComplex = False And InStr(strHasSet, i) > 0 And _
        Len(strPassword) < (PASSWORD_LENGTH - Len(strHasSet)) Then
      ' Ignore this set. Looping for this condition
    Else
      If InStr(strHasSet, CStr(i)) = 0 Then strHasSet = strHasSet & CStr(i)
      If Len(strHasSet) >= REQ_CHAR_SETS Then booIsComplex = True
      End If
 
      Randomize
      i = Round(Len(strCharSet) * Rnd + 1)
      strPassword = strPassword & Mid(strCharSet, i, 1)
    End If
  Loop
  GeneratePassword = strPassword
End Function
 
'
' Main code
'
 
Dim objADSysInfo : Set objADSysInfo = CreateObject("ADSystemInfo")
Dim objComputer : Set objComputer = GetObject("LDAP://" & objADSysInfo.ComputerName)
 
Dim strComputerName : strComputerName = objComputer.Get("name")
 
' Get the time the password was last set from AD
Dim dtmLastSet : dtmLastSet = Date("01/01/1601 00:00:00")
On Error Resume Next
dtmLastSet = CDate(objComputer.Get("comment"))
On Error Goto 0
 
' If that's more than RESET_RATE days ago
If dtmLastSet < Date - RESET_RATE Then
  ' Make a password
  Dim strPassword : strPassword = GenerateRandomPassword
 
  ' Connect to the Administrator account on the local machine
  Dim objAdmin : Set objAdmin = GetObject("WinNT://./Administrator")
  ' Set a new password
  objAdmin.SetPassword strPassword
 
  ' Create a text file with the password in FILE_STORE
  Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
  Dim objFile
  Set objFile = objFSO.OpenTextFile(FILE_STORE & strComputerName & ".txt", 2, True, 0)
  objFile.WriteLine strPassword
 
  ' Write the change date back to AD
  objComputer.Put "comment", CStr(Now)
  objComputer.SetInfo
End If
0
Chris Dent (PowerShell Developer) Commented:

Heh, see, I did include a glaring error... fixed here...

Chris
Option Explicit
 
' Where to put the file with the password in
Const FILE_STORE = "\\Server\Share\"
' How often passwords should be reset in days
Const RESET_RATE = 80
 
Function GenerateRandomPassword
  ' Length of password to generate
  Const PASSWORD_LENGTH = 10
  ' Number of character groups required from arrCharSets (maximum 4)
  Const REQ_CHAR_SETS = 3
 
  Dim arrCharSets : arrCharSets = Array( _
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ", _
              "abcdefghijklmnopqrstuvwxyz", _
              "0123456789", _
              "!$%^&*(){}[]-=_+,.<>'#@~/\?|")
 
  ' Option Explicit requires every variable used here to be declared
  Dim i, strCharSet, strPassword, strHasSet
  Dim booIsComplex : booIsComplex = False
  strPassword = "" : strHasSet = ""
 
  ' Seed once: calling Randomize before every Rnd reseeds from the timer and
  ' can repeat the same value within one tick
  Randomize
  Do Until booIsComplex = True And Len(strPassword) >= PASSWORD_LENGTH
    ' Pick a character set (index 0 to UBound)
    i = Int((UBound(arrCharSets) + 1) * Rnd)
    strCharSet = arrCharSets(i)
 
    If booIsComplex = False And InStr(strHasSet, CStr(i)) > 0 And _
        Len(strPassword) < (PASSWORD_LENGTH - Len(strHasSet)) Then
      ' Ignore this set. Looping for this condition
    Else
      ' Single-line If statements take no End If
      If InStr(strHasSet, CStr(i)) = 0 Then strHasSet = strHasSet & CStr(i)
      If Len(strHasSet) >= REQ_CHAR_SETS Then booIsComplex = True
 
      ' Pick a character from the set (index 1 to Len, never past the end)
      i = Int(Len(strCharSet) * Rnd) + 1
      strPassword = strPassword & Mid(strCharSet, i, 1)
    End If
  Loop
  GenerateRandomPassword = strPassword
End Function
 
'
' Main code
'
 
Dim objADSysInfo : Set objADSysInfo = CreateObject("ADSystemInfo")
Dim objComputer : Set objComputer = GetObject("LDAP://" & objADSysInfo.ComputerName)
 
Dim strComputerName : strComputerName = objComputer.Get("name")
 
' Get the time the password was last set from AD. Date() takes no arguments,
' so build the "never set" sentinel with DateSerial instead
Dim dtmLastSet : dtmLastSet = DateSerial(1601, 1, 1)
On Error Resume Next
dtmLastSet = CDate(objComputer.Get("comment"))
On Error Goto 0
 
' If that's more than RESET_RATE days ago
If dtmLastSet < Date - RESET_RATE Then
  ' Make a password
  Dim strPassword : strPassword = GenerateRandomPassword
 
  ' Append the new password to the machine's file in FILE_STORE first
  ' (mode 8 = ForAppending keeps earlier passwords as the history asked for;
  ' writing before the change means a failed write never leaves an unknown password)
  Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
  Dim objFile
  Set objFile = objFSO.OpenTextFile(FILE_STORE & strComputerName & ".txt", 8, True, 0)
  objFile.WriteLine CStr(Now) & vbTab & strPassword
  objFile.Close
 
  ' Connect to the Administrator account on the local machine
  Dim objAdmin : Set objAdmin = GetObject("WinNT://./Administrator")
  ' Set a new password
  objAdmin.SetPassword strPassword
 
  ' Write the change date back to AD
  objComputer.Put "comment", CStr(Now)
  objComputer.SetInfo
End If
0
rosederekj (Author) Commented:
Hmm, not bad.  I got a few errors when trying to run the script.  As is, after modifying the path, I got:

Line 37, Char 4, Error of Expected Statement code 800A0400

Commenting that out, I then get

Line 52, Char 18, Wrong number of arguments or invalid property assignment:  'Date'
Code:  800A01C2

Then I got a few other errors about line 23 variable "i" being undefined.

Is this occurring because we are switching from checking against a local .txt file date and time stamp vs. updating AD?  The local file is sufficient and I don't necessarily need the info stored in AD.
0
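The same design as a PowerShell computer startup script, added here as an example; it is not Chris Dent's script nor a fix he posted. It keeps the thread's three pieces (a per-machine file on a share, the last-set date in the computer object's "comment" attribute, and a way to force a rotation) and avoids the three VBScript errors reported above by construction. Differences from the VBScript are deliberate: the password comes from the OS CSPRNG rather than Rnd, the file is appended to so it becomes the history the question asks for, and the record is written before the password is changed. The account name USERA is taken from the question; the share path \\Server\Share\Passwords and the round-trip date format in "comment" are assumptions.

```powershell
# Added example (not the thread's own code). Run as a GPO computer startup script,
# which executes as SYSTEM and reaches the share as the machine account.
# Assumptions: local account USERA (from the question); share path is a placeholder.
param([switch]$Force)   # -Force: rotate now, e.g. after a temporary hand-out

$AccountName = 'USERA'
$FileStore   = '\\Server\Share\Passwords'
$ResetDays   = 80
$PasswordLen = 14

# Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias.
function Get-SecureRandomInt {
    param([int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

# One character from every class, the rest from the union, then a Fisher-Yates shuffle
# so the class-guaranteed characters do not always sit at the front.
function New-RandomPassword {
    param([int]$Length = 14)
    $sets = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',   # ambiguous glyphs (I, O, l, 0, 1) left out
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!$%^&*()-_=+[]{}@#?'
    )
    $all   = -join $sets
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $sets) { $chars.Add($set[(Get-SecureRandomInt -Max $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureRandomInt -Max $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomInt -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# Locate this machine's own computer object (no ADSystemInfo COM binding quirks).
$filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $filter
$result   = $searcher.FindOne()
if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found" }
$computer = $result.GetDirectoryEntry()

# Last-set date lives in "comment", stored in round-trip ('o') format so parsing does not
# depend on the machine's locale. Missing or unparsable means "never set": rotation is due.
$lastSet = [datetime]::MinValue
$stored  = [string]$computer.Properties['comment'].Value
if ($stored) {
    [void][datetime]::TryParseExact($stored, 'o', $null, 'RoundtripKind', [ref]$lastSet)
}

if ($Force -or $lastSet -lt (Get-Date).AddDays(-$ResetDays)) {
    $newPassword = New-RandomPassword -Length $PasswordLen
    $historyFile = Join-Path $FileStore "$env:COMPUTERNAME.txt"

    # Record first, then change: if the share is unreachable the account keeps its
    # old, still-recorded password instead of getting one nobody knows.
    Add-Content -Path $historyFile -ErrorAction Stop `
        -Value ("{0}`t{1}" -f (Get-Date).ToString('o'), $newPassword)

    $user = [ADSI]"WinNT://./$AccountName,user"
    $user.SetPassword($newPassword)
    $user.SetInfo()

    $computer.Properties['comment'].Value = (Get-Date).ToString('o')
    $computer.CommitChanges()
}
```

Two operational points follow from the design rather than the code. The share is a credential store for every machine's admin account, so its ACL should let Domain Computers create and append (the startup script needs nothing more) while only the admin group can read, with no inherited access for ordinary users; and giving Domain Computers write access to the "comment" attribute is as harmless as Chris says only because the value is a date, so nothing else should be parsed from it.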
rosederekj (Author) Commented:
I was able to get this to work, thanks!
0