  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 738

Reset local admin accounts with unique passwords on 40 servers

I have a list (could be text or excel) of 40 servers on one domain, along with the current and new local admin passwords for each server.  I need to reset the local machine admin password on each server.  Each password will be unique to that specific server.

I'm looking for a batch script or utility that can connect to each server, change the password, and log a file with the results (showing servername, whether the password was reset, and if so, what the new password is).
0
Steve
Asked:
1 Solution
 
OsmozeCommented:
You can build your script based on this article:

http://technet.microsoft.com/fr-fr/library/bb742536(en-us).aspx

It's for Win 2000 but still valid for any Win server!

Also, this is another way to achieve this. If you need more explanation, you're welcome.

 Create a batch file pass.bat (or whatever) with the content

 net user administrator %1 (%1 describes the first entry in the parameter
 field)

 OR

 net user %1 %2 (you also can use %1 %2 and add "Username Password" in the
 parameter field (be aware of the space))

 Add this file via GPO to the Default domain policy > Computer configuration > Windows settings > Scripts, STARTUP script, and set the parameter with the new parameters you like to use. The next time the workstation starts up in the domain, the local admin password gets changed.
 The password will only be visible to your domain admins, not to the normal user, even if he has adminpak installed. He cannot open the GPO as a normal user.
0
 
xylogCommented:
Addusers can do this with a simple for loop:

AddUsers Automates Creation of a Large Number of Users -> http://support.microsoft.com/kb/199878

for /f %i in (servers.txt) do addusers /c users.txt \\%i

where users.txt looks like this:

[Users]
User Name,Full name, Password, Description, HomeDrive, Homepath, Profile, Script
0
 
canaliCommented:
Osmoze: If your users are expert enough, ANY AUTHENTICATED USER can see the SYSVOL folder where pass.bat and the scripts.ini with the password inside reside! Parameters are saved inside this ini... Usually GPO folders are visible to "Authenticated Users", and this is true for the folder and files of the "Default domain policy" too!

My advice is to read the article above carefully and pay attention to folder and file permissions:
 
"If you assign your permissions correctly and remove the Authenticated Users group's Read and Apply Group Policy permissions as "Adding Startup Scripts to GPOs" describes, GPO Administrators will be the only users who can access the password."


Another way to change the local admin pwd, using psexec:
::changeLApwd.cmd
:: limitation: some characters aren't permitted in a password inside a batch file
:: Attention: e.g. with My New Password the new admin password will be My
:: e.g. with %My%%NewPass%word the password will be word
:: $Z0rr0!0RR0z will be $Z0rr0!0RR0z
for /f %%S in ('type servers.txt') do psexec \\%%S net user administrator myNewPassword
::end batch

Bye Gastone
0
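The exposure canali describes can be checked from any domain-joined machine. The following PowerShell is an added example, not part of any post in this thread: it parses each GPO's scripts.ini and reports scripts that carry a Parameters value, without printing the value. The SYSVOL path is a placeholder and the function name Get-ScriptParameters is hypothetical.

```powershell
# Added example: report GPO scripts whose Parameters field is populated.
# Assumption: $PoliciesPath is a placeholder for \\<domain>\SYSVOL\<domain>\Policies.
param(
    [string]$PoliciesPath = '\\example.local\SYSVOL\example.local\Policies'
)

# Hypothetical helper: parse the lines of one scripts.ini file.
# Entries are numbered pairs such as 0CmdLine=... / 0Parameters=... under
# section headers such as [Startup], [Shutdown], [Logon], [Logoff].
function Get-ScriptParameters {
    param([string[]]$Lines, [string]$Source)
    $section = ''
    $cmdLines = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]; $cmdLines = @{}
        } elseif ($line -match '^(\d+)CmdLine=(.*)$') {
            $cmdLines[$Matches[1]] = $Matches[2]
        } elseif ($line -match '^(\d+)Parameters=(.+)$') {
            [pscustomobject]@{
                File            = $Source
                Section         = $section
                CmdLine         = $cmdLines[$Matches[1]]
                ParameterLength = $Matches[2].Length   # report length only, never the value
            }
        }
    }
}

# Constructed sample mirroring the pass.bat setup described in the thread.
$sample = '[Startup]', '0CmdLine=pass.bat', '0Parameters=CONSTRUCTED-VALUE'
Get-ScriptParameters -Lines $sample -Source '(constructed sample)'

# Real scan; -Force so that hidden files are included.
Get-ChildItem -Path $PoliciesPath -Recurse -Filter scripts.ini -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ScriptParameters -Lines (Get-Content -LiteralPath $_.FullName) -Source $_.FullName
    }
```

Any row returned for a script that sets a password means the value is readable by every account that can read that GPO folder.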
ReneGeCommented:
@Config_Dot_Sys

Please tell us if you are still on this.

Thanks
0
 
SteveAuthor Commented:
Sorry - I got sent out of town for a few days and forgot all about this question.  I still need the answer, though, so I'll keep it open.

I was looking for an actual batch file that would accomplish this for me.  If anyone could post one up that I would be able to run from a domain admin account on the same domain as all of the servers, that's what I'm looking for.
0
 
xylogCommented:
Place these four files in the same directory and run createusers to execute the batch file:

The addusers utility -> http://www.dynawell.com/download/reskit/microsoft/win2000/addusers.zip

servers.txt -> list of servers

users.txt
======
[Users]
User Name,Full name, Password, Description, HomeDrive, Homepath, Profile, Script

createusers.bat
===========
for /f %%i in (servers.txt) do addusers /c users.txt \\%%i
0
 
SteveAuthor Commented:
I don't want to add users - all I want to do is reset the local admin password on these servers.
0
 
SteveAuthor Commented:
As far as I can tell, the suggestions made so far aren't meeting my needs.  I need a batch script that will take input from a text file.  The file will consist of a single line for each server in my data center.  Each line should look something like "servername accountname current password newpassword".  It doesn't have to look exactly like that, but that's what I'm envisioning.  I want to run the script on a command line, using a domain admin account.

I know I've seen something like this before, but it was years ago and I can't remember how it was done - other than that it was a batch file.
0
 
arnoldCommented:
Create a GPO that you would deploy to the computer's OU, which will run the net user <username> password

You could use the for loop provided by several posters, which reads the data from a text file. You can make text files for each system, and then use the "%computername%.txt" as the input to the for loop when it runs.
This way each computer will access and perform the tasks based on the computer-specific text file. To avoid having the process continuously run on every startup, you could at the conclusion of the process create a file that will be used as a check on whether this process has previously run on this system, so it does not need to run again.

A VBS script with the data in a database might be an option; it all depends on how quickly you want to implement this, and whether this will be a repeating cycle.




0
 
Ron MalmsteadInformation Services ManagerCommented:
I found this...looks like it might work for you.
http://www.visualbasicscript.com/Script-to-Change-Local-Administrator-Password-m2957.aspx

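' Reset the local Administrator password on every server listed in c:\servers.txt
Dim fso, user, ts, temp, src
Set fso = CreateObject("Scripting.FileSystemObject")
src = "c:\servers.txt"

If Not fso.FileExists(src) Then
    WScript.Echo "File: " & src & " cannot be found."
    WScript.Quit
End If

Set ts = fso.OpenTextFile(src, 1) ' 1 = ForReading
Do Until ts.AtEndOfStream
    temp = Trim(ts.ReadLine) ' one server name per line
    If temp <> "" Then
        ' Bind to the local Administrator account on the remote server
        Set user = GetObject("WinNT://" & temp & "/Administrator,user")
        user.SetPassword "new_password"
        user.SetInfo
    End If
Loop
ts.Close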

0
 
ReneGeCommented:
Here you go

@ECHO OFF

REM THIS WILL RESET THE LOCAL ADMINISTRATOR'S PASSWORD OF ALL PCs
REM THAT IS OUTPUT BY THE COMMAND "NET VIEW"
REM IN THE COMMAND  NET USER Administrator password
REM REPLACE THE WORD PASSWORD BY THE DESIRED PASSWORD

SETLOCAL enabledelayedexpansion

IF EXIST "%~n0.log" DEL "%~n0.log"

FOR /F %%a IN ('NET VIEW ^| FINDSTR -i "\\"') DO (
	ECHO RESETTING LOCAL ADMIN PASSWORD OF: %%a
	PSEXEC %%a NET USER | Findstr -i "Administrator" && PSEXEC %%a NET USER Administrator password
	ECHO !errorlevel! %%a>>"%~n0.log"
)

PAUSE
EXIT


0
 
younghvCommented:
Just a minor comment on the suggestion from ReneGe:
You do NOT need to provide the "Administrator" user name and password while using PSEXEC - if the account running the command has Admin Rights on the servers (or any targeted host).

By default, PSEXEC uses the privs of the account running the command.
0
 
SteveAuthor Commented:
I should probably give some background for this request: I am one of several technicians that are working on projects for multiple locations.  We take servers fresh out of the box, rack and cable them, load pre-made images, and configure 3rd party software.  Each project will have up to 40 or so servers in several racks.  To make our work faster/easier, we have a simple password for each server until the last day, when we change all local administrator passwords to match what the client requests.  I would like to sit down at one of these servers, log on with a domain admin account, go to command line, and execute a batch script which will reset the admin passwords on each server listed in a text file.  I would re-use this script for each project we work on - and would want to only have to change the text file that contains the servernames and new admin passwords.

Arnold: I would prefer to use a batch script that I can just run from a command line.

xuserx2000: I am not familiar with visual basic at all. I have done some work in the past with simple batch files, but that's about the extent of my ability.  I wouldn't know the first thing about how to get that script to work.

ReneGe: That is about the closest I've seen so far to what I am looking for - but I would like to specify the computer names in a text file, rather than making a blanket Net View call.  Any chance you could alter what you have to enable your script to look in a text file for a servername, running the change password routine, and then going on to the next servername in the file, etc?

Thanks, everyone, for the help so far.  This will save us a ton of time, not to mention carpal tunnel from logging on to so many servers and manually resetting the passwords!
0
 
younghvCommented:
This link will show you how to call a text file containing a list of remote systems.
http://www.experts-exchange.com/Q_22397407.html

Instead of the "exe" that example shows, you would be calling the BAT command defined by ReneGe.
0
 
arnoldCommented:
Simple enough: use the for loop the others have provided, which will read entries from a text file
and then execute.

If the text file contains the entries as
username password
you could run through the for loop
net user %line%

Since this is a new setup, you would need to use /add to add the user with the password.

I'm puzzled by your comment, given you seemingly want to avoid the need to log in to each system.
Using psexec, which another commenter posted, you can sit at one location and then run
psexec.exe /s \\remoteserver "\\server\share\batchfile.bat \\server\share\passwordfile.txt"  

If this is a domain environment, what is the point for having local administrative users outside the administrator replacement account as a failsafe?
0
 
ReneGeCommented:

@ECHO OFF

REM THIS WILL RESET THE LOCAL ADMINISTRATOR'S PASSWORD OF ALL PCs
REM LISTED IN serverlist.txt
REM IN THE COMMAND  NET USER Administrator password
REM REPLACE THE WORD PASSWORD BY THE DESIRED PASSWORD

REM IN serverlist.txt, ENTER ONE SERVER NAME PER LINE AS \\SERVER1

SETLOCAL enabledelayedexpansion

IF EXIST "%~n0.log" DEL "%~n0.log"

FOR /F "usebackq delims=" %%a IN ("serverlist.txt") DO (
	ECHO RESETTING LOCAL ADMIN PASSWORD OF: %%a
	PSEXEC %%a NET USER | Findstr -i "Administrator" && PSEXEC %%a NET USER Administrator password
	ECHO !errorlevel! %%a>>"%~n0.log"
)

PAUSE
EXIT


0
 
ReneGeCommented:
And if you wish to list the servers within the batch file...
@ECHO OFF

REM THIS WILL RESET THE LOCAL ADMINISTRATOR'S PASSWORD OF ALL PCs
REM LISTED IN THE "Server." ARRAY.
REM IN THE COMMAND  NET USER Administrator password
REM REPLACE THE WORD PASSWORD BY THE DESIRED PASSWORD

SETLOCAL enabledelayedexpansion

IF EXIST "%~n0.log" DEL "%~n0.log"

SET Server.1=\\server1
SET Server.2=\\server2
SET Server.3=\\server3

FOR /F "tokens=2 delims==" %%a IN ('SET Server.') DO (
	ECHO RESETTING LOCAL ADMIN PASSWORD OF: %%a
	PSEXEC %%a NET USER | Findstr -i "Administrator" && PSEXEC %%a NET USER Administrator password
	ECHO !errorlevel! %%a>>"%~n0.log"
)


PAUSE
EXIT


0
 
SteveAuthor Commented:
Perhaps I'm not understanding this process very well, or I'm not explaining what I'm doing very well.

I attempted to run the batch file provided by ReneGe above, with one server name (SERVER1) entered in the SERVERLIST.TXT file.  The RESETPW.LOG file that it generated provided the following entry:
0 \\SERVER1

While the script was running, it appeared to perform the command twice.  Once with errorlevel 1, and a second time with errorlevel 0.

The Administrator passwords that I am wanting to reset are for accounts that already exist.  Not sure if that was obvious from my previous entries or not.
0
 
SteveAuthor Commented:
Sorry - clicked the submit button before I was finished typing.

The script did not change the password on the remote server.
0
 
ReneGeCommented:
-"0" means that the "NET USER" operation was successful.
-I understood that you wanted to reset local admin accounts after joining them to the domain.  From the server you are running this batch file, are you logged on as a user having admin rights on the remote servers?
-You may need to manually run PSEXEC on remote servers at least once so you can accept the EULA.
-I removed the first PSEXEC that verified if the remote Administrator account exists.
@ECHO OFF

REM THIS WILL RESET THE LOCAL ADMINISTRATOR'S PASSWORD OF ALL PCs
REM LISTED IN THE "Server." ARRAY.
REM IN THE COMMAND  NET USER Administrator password
REM REPLACE THE WORD PASSWORD BY THE DESIRED PASSWORD

SETLOCAL enabledelayedexpansion

IF EXIST "%~n0.log" DEL "%~n0.log"

SET Server.1=\\server1
SET Server.2=\\server2
SET Server.3=\\server3

FOR /F "tokens=2 delims==" %%a IN ('SET Server.') DO (
	ECHO RESETTING LOCAL ADMIN PASSWORD OF: %%a
	PSEXEC %%a NET USER Administrator password
	ECHO ErrorCode:[!errorlevel!] %%a>>"%~n0.log"
)


PAUSE
EXIT


0
 
SteveAuthor Commented:
Works as advertised.  Thanks for the valuable input from all of the experts.  This answer met my request to the letter.
0
 
ReneGeCommented:
Glad I could help
0
 
younghvCommented:
I'm glad that it worked, but it is never a good idea to send any admin username/password in the clear across your network wire.
0
 
ReneGeCommented:
younghv has a good point here.
0
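A per-server variant of what the thread set out to do, as an added example that is not part of any post above: it reads a unique password for each server from a CSV and sets it through the WinNT ADSI provider (the interface the VBScript earlier in the thread uses), so the password is not passed as a PsExec command-line argument. The file names, the CSV columns Server and NewPassword, and the function name Set-LocalPassword are assumptions.

```powershell
# Added example. Assumed input file servers.csv (constructed sample content):
#   Server,NewPassword
#   SERVER1,"Constructed,Value-1!"
#   SERVER2,Constructed-Value-2
param(
    [string]$CsvPath = '.\servers.csv',
    [string]$LogPath = '.\reset-results.csv',
    [string]$Account = 'Administrator'
)

# Hypothetical helper: set one local account password over ADSI.
function Set-LocalPassword {
    param([string]$Server, [string]$Account, [string]$NewPassword)
    $user = [ADSI]"WinNT://$Server/$Account,user"
    $user.SetPassword($NewPassword)
    $user.SetInfo()
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    # Accept both SERVER1 and \\SERVER1, as used in the batch files above.
    $server = $row.Server.Trim().TrimStart('\')
    $status = 'Reset'
    $detail = ''
    try {
        if ([string]::IsNullOrEmpty($row.NewPassword)) { throw 'No password supplied' }
        Set-LocalPassword -Server $server -Account $Account -NewPassword $row.NewPassword
    } catch {
        # One unreachable server must not stop the run; record why it failed.
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Time    = (Get-Date).ToString('s')
        Server  = $server
        Account = $Account
        Status  = $status
        Detail  = $detail      # the password itself is never written to the log
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

The log records only the outcome per server; the new passwords stay in the input file, which should be removed or moved into a password vault once the run is verified.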
