How to change the local administrator account password on clients across a domain

Hi,

We want to reset / update the password of the local administrator account on all of our Windows 7 / Windows 8 clients across a Server 2012/2003 domain and I am wondering what would be the best / easiest way to do this?

I am assuming that it will probably be something that can be done in PowerShell or maybe even with Group Policy, but I am looking for the detail of how to do it, not just the method.

Who has done this before, what method did you use and what is the detail of the solution?

Thanks!


Jon
FriendlyIT (Infrastructure Team) asked:

McKnife commented:
Good advice: Don't do it, don't use that account at all, disable it. Technically, there's no reason to keep this account active. If you see one, I'll be pleased to tell you what you should do instead and why.

But to address your question anyway, directly: https://code.msdn.microsoft.com/windowsapps/Solution-for-management-of-ae44e789 is the best choice.
0

Will Szymkowski (Senior Solution Architect) commented:
I would recommend not disabling this account completely but "renaming" it to something arbitrary that only your IT staff know.

Will.
0
McKnife commented:
That won't change the SID so many attack vectors remain.
0

Will Szymkowski (Senior Solution Architect) commented:
You can also reference the Active Directory Team Blog to accomplish this via Group Policy.
http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx

Will.
0
McKnife commented:
Yep, that leads to my link, by the way :)
0
Will Szymkowski (Senior Solution Architect) commented:
"That won't change the SID so many attack vectors remain."
Realistically, how is someone going to get the SID of the administrator account. The only thing that is the same is -500 at the end of the SID. You would still need to get the rest of the SID as well and you would also still need the correct password.

Most people that use combo lists use usernames not SIDs as no SID is the same across different domains.

Having the account renamed and a strong password is plenty to secure this account.

Will.
0
McKnife commented:
Realistically, he would need a local logon, that's all. There are many tools, user2sid/sid2user for example. Those retrieve your own SID and you just append 500 instead of your own suffix.
0
FriendlyIT (Infrastructure Team, Author) commented:
Thanks.  A lot to take in here.  I will digest what's been posted so far and come back with any questions.

One initial question is the appending 500 thing you mentioned McKnife.  Can you elaborate on that?

Are you saying that appending 500 to any SID makes user account into an admin?

If so, wouldn't that be an easy attack vector that we should be trying to lock down?
0
McKnife commented:
Hi.

"Are you saying that appending 500 to any SID makes user account into an admin?" nooo :)))
I was talking about 2 tools: sid2user.exe and user2sid.exe which enable standard users to look up SIDs of known usernames (user2sid) or translate a known SID to an unknown username (sid2user). That makes hiding the admin account by renaming it quite ineffective from the perspective of an attacker THAT IS ALREADY logged on to the system, because, no matter what you rename the account to, it will still end in -500. So you'll definitely find out the new name with ease.

Please tell us why you would like to change the passwords and not leave those accounts simply disabled as Microsoft recommends.
0
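The RID-500 point above, turned into a defender's audit. This is an added example, not a script posted in the thread: it walks the computers in an OU and reports the built-in administrator account's current name and whether it is disabled, identifying the account by its SID suffix rather than its name, so renamed accounts are still found. It assumes the RSAT ActiveDirectory module on the admin workstation, admin rights and WMI/DCOM reachability on the targets, and the placeholder OU shown in the param block.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and local admin rights on the target machines (WMI over DCOM).
# The built-in administrator always has RID 500, so '*-500' finds it whatever
# it has been renamed to, which is exactly why renaming alone hides nothing.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, adjust
)

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

$report = foreach ($pc in $computers) {
    try {
        # Win32_UserAccount is available on Windows 7/8; no LocalAccounts module needed.
        # LocalAccount=True keeps WMI from enumerating every domain account.
        $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $pc `
                    -Filter 'LocalAccount=True' -ErrorAction Stop |
                Where-Object { $_.SID -like '*-500' }

        [pscustomobject]@{
            Computer  = $pc
            AdminName = $acct.Name
            Disabled  = $acct.Disabled
            # 'Administrator' is the default name on English installs only.
            Renamed   = ($acct.Name -ne 'Administrator')
            Error     = $null
        }
    }
    catch {
        [pscustomobject]@{
            Computer = $pc; AdminName = $null; Disabled = $null; Renamed = $null
            Error    = $_.Exception.Message
        }
    }
}

# Machines where Disabled is False are the ones still exposed: either disable the
# account there or bring it under the GPO-based password management linked in the thread.
$report | Sort-Object Disabled, Computer | Format-Table -AutoSize
$report | Export-Csv -Path .\BuiltinAdminAudit.csv -NoTypeInformation
```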
FriendlyIT (Infrastructure Team, Author) commented:
We often need to remotely connect to:

Remote Registry, Computer Management, Hidden Drive Shares etc for administration.

If you can give me some different best practice for how to achieve this, then I would be happy to disable local admin accounts!
0
FriendlyIT (Infrastructure Team, Author) commented:
The other issues we have seen where local admin has been invaluable have been quick log on to machines (the Domain Admin pulls down a load of stuff from the network) and when machines have had networking issues and have not been able to contact the domain, this has been the only way to get on to those machines.

If you have alternative solutions to these situations then I am really open to disabling the local admin account!

(the next question would be how I do that en masse!)
0
McKnife commented:
"We often need to remotely connect to: Remote Registry, Computer Management, Hidden Drive Shares etc for administration." - all of these can be accessed via RSAT. What you cannot do via RSAT (if any), you will be able to do via remote shell/psexec/remote powershell. You should not need to log on to those systems.
But if you do, you have two best, secure practices:
Either you use the local admin password changer extension I linked before, or you use extra domain accounts, one per system. The latter would require some script and a little management effort in the first place. I have outlined that in a German forum which you should let Google translate for you - see if you understand it: http://www.administrator.de/wissen/sicherer-umgang-supportkonten-262066.html
The scripted solution is better, I use it. Those accounts can access domain resources and get auto activated/deactivated just for the support use.
0
FriendlyIT (Infrastructure Team, Author) commented:
The Google Translate rendition of that page is not great and I am struggling to understand it.  Sorry....

(your English is much better than Google Translate!)
0
McKnife commented:
You don't have to understand the text. Just that much: I used AD accounts set as local admins, one per machine. If that one is compromised, so what - it is only good for one machine and my script deactivates it right after support is over. If you don't understand the code, you are better off with my first link anyway.
0
FriendlyIT (Infrastructure Team, Author) commented:
Thanks.  Some excellent wisdom and suggestions here for different ways of tackling the problem we actually had.
0