Run the script on all servers in an OU

I had this question after viewing Turn off Password never expires on local administrator account.

I have over 500 servers with "Password Does Not Expire" checked, residing in a wide range of VLANs. I don't have a VLAN from which I can run this script that will be able to access all servers - or even a large portion of them. So I was thinking maybe there is a way to use the same script but alter it so I can apply a GPO that runs the script to a specific OU where the servers reside - would that be possible? The default domain level is set to Windows Server 2003.

Thanks
Asked by: Matthew McGlone
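One way to do what the question asks, added here as an example and not the script from the linked question: a computer startup script that clears "Password never expires" on the built-in Administrator of whatever machine runs it, deployed through Computer Configuration > Policies > Windows Settings > Scripts > Startup on a GPO linked to the servers' OU, so no single VLAN needs network reach to all servers. It locates the account by its well-known RID 500 rather than by name; the log path is an assumption, and it relies on a rotation mechanism such as LAPS being in place, as the thread discusses.

```powershell
# Added example, not the thread's or the linked question's script: GPO computer startup
# script that clears the "Password never expires" flag on the local built-in Administrator.
# Runs as SYSTEM at boot on each server in the linked OU, so it needs no remote access and
# does not go through the GPP "Local Users and Groups" path that fails on built-in accounts.
# Uses the WinNT ADSI provider so it also works on older PowerShell versions.
# Assumes a password-rotation mechanism (e.g. LAPS) already manages this account.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # UserFlags bit for "password never expires"
$logPath = "$env:SystemRoot\Temp\ClearPwdNeverExpires.log"   # assumed log location

function Get-BuiltinAdministrator {
    # Find the built-in Administrator by its well-known RID (500), not by name,
    # because the account may have been renamed on some servers.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $sidBytes = $child.Properties['objectSid'].Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -match '-500$') { return $child }
    }
    return $null
}

function Clear-PasswordNeverExpires {
    param([System.DirectoryServices.DirectoryEntry]$User)
    $flags = [int]$User.Properties['UserFlags'].Value
    if (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0) {
        return 'already clear'    # idempotent: nothing to change on repeat boots
    }
    $User.Properties['UserFlags'].Value = $flags -bxor $ADS_UF_DONT_EXPIRE_PASSWD
    $User.SetInfo()               # commit the change to the local SAM
    return 'cleared'
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
try {
    $admin = Get-BuiltinAdministrator
    if ($null -eq $admin) { throw 'Built-in Administrator (RID 500) not found' }
    $result = Clear-PasswordNeverExpires -User $admin
    Add-Content -Path $logPath -Value "$stamp $env:COMPUTERNAME $($admin.Name): $result"
} catch {
    Add-Content -Path $logPath -Value "$stamp $env:COMPUTERNAME ERROR: $_"
    exit 1
}
```

The per-server log line (and a non-zero exit code on failure) gives you something to collect afterwards to confirm which of the 500 servers actually applied the change.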
1 Solution
 
Derek Souter (ITO Svc Delivery Cons III) commented:
Maybe I'm missing something, but why not simply apply a group policy to the servers that will remove the "password never expires" setting for the local administrator account?
[Attachment: Group_Policy_Change_Local_Admin.png]
 
arnold commented:
It will not be advisable to do, as the account will be locked out when the password expires. What you could do instead is use a GPO and a startup script to set a new password, though it would be visible.
The other option is to use psexec, PowerShell or VBScript to go through and set the local account password on a schedule.


The removal of the password expiry would effectively be having a master key for various locations, but there is a process in place where the lock is removed and replaced, or sealed, following lack of use.
The result will be that when you need to use the local account to access the system to address an issue, the password will have expired and you will be without the ability to access it.

The local admin account should commonly be disabled, with another account specifically designated for that purpose set up.

My suggestion is to ask what the end goal is that you wish to achieve, and then we can see whether scripting password changes at a regular interval might be a better approach to the issue.
 
Matthew McGlone (Systems Engineer, Author) commented:
Thank you for your help.
 
Matthew McGlone (Systems Engineer, Author) commented:
Hi Arnold - You said, "It will not be advisable to do as the account will be locked out when the password expires". That is true, but I am running LAPS on all Domain computers, so I don't have to worry about the Administrator account locking. Have you used LAPS? It takes care of my BuiltIn Administrator "administration" - changes the password at set intervals, deploys to all machines via GPO and has a utility to allow techs to pull the local password for any machine.

I tested Derek Souter's idea and the GPO fails on logon. Here is information from the Application Log:  

Event ID 4908: The computer 'Administrator (built-in)' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x8007055b Cannot perform this operation on built-in accounts.' This error was suppressed.

The odd thing is that when I set the GPO there are a couple of pre-populated BuiltIn accounts in the GPO, including Administrator. For this error to say 'Cannot perform this operation on built-in accounts' is contradictory to what the GPO says.

Any ideas Derek/Arnold?

Thanks

Matt
 
arnold commented:
Double check whether what you are trying to do with the GPO is what LAPS is also doing, i.e. do you know the built-in administrator account and are you able to log in using it? Disable the account, which is commonly the advice, and have a new designated admin account whose SID cannot be guessed.