Run the script on all servers in an OU

I had this question after viewing "Turn off Password never expires on local administrator account".

I have over 500 servers with "Password Does Not Expire" checked, residing in a wide range of VLANs. I don't have a VLAN from which I can run this script and reach all servers, or even a large portion of them. So I was thinking maybe there is a way to use the same script but alter it so I can apply a GPO that runs the script to the specific OU where the servers reside. Would that be possible? The default domain level is set to Windows Server 2003.

Thanks
Matthew McGlone, Systems Engineer, asked:
Derek Souter, ITO Svc Delivery Cons III, commented:
Maybe I'm missing something, but why not simply apply a group policy to the servers that will remove the "password never expires" setting for the local administrator account?
[attached image: Group_Policy_Change_Local_Admin.png]

arnold commented:
It will not be advisable to do so, as the account will be locked out when the password expires. What you could do instead is use a GPO and a startup script to set a new password, though it would be visible.
The other option is to use psexec, PowerShell or VBScript to go through and set the local account password on a schedule.


Removing the password expiry would effectively be like having a master key for various locations, but there is a process in place where the lock is removed and replaced, or sealed, following lack of use.
The result will be that when you need to use the local account to access the system to address an issue, the password will have expired and you will be without the ability to access it.

The local admin account should commonly be disabled, with another account specifically designated for that purpose set up.

My suggestion is to ask what the end goal is that you wish to achieve, and then we can see whether scripting password changes at a regular interval might be a better approach to the issue.
Matthew McGlone, Systems Engineer (author), commented:
Thank you for your help.
Matthew McGlone, Systems Engineer (author), commented:
Hi Arnold - You said, "It will not be advisable to do as the account will be locked out when the password expires". That is true, but I am running LAPS on all domain computers, so I don't have to worry about the Administrator account locking. Have you used LAPS? It takes care of my built-in Administrator "administration": it changes the password at set intervals, deploys to all machines via GPO and has a utility to allow techs to pull the local password for any machine.

I tested Derek Souter's idea and the GPO fails on logon. Here is information from the Application Log:  

Event ID 4908: The computer 'Administrator (built-in)' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x8007055b Cannot perform this operation on built-in accounts.' This error was suppressed.

The odd thing is that when I set the GPO there are a couple of pre-populated built-in accounts in the GPO, including Administrator. For this error to say 'Cannot perform this operation on built-in accounts' is contradictory to what the GPO says.

Any ideas Derek/Arnold?

Thanks

Matt
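The 0x8007055b error quoted above is the Group Policy Preferences "Local Users" item refusing to touch a built-in account, so the preference item cannot be used for this. A way around it, as an added example that is not from anyone in this thread, is a startup script assigned by a GPO linked to the servers' OU (Computer Configuration > Policies > Windows Settings > Scripts > Startup). The script below is hypothetical: it assumes PowerShell is installed on every server in the OU (on Windows Server 2003 that means installing PowerShell 2.0 first), that the script is run as SYSTEM at boot, and that the log path under %SystemRoot%\Temp is acceptable. It uses the WinNT ADSI provider rather than Get-LocalUser/Set-LocalUser so that it also runs on 2003/2008-era hosts, and it finds the built-in Administrator by its well-known RID (-500) instead of by name, because the account may have been renamed.

```powershell
# Added example (not from the original thread): GPO startup script that clears
# "Password never expires" on the built-in Administrator account.
# Assumptions: runs as SYSTEM via a Startup script in a GPO linked to the servers'
# OU; PowerShell 2.0+ is present; $LogFile is a hypothetical location.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000          # UserFlags bit for "Password never expires"
$LogFile = Join-Path $env:SystemRoot 'Temp\ClearAdminPwdNeverExpires.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Enumerate local users through the WinNT provider and pick the one whose SID
# ends in -500 (the built-in Administrator, whatever it is currently named).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$admin = $null
foreach ($child in $computer.Children) {
    if ($child.SchemaClassName -ne 'User') { continue }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
    if ($sid.Value.EndsWith('-500')) { $admin = $child; break }
}

if ($admin -eq $null) {
    Write-Log 'ERROR: built-in Administrator (RID 500) not found'
    exit 1
}

$flags = [int]$admin.UserFlags.Value
if ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) {
    # Clear only the one bit; leave the other UserFlags (disabled, locked, etc.) alone.
    $newFlags = $flags -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD)
    $admin.Put('UserFlags', $newFlags)
    $admin.SetInfo()
    Write-Log ('Cleared PasswordNeverExpires on "{0}" (UserFlags {1} -> {2})' -f $admin.Name, $flags, $newFlags)
} else {
    Write-Log ('No change: "{0}" already expires its password' -f $admin.Name)
}
```

Because the script changes state, it only writes when the bit is actually set, so rerunning it at every boot is harmless and the log shows which servers were changed. Once the flag is cleared, the local maximum password age (from the domain Default Domain Policy, or whatever applies to member servers) governs the account; with LAPS rotating the password on its own schedule, keep the LAPS PasswordAgeDays shorter than that maximum so the password is never left to expire on its own. Run the script by hand on one server with `powershell.exe -ExecutionPolicy Bypass -File` before linking the GPO, and check the log file and `net user Administrator` (the "Password expires" line) to confirm the result.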
arnold commented:
Double-check whether what you are trying to do with the GPO is what LAPS is also doing, i.e. do you know the built-in administrator account and are you able to log in using it? Disable the account, which is commonly the advice, and have a new designated admin account whose SID cannot be guessed.