Administrator account of Windows 10 dont't change.

I have some computers Windows 10 and the major part is Windows 7.
DC is Server 2008.
When we change the password of administrator, all computers wiht WIndows 7 changed, but with Windows 10 didn't change nothing.
All user administrator must has the same password.
Can you help me
Thanks - Fabiano (Brazil)
Fabiano Vidal RochaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Michael MachieIT SupervisorCommented:
Hi, we need clarification.

1) When changing a User account password on the DC it does not change on the local computers itself.
2) When you log into a PC where the Domain Admin can use the Domain Admin credentials to log in, then it will work as long as the PC can communicate with the Domain Controller.
3) If the PC cannot contact the Domain Controller at the time of logon, then the changed Domain Admin password will not work.
4) If it previously allowed you to log in via a Domain Admin credential you should try the old password to see if access is granted. If so, your PC is not talking to the DC for the updated authentication and is instead using cached credentials.
5) If your PC is not Domain Connected (not a Domain Computer), the Domain Admin credential will never work, only LOCAL Admin credentials will using the local admin account.

It appears to me that your Win10 PCs are not Domain Connected and your Win7 machines are. Please confirm.

Questions:
1) Are your Win10 PCs connected to the Domain?
2) When logging in fails, do you receive a message of any type other than the credentials failed?
Such as, "Communication with the Domain Controller cannot be made" or, "Domain Services unavailable" or, "The trust relationship between the computer and the Domain Controller is not available"?
3) Are you changing the Local Admin account password on the PCs or are you changing the Domain Admin password on the DC?

Please advise.
0
Fabiano Vidal RochaAuthor Commented:
Hello, thanks for helping me....
All the computers is in domain, I need to change the password of the local administrator account.
For example, if I change the password, and put to change the password, it's ok, the GPO send this change, but if in GPO I change de password of local admin, nothing happen. Windows 7 computers change normally, but Windows 10 computer mantain the same password.
0
Michael MachieIT SupervisorCommented:
ok, thanks for clarifying - I was not on the same page as you and now am..

You are using Windows Server GPO to force the local admin password change on Win10. I believe the registry settings are different for Win10 versus Win7 so it may be that another registry key edit needs to be added to change for Win10. I have seen similar issues in Win10 vs. Win7.

I will dig in a bit more and in the meantime, are the Win10 machines in an OU that has this GPO linked to it? You may have checked that but to be sure run a GPRESULT to verify the WIN10 machine is pulling the policy.

Open CMD
type: gpresult /r  [ENTER]
- This will display all of the GPOs that this machine has pulled and applied. If the GPO you created for this purpose is not showing under the section "Applied Group Policy Objects" then that is your problem and will need to dig into that. If not visible, start by testing the connection and force the GP Policies to update.

On a Win10 machine:
CMD
gpupdate /force  [ENTER]
It will display a message that it successfully updates or it did not.

- If not, then that is your problem - you cannot update policies.
- If it succeeds, check 'gpresult /r' again and verify the policy has applied.
- If it updates policy but this policy does not apply, then verify the GPO is linked to the OU where the PC resides or move the PC into an OU that is linked.
- You also want to make sure the GPO is able to be read by Authenticated Users:
Picture of READ access permissions to the GPO by Authenticated Users

Let me know.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

David Johnson, CD, MVPOwnerCommented:
on the Windows 7 machines you are missing a few updates. Microsoft disabled the setting of local passwords via group policy a long time ago
https://www.experts-exchange.com/questions/29073839/GPO-failed-to-change-local-admin-account-password.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
You should NOT ever use the Local Administrator account. That was disabled and locked down in Windows 10.

Do not use this.

Make a different user name as local admin account and make it member of Administrators Group. Then it should work as you want.
0
McKnifeCommented:
Hi Fabiano.

You did not share the method you are using.
->you can enforce password expiry so that a new one needs to be set using scripts - did you do that?
->you can set the password using group policy preferences if your DC is not patched for years (this ability was disabled years ago for security reasons) - did you do that?

It has nothing to do with windows 10, that, I can say for sure.

You should share your goal and we'll find a way to make it happen. "All user administrator must has the same password." - that is a horrible idea, security wise and should be avoided at all costs. Why would you need that, what's the scenario?
0
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- David Johnson CD MVP (https:#a42543049)
-- McKnife (https:#a42543335)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.