AD Script: change computer local admin password & disable local guest

[AlexIT]

I got started with this in another thread and I am not sure where I went wrong...I am looking to call an AD script from our login.bat file to change the computer's local admin password and to disable the computer's local guest account. I am doing this so each time any machine is used to log into the domain both of these items are performed. (All domain users, except admin accounts, run login.bat...)

Dim fso, ts, password, admin, computer
Set fso = CreateObject("Scripting.FileSystemObject&quot
Set password = fspenTextFile("\\SERVER1\passowrd.txt", 1)
ts.close

Dim objNet
Set objNet = Createobject("WScript.Network&quot
admin = "Administrator"
computer = objNet.ComputerName

Dim User
Set User = GetObject ("WinNT://" & computer & "/"& admin &"",user)
Call User.SetPassword(password)

Set objNet = Nothing
Set objUser = GetObject("WinNT://" & computer & "/Guest&quot
objUser.AccountDisabled = True
objUser.SetInfo

 

[NJDEV1K]

All I have is the script below


strComputer = "computername"
Set colAccounts = GetObject("WinNT://" & strComputer & "/Administrators,group&quot
Set objUser = colAccounts.Create("/USERNAME,user&quot
objUser.SetPassword "1234"
objUser.SetInfo

 

[AlexIT]

That looks to create a new user in the local administrator's group (unless I am misreading), I need to change the password for the existing (default) administrator's account on the given machine...also I'd need the new password stored outside of the script. If the script is in "\SYSVOL\...\scripts" directory it is accessible to any computer on the network. I was trying to store the password in a non-shared location, and just call this from the script.

Alex

 

[vanvb]

This disables the Guest account on the local machine:

ComputerName = "."
Set CPU = GetObject("WinNT://" & ComputerName & ",Computer")
Set User = CPU.GetObject("User", "Guest") 

User.AccountDisabled = True
User.SetInfo

Try this change to make the above change a password:

Call User.SetPassword("xyzxyz")

I haven't checked the change password one yet, but it should work.

The above is an adaptation from:

http://visualbasic.ittoolbox.com/code/d.asp?d=2255&a=s

Hope that helps!

 

[AlexIT]

I haven't any access at the moment, but I thought I'd try this modification of the above:

ComputerName = "."
Set CPU = GetObject("WinNT://" & ComputerName & ",Computer&quot
Set User = CPU.GetObject("User", "Guest&quot

User.AccountDisabled = True
User.SetInfo

Set Admin = CPU.GetObject("User". "Administrator&quot
Call User.SetPassword("xyzxyz&quot


Do I still need the User.SetInfo after the .SetPassword call??

Thanks,
Alex

 

[DougInCanada]

We initiated this script because of the possibility of admin password hacking via the cracking software readily available on the net.

This works great for me:

strComputer = "."
Set CPU = GetObject("WinNT://" & strComputer & ",Computer&quot
Set objuser = CPU.GetObject("User", "Administrator&quot
dim wsh
Set wsh = Wscript.CreateObject("Wscript.Shell&quot
objUser.SetPassword &quot;<YourNewPasswordHere>&quot;
objUser.SetInfo

CAVEAT WARNING!
If the user running this script (ie: the currentuser on the target machine) is not a member of the local admin group the script will fail!
The workarounds for this are:
Enable local computer policies on the local computers (or use GPO's) and place the vbs in the <Local Computer Policy><Computer Configuration><Windows Settings><Scripts (Startup/Shutdown)><startup.

or

repackage the vbs in an MSI using elevated privileges. I use InstallConstruct or you could use WINstaller. Then any user can run the script silently.

Personally, I prefer to use the local/group policies angle. In Startup, the script runs before the user logs on (under the system account), so even if someone's hacked the admin password, it gets reset to what you've chosen before the amateur hacker can log on with the new password they set.