Local Admin Password

[telep]

in a win2000 domain, i'd like to change password of local administrator on all clients.
how can i do using win2000 policy?

 

[58sniper]

That's been discussed here many times. Try searching.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[markdmac]

'==========================================================================
'
' NAME: resetAdminPasswordsonPC.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: [URL unfurl="true"]http://www.thespidersparlor.com[/URL]
' DATE  : 3/23/2004
'
' COMMENT: Resets the local admin password on domain computers.
'          Requires a list of workstation names called wslist.txt.
'[red]
'          This and many more scripts available in the Admin Script Pack 
'          by The Spiders Parlor [URL unfurl="true"]http://www.thespidersparlor.com/vbscript[/URL][/red]
'==========================================================================

On Error Resume Next

Dim oFSO, oFailureReport, oSuccessReport, oTextStream, oAdminID, RemotePC, strComputerName
Dim adminPassword

set oFSO=CreateObject("Scripting.FileSystemObject")

If Not oFSO.FolderExists("c:\scripts\lists") Then
	oFSO.CreateFolder("c:\scripts")
	oFSO.CreateFolder("c:\scripts\lists")
End If 

If oFSO.FileExists("c:\scripts\lists\failed.txt") Then
   oFSO.DeleteFile("c:\scripts\lists\failed.txt")
End If 

If oFSO.FileExists("c:\scripts\lists\success.txt") Then
   oFSO.DeleteFile("c:\scripts\lists\success.txt")
End If 


set oFailureReport=oFSO.createtextfile("c:\scripts\lists\failed.txt")
set oSuccessReport=oFSO.createtextfile("c:\scripts\lists\success.txt")




'open the data file
Set oTextStream = oFSO.OpenTextFile("wslist.txt")
'make an array from the data file
RemotePC = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close


For Each strComputername In RemotePC
    'Goto the local Admin account of the machine
    set oAdminID = GetObject("WinNT://" & strComputername & "/administrator,user")
      'Check for error and record in case of failed attempt
      If Err Then
        ReportError()
        Err.Clear
      Else
          adminPassword = "putnewpasswordhere"
          oAdminID.SetPassword adminPassword
          oAdminID.SetInfo
          oSuccessReport.WriteLine strComputername & " Admin Password was reset."
      End If
Next

'Close all open files
oFailureReport.close
oSuccessReport.close

'Present yourself a message so you'll know its finsihed
msgbox "Done"

set oFSO = nothing
set oAdminID = Nothing
set oTextStream = nothing
set oSuccessReport = nothing
set oFailureReport = nothing

Sub ReportError()
    oFailureReport.WriteLine strComputername & " could not be reset. Check that it is powered on." & Err.Number
End Sub

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[porkchopexpress]

Also look at

http://www.sysinternals.com/Utilities/PsPasswd.html

 

[PScottC]

The solution I use is GPO based. Every time a user shuts down their PC, both the local Administrator name and password get set to my current default. Basically I have specified a Shutdown script in the computer portion of my policy. To ensure that no one can get your admin name and password through "casual inspection", use the script encoder to save the script in .vbe format before deploying it into your GPO. Here's the code...

[green]'==========================================================================
'
' NAME: ChgLocalAdminName-Pass-v3.vbs
'
' AUTHOR: Paul S. Chapman , Vineyard Bank
' DATE  : 12-21-2005
'
' COMMENT: Changes the local Administrator name and password.  Searches local
' system for well known SID beginning "S-1-5-" and ending "-500".  Script
' is designed to be run as a system startup or shutdown script to ensure
' that Administrator name is always the same.
'
' To ensure greater security, always save encrypted (.vbe) version for use
' with Group Policies.
'
' New in Version 2: Removed command line arguments and default passwords.
' New in Version 3: Rem'd out WMI user rename and added ADSI user rename to
' deal with Windows 2000 systems, where the objAccount.Rename method is Not
' available.
'
'==========================================================================[/green]

Option Explicit

Dim strComputer, strResult, strNewAdminName, strNewPassword, strWMIQuery
Dim objNetwork, objWMIService, objAccount, objAdmin
Dim colAccounts, objDomain, objMove

Set objNetwork = WScript.CreateObject("WScript.Network")

strComputer = objNetwork.ComputerName

strNewAdminName = [red]"NewName"[/red][green]' New administrator name[/green]
strNewPassword = [red]"NewP@ss"[/red][green]' New password[/green]

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

strWMIQuery = "Select * From Win32_UserAccount Where Domain = '" & strComputer & "'"
Set colAccounts = objWMIService.ExecQuery(strWMIQuery)

For Each objAccount in colAccounts
	If Left (objAccount.SID, 6) = "S-1-5-" and Right(objAccount.SID, 4) = "-500" Then
		Set objDomain = GetObject("WinNT://" & strComputer)
		Set objAdmin = GetObject("WinNT://" & strComputer & "/" & objAccount.Name)
		objAdmin.SetPassword(strNewPassword)
		If objAccount.Name <> strNewAdminName Then
			[green]' ADSI style account rename[/green]
			Set objMove = objDomain.MoveHere(objAdmin.AdsPath, strNewAdminName)
			[green]' WMI style accocunt rename[/green]
' 			strResult = objAccount.Rename(strNewAdminName)
		End If
	End If
Next

Good Luck!

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[markdmac]

PSC, you should probably be aware of 2 things.

1. a VBE file can very easily be decoded.
2. any user can browse to the script.

Neither of which would constitute casual browsing, however for security reasons I would not want to leave such a script out there on the network for the more curious users to find.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[PScottC]

I agree. In my environment there are 3 things which mitigate this risk: 1)there are only a handful of people who would be able to find the script in the first place, because the script directory is under the group policy, which is expressed as a GUID. 2)The users who do scripting are myself and one other administrator. and 3)This policy only applies to workstations.

Users are already local admins on their machines due to requirements of several applications we run. If someone were to break into a workstation, the impact on the environment would be the same as a user password being compromised, probably less because the local admin account on the workstations is different from the servers and local accounts won't have access to the servers.

The reason I use a script like this is to ensure that the local admin name and password is consistent across the environment, despite efforts of my users to modify it.

So, telep, like anything on this site, use at your own risk.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[Seaspray0]

When it comes to scripting... "Moooo"

But, I'm learning from you guys, as well as from the examples provided by microsoft.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA

 

[telep]

tnx to all