Local Admin Password change script for Domain PC's

Hi all, I have a simple script I want to run on all client PC's (all clients
are XP Pro) in our 2003 Active Directory. It will be used to change the
local admin password for all PC's in our single domain Active Directory:

----------------------------------------------------------
Set WshShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "Net User administrator password
Set WSHShell = Nothing
----------------------------------------------------------

*note: "password" is replaced by the actual password we will be using in the
encoded script.

I have encoded it using Microsoft's Windows Script Encoder so it is now a
..vbe extension file and it appears to be working when running it manually.
My question is, what would be the most effective way to run this on client
PC's:

- Call to it "password.vbe" from logon script.
- Group Policy start up script (Computer Configuration -> Windows
Settings -> Scripts -> Startup).
- SMS 2003 package.
- Other options?

Appreciate and advice. Thanks.

Howdie!

Barkley Bees wrote:
> Hi all, I have a simple script I want to run on all client PC's (all clients
> are XP Pro) in our 2003 Active Directory. It will be used to change the
> local admin password for all PC's in our single domain Active Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------

The question arose a few times here in the newsgroups. There are various
suggestions, I guess you should find a few of them on google groups or
the forums search. While I'm actually not aware of how good the
"encoding" of the script will prevent your folks from trying to crack it
and steal the password, I'd not use a script to change the password.
I've found pspasswd very useful:
http://www.microsoft.com/technet/sys.../pspasswd.mspx

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:uPqVe0j5IHA.5052@TK2MSFTNGP03.phx.gbl...
> Howdie!
>
> Barkley Bees wrote:
>> Hi all, I have a simple script I want to run on all client PC's (all
>> clients are XP Pro) in our 2003 Active Directory. It will be used to
>> change the local admin password for all PC's in our single domain Active
>> Directory:
>>
>> ----------------------------------------------------------
>> Set WshShell = WScript.CreateObject("WScript.Shell")
>> WSHShell.Run "Net User administrator password
>> Set WSHShell = Nothing
>> ----------------------------------------------------------
>
> The question arose a few times here in the newsgroups. There are various
> suggestions, I guess you should find a few of them on google groups or the
> forums search. While I'm actually not aware of how good the "encoding" of
> the script will prevent your folks from trying to crack it and steal the
> password, I'd not use a script to change the password. I've found pspasswd
> very useful:
> http://www.microsoft.com/technet/sys.../pspasswd.mspx
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Use a newsreader! http://www.frickelsoft.net/news.html
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Another option is a VBScript program that binds to the local Administrator
user object and uses the SetPassword method to change the password. The
advantage of this is that it can be done remotely, from your PC, as long as
you have connectivity and administrator privileges on the remote computer.
If you are a member of the Domain Admins group you should be a member of the
local Administrators group on the remote computers. You could run the script
once for each PC, specifying the NetBIOS name of the computer, or read the
names from a text file and loop through the computers. For one computer:
=========
Option Explicit
Dim strComputer, objAdmin, strPassword

strPassword = "xzy213q"
strComputer = "west241"
Set objAdmin = GetObject("WinNT://" & strComputer & "/administrator,user")
objAdmin.SetPassword strPassword
=========
To read a text file of computer NetBIOS names you could use code similar to:
==========
Option Explicit
Dim strComputer, strPassword, objAdmin, strFile, objFSO, objFile
Const ForReading = 1

strPassword = "xzy213q"

' Open text file of computer names.
strFile = "c:\scripts\computers.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)

' Read the file.
Do Until objFile.AtEndOfStream
strComputer = Trim(objFile.ReadLine)
' Skip blank lines.
If (strComputer <> "") Then
' Bind to local Administrator user on remote computer.
' Trap error if computer not available.
On Error Resume Next
Set objAdmin = GetObject("WinNT://" & strComputer _
& "/administrator,user")
If (Err.Number <> 0) Then
Wscript.Echo "Unable to connect to " & strComputer
End If
On Error GoTo 0
' Reset password.
objAdmin.SetPassword strPassword
End If
Loop
objFile.Close
=========
In the above I trap the possible error if the computer is not available.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Are you aware of the new Group Policy Preference settings?

You can change the local Admininstrator password very easily through GPMC
for all computers in the desired scope of management. We have started using
this in my organization and it has worked like a charm. You would just need
to make sure all the XP machines have the Windows 2008 Client Side Extensions
installed, either via Windows Update or a startup script (ironically). We
are using a startup script so that we can be certain the CSEs are getting
installed. I'll find the site from which I obtained the script if you need
it.

"Barkley Bees" wrote:

> Hi all, I have a simple script I want to run on all client PC's (all clients
> are XP Pro) in our 2003 Active Directory. It will be used to change the
> local admin password for all PC's in our single domain Active Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------
>
> *note: "password" is replaced by the actual password we will be using in the
> encoded script.
>
> I have encoded it using Microsoft's Windows Script Encoder so it is now a
> ..vbe extension file and it appears to be working when running it manually.
> My question is, what would be the most effective way to run this on client
> PC's:
>
> - Call to it "password.vbe" from logon script.
> - Group Policy start up script (Computer Configuration -> Windows
> Settings -> Scripts -> Startup).
> - SMS 2003 package.
> - Other options?
>
> Appreciate and advice. Thanks.
>
>
>
>

Are you aware of the new Group Policy Preference settings?

You can change the local Admininstrator password very easily through GPMC
for all computers in the desired scope of management. We have started using
this in my organization and it has worked like a charm. You would just need
to make sure all the XP machines have the Windows 2008 Client Side Extensions
installed, either via Windows Update or a startup script (ironically). We
are using a startup script so that we can be certain the CSEs are getting
installed. I'll find the site from which I obtained the script if you need
it.

"Barkley Bees" wrote:

> Hi all, I have a simple script I want to run on all client PC's (all clients
> are XP Pro) in our 2003 Active Directory. It will be used to change the
> local admin password for all PC's in our single domain Active Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------
>
> *note: "password" is replaced by the actual password we will be using in the
> encoded script.
>
> I have encoded it using Microsoft's Windows Script Encoder so it is now a
> ..vbe extension file and it appears to be working when running it manually.
> My question is, what would be the most effective way to run this on client
> PC's:
>
> - Call to it "password.vbe" from logon script.
> - Group Policy start up script (Computer Configuration -> Windows
> Settings -> Scripts -> Startup).
> - SMS 2003 package.
> - Other options?
>
> Appreciate and advice. Thanks.
>
>
>
>

For a script-less solution you could try DSRAZOR for Windows to bulk reset
local administrator passwords. It is not a free utility, but it is reliable
and easy.
You can run the applet from your workstation (logged in with sufficient
credentials) and select all of the machines you want to update. Type in the
new password and press OK. DSRAZOR will update the password on those
machines. It will also keep a log of successful updates - this way you can
keep track of which machines were not updated (turned off, not on the
network at the time, etc).

Some of the scripting solutions mentioned in this thread work just great and
are a good fit for some people, but if we've found that many people like the
ease of use a supported utility can provide.

www.visualclick.com/?source=NGwin2KAD

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Barkley Bees" <barkbees@nomail.com> wrote in message
news:epmx13i5IHA.2336@TK2MSFTNGP03.phx.gbl...
> Hi all, I have a simple script I want to run on all client PC's (all
> clients are XP Pro) in our 2003 Active Directory. It will be used to
> change the local admin password for all PC's in our single domain Active
> Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------
>
> *note: "password" is replaced by the actual password we will be using in
> the encoded script.
>
> I have encoded it using Microsoft's Windows Script Encoder so it is now a
> .vbe extension file and it appears to be working when running it manually.
> My question is, what would be the most effective way to run this on client
> PC's:
>
> - Call to it "password.vbe" from logon script.
> - Group Policy start up script (Computer Configuration -> Windows
> Settings -> Scripts -> Startup).
> - SMS 2003 package.
> - Other options?
>
> Appreciate and advice. Thanks.
>
>
>

For a script-less solution you could try DSRAZOR for Windows to bulk reset
local administrator passwords. It is not a free utility, but it is reliable
and easy.
You can run the applet from your workstation (logged in with sufficient
credentials) and select all of the machines you want to update. Type in the
new password and press OK. DSRAZOR will update the password on those
machines. It will also keep a log of successful updates - this way you can
keep track of which machines were not updated (turned off, not on the
network at the time, etc).

Some of the scripting solutions mentioned in this thread work just great and
are a good fit for some people, but if we've found that many people like the
ease of use a supported utility can provide.

www.visualclick.com/?source=NGwin2KAD

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Barkley Bees" <barkbees@nomail.com> wrote in message
news:epmx13i5IHA.2336@TK2MSFTNGP03.phx.gbl...
> Hi all, I have a simple script I want to run on all client PC's (all
> clients are XP Pro) in our 2003 Active Directory. It will be used to
> change the local admin password for all PC's in our single domain Active
> Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------
>
> *note: "password" is replaced by the actual password we will be using in
> the encoded script.
>
> I have encoded it using Microsoft's Windows Script Encoder so it is now a
> .vbe extension file and it appears to be working when running it manually.
> My question is, what would be the most effective way to run this on client
> PC's:
>
> - Call to it "password.vbe" from logon script.
> - Group Policy start up script (Computer Configuration -> Windows
> Settings -> Scripts -> Startup).
> - SMS 2003 package.
> - Other options?
>
> Appreciate and advice. Thanks.
>
>
>

Thanks for your advice Baboon. I would assume though that our DC's would
then need to be running 2008, correct? Unfortunately we are not planning to
upgrade our domain until next year if this is the case.

From what I can see there is an update available CSE update for both XP and
Server 2003 so possibly this can be done without needing 2008 DC's? If we
can do this with our existing 2003 domain that would be great. Please let me
know more about this.

Update:

I found the below which states that you can change the local account
passwords and add/remove users from groups. If we can do this it would be
great as it would allow us to add some of our administrative groups to the
local adminstrator group on the client PC's.

http://www.windowsecurity.com/articl...008-Part3.html




"Baboon" <baboon@news.postalias> wrote in message
news:1A1A0442-116D-4263-9A6B-E9F7245059C7@microsoft.com...
> Are you aware of the new Group Policy Preference settings?
>
> You can change the local Admininstrator password very easily through GPMC
> for all computers in the desired scope of management. We have started
> using
> this in my organization and it has worked like a charm. You would just
> need
> to make sure all the XP machines have the Windows 2008 Client Side
> Extensions
> installed, either via Windows Update or a startup script (ironically). We
> are using a startup script so that we can be certain the CSEs are getting
> installed. I'll find the site from which I obtained the script if you
> need
> it.
>
> "Barkley Bees" wrote:
>
>> Hi all, I have a simple script I want to run on all client PC's (all
>> clients
>> are XP Pro) in our 2003 Active Directory. It will be used to change the
>> local admin password for all PC's in our single domain Active Directory:
>>
>> ----------------------------------------------------------
>> Set WshShell = WScript.CreateObject("WScript.Shell")
>> WSHShell.Run "Net User administrator password
>> Set WSHShell = Nothing
>> ----------------------------------------------------------
>>
>> *note: "password" is replaced by the actual password we will be using in
>> the
>> encoded script.
>>
>> I have encoded it using Microsoft's Windows Script Encoder so it is now a
>> ..vbe extension file and it appears to be working when running it
>> manually.
>> My question is, what would be the most effective way to run this on
>> client
>> PC's:
>>
>> - Call to it "password.vbe" from logon script.
>> - Group Policy start up script (Computer Configuration -> Windows
>> Settings -> Scripts -> Startup).
>> - SMS 2003 package.
>> - Other options?
>>
>> Appreciate and advice. Thanks.
>>
>>
>>
>>

Howdie!

Barkley Bees wrote:
> From what I can see there is an update available CSE update for both XP and
> Server 2003 so possibly this can be done without needing 2008 DC's? If we
> can do this with our existing 2003 domain that would be great. Please let me
> know more about this.

Yah, you can do that. All you need is a Windows Vista machine with RSAT
(Remote Server Administration Toolkit) installed. Also, the CSEs must be
installed on the target/client machines, that's all.

> I found the below which states that you can change the local account
> passwords and add/remove users from groups. If we can do this it would be
> great as it would allow us to add some of our administrative groups to the
> local adminstrator group on the client PC's.
>
> http://www.windowsecurity.com/articl...008-Part3.html

The article is correct, you can do that with exact that functionality in
Preferences.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:efvlw9V7IHA.4864@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> Barkley Bees wrote:
>> From what I can see there is an update available CSE update for both XP
>> and Server 2003 so possibly this can be done without needing 2008 DC's?
>> If we can do this with our existing 2003 domain that would be great.
>> Please let me know more about this.
>
> Yah, you can do that. All you need is a Windows Vista machine with RSAT
> (Remote Server Administration Toolkit) installed. Also, the CSEs must be
> installed on the target/client machines, that's all.
>
>> I found the below which states that you can change the local account
>> passwords and add/remove users from groups. If we can do this it would be
>> great as it would allow us to add some of our administrative groups to
>> the local adminstrator group on the client PC's.
>>
>> http://www.windowsecurity.com/articl...008-Part3.html
>
> The article is correct, you can do that with exact that functionality in
> Preferences.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Thanks for the clarification Florian! This sounds fantastic. How big of an
ordeal is this in terms of integrating into an existing domain with existing
Group Policies? Is it is simple as it sounds:

- install KB943729 to Server 2003 DC's.
- configure new Group Policy preferences from Vista client PC w/ RSAT
installed or 2008 member server.
- install KB943729 to all client machines (via script, SMS or WSUS when it
becomes available).

Does Microsoft have any whitepaper information on this? The "Group Policy
Preferences" doc was quite informative and tantalizing.
http://www.microsoft.com/downloads/d...displaylang=en

Howdie!

Barkley Bees wrote:
> Thanks for the clarification Florian! This sounds fantastic. How big of an
> ordeal is this in terms of integrating into an existing domain with existing
> Group Policies? Is it is simple as it sounds:
>
> - install KB943729 to Server 2003 DC's.
> - configure new Group Policy preferences from Vista client PC w/ RSAT
> installed or 2008 member server.
> - install KB943729 to all client machines (via script, SMS or WSUS when it
> becomes available).

Yes, those steps seem sufficient to me. You can summarize it to two
steps: Install the CSEs on the clients and set up a management station
with Vista w/ RSAT or 2008. That's all.

For the CSE installation a few things:
- there's no MSI file to install Preference-CSEs :-( (that sucks as you
could have simply deployed it with Software installation). So it's
scripting time or WSUS deployment need.
- Windows Server 2008 already has those CSEs on board. No need to update
those.
- There's no Preference-CSE pack for Windows 2000. That's not supported.

> Does Microsoft have any whitepaper information on this? The "Group Policy
> Preferences" doc was quite informative and tantalizing.
> http://www.microsoft.com/downloads/d...displaylang=en

Hum, there's no whitepaper on setting up clients for preference-use
afaik. Preference-docs are rare these days. Maybe you can find use in
the Preference FAQ:
http://technet2.microsoft.com/window...rencesfaq.mspx

The Group Policy Survival Guide might also provide you some links to
further information on this ( - tape it to your wall! :-)

http://download.microsoft.com/downlo...al%20Guide.pdf

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

I have been using the script which can be dowloaded from the link on this page:
http://heidelbergit.blogspot.com/200...g-startup.html

I first found out about the script from Rytis's post to this thread:
http://www.microsoft.com/communities...5-fc97c79b3bb3

I went with that script as a machine startup script instead of relying on
WSUS or MS Update because of the XML Lite prerequesite, and because it seemed
in testing that some machines that needed the CSEs weren't getting them, even
when pointing to a WSUS server that had them approved appropriately.

That said, it seems that the recently (last two weeks or so) released
versions of the CSEs are now getting installed via WSUS on machines that
weren't getting them before. Maybe someone can confirm that?

Hope this helps.


"Barkley Bees" wrote:

>
> "Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
> message news:efvlw9V7IHA.4864@TK2MSFTNGP06.phx.gbl...
> > Howdie!
> >
> > Barkley Bees wrote:
> >> From what I can see there is an update available CSE update for both XP
> >> and Server 2003 so possibly this can be done without needing 2008 DC's?
> >> If we can do this with our existing 2003 domain that would be great.
> >> Please let me know more about this.
> >
> > Yah, you can do that. All you need is a Windows Vista machine with RSAT
> > (Remote Server Administration Toolkit) installed. Also, the CSEs must be
> > installed on the target/client machines, that's all.
> >
> >> I found the below which states that you can change the local account
> >> passwords and add/remove users from groups. If we can do this it would be
> >> great as it would allow us to add some of our administrative groups to
> >> the local adminstrator group on the client PC's.
> >>
> >> http://www.windowsecurity.com/articl...008-Part3.html
> >
> > The article is correct, you can do that with exact that functionality in
> > Preferences.
> >
> > cheers,
> >
> > Florian
> > --
> > Microsoft MVP - Group Policy
> > eMail: prename [at] frickelsoft [dot] net.
> > blog: http://www.frickelsoft.net/blog.
> > Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
>
> Thanks for the clarification Florian! This sounds fantastic. How big of an
> ordeal is this in terms of integrating into an existing domain with existing
> Group Policies? Is it is simple as it sounds:
>
> - install KB943729 to Server 2003 DC's.
> - configure new Group Policy preferences from Vista client PC w/ RSAT
> installed or 2008 member server.
> - install KB943729 to all client machines (via script, SMS or WSUS when it
> becomes available).
>
> Does Microsoft have any whitepaper information on this? The "Group Policy
> Preferences" doc was quite informative and tantalizing.
> http://www.microsoft.com/downloads/d...displaylang=en
>
>
>
>
>
>
>

Hey Barkley...

I would recommend you look at the solution that was developed to address any
type of security efforts for local administrator passwords -
www.autocipher.com.

This is an agentless password management solution that I've used in the past
.....works like a charm.

Regards,
Matt

"Barkley Bees" wrote:

> Hi all, I have a simple script I want to run on all client PC's (all clients
> are XP Pro) in our 2003 Active Directory. It will be used to change the
> local admin password for all PC's in our single domain Active Directory:
>
> ----------------------------------------------------------
> Set WshShell = WScript.CreateObject("WScript.Shell")
> WSHShell.Run "Net User administrator password
> Set WSHShell = Nothing
> ----------------------------------------------------------
>
> *note: "password" is replaced by the actual password we will be using in the
> encoded script.
>
> I have encoded it using Microsoft's Windows Script Encoder so it is now a
> ..vbe extension file and it appears to be working when running it manually.
> My question is, what would be the most effective way to run this on client
> PC's:
>
> - Call to it "password.vbe" from logon script.
> - Group Policy start up script (Computer Configuration -> Windows
> Settings -> Scripts -> Startup).
> - SMS 2003 package.
> - Other options?
>
> Appreciate and advice. Thanks.
>
>
>
>