Change the local administrator password on LOTS of domain machines.
Written by Karl L. Gechlik | AskTheAdmin.com on April 11, 2008 – 12:38 pm
Due to a changing of the guard (firing of a junior admin) I am now required to change the local administrator account password on almost 400 XP Pro SP2 Machines today. Oh joy!
Normally I would just open my MMC console, connect to each machine and change it… But not on 400 machines, that’s just crazy!
Crazy and a good reason for our scripting lesson today. You do not have to know anything about scripting to get this done. I know a lot of you are sighing with relief. The task is pretty simple if you have the right tools and knowledge. Because knowledge is half the battle (thanks G.I. Joe!)
I snagged a Visual Basic Script file which allowed me to complete the task in under a half hour. I just had to create a text file with the NetBIOS computer names of each machine I wanted to change the password on, then run one command.
So while I am looking busy today my work is already done and I am off to get my Snood beta on! This little script is going to come in handy!
I ran into a few issues. As usual! Obviously if one of the computers is not up on the network or even powered off this little script will stop.
To have the script run successfully on 400 computers I watched the script halt about 25 times. At that point I would delete the completed computers' and the unavailable machines' names from the text file and start it again.
Still saved me a ton of time though. Of course you have to run this as a domain user which has administrative rights on domain computers.
USAGE:
cscript local_admin_chpw.vbs password input.txt

'==========================================================================
'
' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 3.1
'
' NAME: Local Admin Change Password
'
' AUTHOR: Kirrilian
' Date : 2/22/2005
'
' COMMENT:
' usage: cscript local_admin_chpw.vbs password input.txt
' the input file should be a list of machines you want to change the
' password on. One hostname per line.
'==========================================================================

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
Set objArgs = WScript.Arguments.Unnamed

'InputFile = "C:\input.txt"
MyDate = Replace(Date, "/", "-")
OutputFile = "C:\output-" & MyDate & ".txt"

' Exactly two arguments are required: the new password and the host list.
If objArgs.Count = 2 Then
    password = WScript.Arguments.Item(0)
    InputFile = WScript.Arguments.Item(1)
    If fso.FileExists(InputFile) Then
        Set txtStreamIn = fso.OpenTextFile(InputFile)
        Set txtStreamOut = fso.OpenTextFile(OutputFile, 2, True)
        Do While Not (txtStreamIn.AtEndOfStream)
            strComputer = txtStreamIn.ReadLine
            chpw strComputer, password
        Loop
    Else
        WScript.Echo "Input file doesnt exist."
        usage
    End If
Else
    usage
End If

Sub usage()
    WScript.Echo "Usage: cscript local_admin_chpw.vbs password input.txt"
    WScript.Echo "Passwords with special characters need quotes"
End Sub 'usage

' Writes a line to the console and to the output file.
Sub printOut (data)
    WScript.Echo data
    txtStreamOut.WriteLine data
End Sub 'printOut

' Sets the local Administrator password on one machine through the WinNT provider.
' There is no error handling: an unreachable machine raises a run-time error
' and the script stops.
Sub chpw (computer, password)
    Set objUser = GetObject("WinNT://" & computer & "/Administrator, user")
    ' Note: this line writes the new password in clear text to the console and to OutputFile.
    printOut "changing the password on " & computer & " to " & password
    ' Pass the password as given; extra quote characters here would become part of it.
    objUser.SetPassword password
    objUser.SetInfo
End Sub 'chpw
Just copy that script to a text file and name it Rename.vbs and name your text file input.txt and get to changing! I find it very important to keep those localAdmin passwords synced up and constantly changed for obvious reasons! How do you manage local admin passwords?
_TheFiringAdmiN_
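The halting on unreachable machines described in the post can be avoided by trapping the error per host. The following is an added example, not Kirrilian's script or code from the post: it uses the same WinNT:// calls, logs each host's result without the password, and collects failed hosts for a later run. The script name and the chpw-results.txt and retry.txt file names are assumptions.

```vbscript
' Added example, not Kirrilian's script. File names below are assumptions.
' usage: cscript chpw_resilient.vbs password input.txt
Option Explicit
Dim fso, inFile, logFile, retryFile, host, password, okCount, failCount
okCount = 0 : failCount = 0

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript chpw_resilient.vbs password input.txt"
    WScript.Quit 1
End If
password = WScript.Arguments.Item(0)

Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(WScript.Arguments.Item(1)) Then
    WScript.Echo "Input file doesn't exist."
    WScript.Quit 1
End If
Set inFile = fso.OpenTextFile(WScript.Arguments.Item(1), 1)     ' 1 = ForReading
Set logFile = fso.OpenTextFile("chpw-results.txt", 8, True)     ' 8 = ForAppending
Set retryFile = fso.OpenTextFile("retry.txt", 2, True)          ' 2 = ForWriting

Do While Not inFile.AtEndOfStream
    host = Trim(inFile.ReadLine)
    If host <> "" Then
        If SetAdminPassword(host, password) Then
            okCount = okCount + 1
        Else
            failCount = failCount + 1
            retryFile.WriteLine host    ' rename retry.txt and pass it to the next run
        End If
    End If
Loop
inFile.Close : logFile.Close : retryFile.Close
WScript.Echo okCount & " changed, " & failCount & " failed (see retry.txt)"

' Returns True on success. The password is never echoed or logged.
Function SetAdminPassword(computer, newPassword)
    Dim objUser, status
    On Error Resume Next    ' trap the error an unreachable machine raises
    Set objUser = GetObject("WinNT://" & computer & "/Administrator,user")
    If Err.Number = 0 Then objUser.SetPassword newPassword
    If Err.Number = 0 Then objUser.SetInfo
    SetAdminPassword = (Err.Number = 0)
    status = "OK"
    If Err.Number <> 0 Then status = "FAILED 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    On Error GoTo 0
    logFile.WriteLine Now & vbTab & computer & vbTab & status
End Function
```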
By El Di Pablo on Apr 11, 2008 | Reply
I had to do that a while back too (http://www.bauer-power.net/2007/09/changing-local...). I used pspasswd and a list of computers. The good thing about that is the script didn't halt if people's machines weren't turned on.
By Joe G. on Apr 11, 2008 | Reply
There is a script posted to Curtis Washington's site that handles failed machines by logging them, and can search your domain for machines to change passwords on based on their computer names (you can define the filter criteria). It changes the passwords to a random password that meets the criteria you define, and logs which machine got which password.
You can find it here: http://tinyurl.com/5n7nbr
I have used a modified version of this (I prefer the same administrator password on all workstations) for quite a while now, and it works great for me.
By Peter on Apr 11, 2008 | Reply
Was this the end result of the failed backup incident?
By pharcide on Apr 11, 2008 | Reply
Hey, I've done this before and I believe there is a much easier way. Just create a batch file, something like "net user administrator <newpass>" and put it in the GPO for computers under startup scripts. When the computers restart (which you can also do with some commands) the admin password will be changed. Let me know what you think. Now this might be a problem if you need it done immediately and can't restart everyone's computers ;)
By El Di Pablo on Apr 11, 2008 | Reply
The problem with that is the startup script is run as the user. If they don't have local admin rights this will not work.
By pharcide on Apr 11, 2008 | Reply
No, you put it in the computer start up scripts, not the user, therefore it does not have that problem.
By AskTheAdmin on Apr 11, 2008 | Reply
Wow! Someone is paying attention :)
Yeah when I confronted him he got all cocky and obnoxious. So he got the axe.
By pharcide on Apr 11, 2008 | Reply
as a "computer" startup script in the gop, the script executes when the COMPUTER starts up or shuts down. It executes in context of "Local System Account". so this occurs before the user logs in
By pharcide on Apr 11, 2008 | Reply
gpo*
By AskTheAdmin on Apr 11, 2008 | Reply
Nice. Pharcide and Joe G! Way to contribute.
By El Di Pablo on Apr 12, 2008 | Reply
Oh yes. I thought you were talking about the user startup script that maps their drives.
By BBRB on Sep 21, 2008 | Reply
Try using autocipher (www.autocipher.com). It will change the local administrator password on every machine to a unique value and make it available on-demand. This way no one knows the password on any machine.