AD Policy question ... 2

[OzCDN]

We would like to force a standardized password for the Local\Administrator account on all machines in an AD domain. Is there a policy (or registry hack) that will do this?

Alternatively, is there any way to force the creation of a local account through policy (or other global application method)?

Thanks,
Oz

 

[bcastner]

I am not sure how your are creating the new installations, as there are several options under unattended install and RIS to set the default value.

Slightly confused as to where you are and what you are trying to do, but I hope the following script helps:

admin_name.vbs

On Error Resume Next
Set DomOBj = GetObject("WinNT://Domain/Computer/Administrator, user")
DomObj.SetPassword "pswd"

"Domain" = your Domain name
"computer" = workstation name
"Administrator" = name of local Admin account
"psd" = "new password"

Push this through the logon script.

 

[bcastner]

admin_name.vbs

On Error Resume Next
Set DomOBj = GetObject("WinNT://Domain/"Computer"/Administrator, user")
DomObj.SetPassword "pswd"

I think ADSI will permit this syntax so that a computer name need not be specified; it will apply to the local workstation.

 

[OzCDN]

Thanks Bill ... this looks like it will do the trick (although I must admit that I am surprised to see the domain as part of the syntax). I'll test it out.

As for the deployment strategy ... some of the machines are 6+ years old ... the strategies have changed over time and we have a significant variety of local admin passwords (including a large batch of blanks ones from a more trusting time).

Oz

 

[bcastner]

Well, not quite.

See this more generic restatment:

http://www.microsoft.com/technet/community/scriptcenter/user/scrug74.mspx

 

[OzCDN]

Thanks again ... here is the code I ended up using. The two lines I added pick up the machine name from the registry.

I dropped the "on error" so that we can track any failures.

---------------------------------------

Set shell = CreateObject("WScript.Shell")
strComputer = shell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")

Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
objUser.SetPassword "newPassword"
objUser.SetInfo

 

[bcastner]

Looks good.

Thank you for the valuable ammendment.

Bill

 

[bofhrevenge2]

Hey guys

I'm considering using this method to change our local admin account passwords, can you tell me where the script is called from? If it's accessed at logon then surely users could also read it if they found the share location.

Also can you explain how does this script work as i can't see an old password, is this not required to set a new password or does it require the user to be an admin?

Thanks.

 

[bcastner]

. you can encode scripts to make them unreadable. See:

http://www.microsoft.com/downloads/...67-C447-4873-B1B0-21F0626A6329&displaylang=en

. the example above uses objUser.SetPassword and ADSI does not require the old password. This syntax does:

objUser.ChangePassword "old_password", "new_password

 

[bofhrevenge2]

Do you set this to run at station startup or at logon, if at logon what user privileges are required?

Cheers.

 

[OzCDN]

It has been a while since I implemented this.

I believe that it was done through logon script and I would assume that local admin privilidges were necessary.

 

[bcastner]

I would have done it at a central location using PSEXEC:

http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

or with native scripting using WSH remote administration features:

http://www.microsoft.com/technet/scriptcenter/scripts/templates/default.mspx

Or in a logon script with RUNAS.
You might benefit using the Forum member Greg Palmer's RUNAS wrapper for the script:

http://www.palmersoft.co.uk/runasuser.htm

 

[bofhrevenge2]

Thanks for your help guys, i did actually get a vb script to do the job but after looking on sysinternals i found an excellent util and it works like a charm so i think i'll stick with it.

http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml

Thanks again.