Tech Line
Automating Local Admin Password Changes -- Readers Weigh In
Need to change local administrator passwords across your domain? Here are a few more ways to get it done.
After reading my column, "Local Admin Password Problem," a couple of readers contacted me with their own solutions to automating password changes. These solutions are far too good for me to keep to myself, so I thought that I would pass them along.
The first solution came from Kurt Hudson, who offers a very nice VB application that allows you to remotely change local administrator passwords across your domain. You can download his tool by navigating to his Network Utilities page. Just scroll down until you find the Domain Admin Password Changer and you’ll see a link to download the tool.
What’s nice about Kurt's tool is that it’s very easy to use. You just enter the domain name, local admin account name and the new password. Then hit the Change Password button and you’re on your way. The password changer will query Active Directory for computer objects and attempt to change the local administrator password of each queried object. When finished, the tool will display both successes and failures (see Fig. 1). The tool will also allow you to reattempt to change the passwords of the failed computers with the click of a button. Since the tool allows you to enter the login name of the local admin account, it has no problem working in shops that have renamed their administrator account.
Thanks, Kurt, for developing and sharing this excellent tool.
Another reader, Mark MacLachlan, donated some of his scripting knowledge. Mark is a Technical Account Manager with Microsoft and an all-around scripting guru.
Mark offers two scripts that can be used to reset local administrator passwords within a domain. Here's the first one:
'================================================================
'
' NAME: EnumerateDomainComputers.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 5/20/2004
'
' COMMENT: generates a list of domain computers
' MODIFICATIONS: Added support to automatically find the Domain
' NetBIOS Name
'================================================================
Dim objIADsContainer ' ActiveDs.IADsDomain - Container object
Dim objIADsComputer  ' ActiveDs.IADsComputer
Dim Partition, Partitions
Dim strDomain, report, fso, ts

Set Partitions = _
    GetObject("LDAP://CN=Partitions,CN=Configuration," & _
    GetObject("LDAP://RootDSE").Get("DefaultNamingContext"))

' walk the partitions until one returns a NetBIOS name
On Error Resume Next
For Each Partition In Partitions
    Err.Clear ' do not carry an error over from the previous partition
    strDomain = Partition.Get("nETBIOSName")
    If Err.Number = 0 Then Exit For
Next
On Error GoTo 0 ' from here on, stop on errors instead of hiding them
Set Partitions = Nothing

' connect to the domain.
Set objIADsContainer = GetObject("WinNT://" & strDomain)
' set the filter to retrieve only objects of class Computer
objIADsContainer.Filter = Array("Computer")
For Each objIADsComputer In objIADsContainer
    report = report & objIADsComputer.Name & vbCrLf
Next

' write the list, overwriting any wslist.txt left from an earlier run
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.CreateTextFile("wslist.txt", True)
ts.Write report
ts.Close

Set ts = Nothing
Set fso = Nothing
Set objIADsComputer = Nothing
Set objIADsContainer = Nothing
MsgBox "Done"
This script creates a file named "wslist.txt" that contains all computer accounts in the domain. Now to reset the local administrator password, you need to run this script:
'================================================================
'
' NAME: resetAdminPasswordsonPC.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 3/23/2004
'
' COMMENT: Resets the local admin password on domain computers.
' Requires a list of workstation names called wslist.txt.
'
' This and many more scripts available in the Admin Script
' Pack by The Spiders Parlor
' http://www.thespidersparlor.com/vbscript
'================================================================
Const adminAccount = "Administrator"
Const adminPassword = "P@ssw0rd"
On Error Resume Next
Dim oFSO, oFailureReport, oSuccessReport, oTextStream, oAdminID
Dim RemotePC, strComputerName

Set oFSO = CreateObject("Scripting.FileSystemObject")
'Create the report folders if they are missing
If Not oFSO.FolderExists("c:\scripts") Then
    oFSO.CreateFolder("c:\scripts")
End If
If Not oFSO.FolderExists("c:\scripts\lists") Then
    oFSO.CreateFolder("c:\scripts\lists")
End If
'Remove the reports from a previous run
If oFSO.FileExists("c:\scripts\lists\failed.txt") Then
    oFSO.DeleteFile("c:\scripts\lists\failed.txt")
End If
If oFSO.FileExists("c:\scripts\lists\success.txt") Then
    oFSO.DeleteFile("c:\scripts\lists\success.txt")
End If
Set oFailureReport = _
    oFSO.CreateTextFile("c:\scripts\lists\failed.txt")
Set oSuccessReport = _
    oFSO.CreateTextFile("c:\scripts\lists\success.txt")

'open the data file
Set oTextStream = oFSO.OpenTextFile("wslist.txt")
'make an array from the data file
RemotePC = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close

For Each strComputerName In RemotePC
    'Skip blank lines, such as the one at the end of wslist.txt
    If Trim(strComputerName) <> "" Then
        Err.Clear
        'Go to the local Admin account of the machine
        Set oAdminID = GetObject("WinNT://" & strComputerName & _
            "/" & adminAccount & ",user")
        'Only attempt the change if the account was found
        If Err.Number = 0 Then
            oAdminID.SetPassword adminPassword
            oAdminID.SetInfo
        End If
        'Record a failure from either the lookup or the change
        If Err.Number <> 0 Then
            ReportError strComputerName, Err.Number
            Err.Clear
        Else
            oSuccessReport.WriteLine strComputerName & _
                " Admin Password was reset."
        End If
    End If
Next

'Close all open files
oFailureReport.Close
oSuccessReport.Close
'Present yourself a message so you'll know it's finished
MsgBox "Done"
Set oFSO = Nothing
Set oAdminID = Nothing
Set oTextStream = Nothing
Set oSuccessReport = Nothing
Set oFailureReport = Nothing

'Write one failed computer and its error number to failed.txt
Sub ReportError(sComputer, nError)
    oFailureReport.WriteLine sComputer & _
        " could not be reset. Check that it is powered on. Error " & _
        nError
End Sub
I made one small edit to Mark’s script with the intention of making editing easier. On lines 16-17, you will see two constants: adminAccount and adminPassword. The adminAccount constant should equal the name of the administrator account, which by default is "administrator." You should modify the adminPassword constant to specify your desired new password. Of course, you would want to encrypt the script in order to protect the password stored in the script.
Another way to pass the password into the script is to use the InputBox function in place of the line:
const adminPassword = "P@ssw0rd"
To have the administrator enter the password at the time the script is run, replace the "const adminPassword..." line with:
adminPassword = InputBox("Enter the New Password","New Password",, 100, 100)
Now you’ll get a popup box that prompts for the password when the script executes.
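InputBox displays the password as it is typed. The following is an added example, not part of Mark's scripts or the original column, showing the same reset loop in PowerShell with a masked, confirmed prompt and a per-computer check of the account's PasswordAge. It assumes wslist.txt is in the current directory; the success.csv and failed.csv file names are placeholders chosen for this example.

```powershell
# Added example, not part of Mark's scripts. Assumes wslist.txt (one computer
# name per line) is in the current directory; output file names are assumptions.
$adminAccount = 'Administrator'   # change if the account has been renamed
$listFile     = '.\wslist.txt'

# Convert a SecureString to plain text only for as long as it is needed.
function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

# Masked prompt, entered twice, so the password is never stored in the script.
$first  = Read-Host -Prompt 'New local admin password' -AsSecureString
$second = Read-Host -Prompt 'Confirm new password' -AsSecureString
$newPassword = ConvertTo-PlainText $first
if ([string]::IsNullOrEmpty($newPassword) -or
    $newPassword -cne (ConvertTo-PlainText $second)) {
    throw 'Passwords are empty or do not match; nothing was changed.'
}

$results = foreach ($line in Get-Content -Path $listFile) {
    $computer = $line.Trim()
    if (-not $computer) { continue }   # skip blank lines in the list
    try {
        $user = [ADSI]"WinNT://$computer/$adminAccount,user"
        $user.SetPassword($newPassword)
        # PasswordAge is the number of seconds since the last change; a small
        # value confirms that the reset took effect on that machine.
        $user.psbase.RefreshCache()
        $age = [int]$user.PasswordAge.Value
        [pscustomobject]@{ Computer = $computer; Reset = $true
                           Detail = "PasswordAge=${age}s" }
    }
    catch {
        [pscustomobject]@{ Computer = $computer; Reset = $false
                           Detail = $_.Exception.Message }
    }
}

# The reports hold computer names and status only, never the password.
$results | Where-Object { $_.Reset }      | Export-Csv .\success.csv -NoTypeInformation
$results | Where-Object { -not $_.Reset } | Export-Csv .\failed.csv -NoTypeInformation
$results | Format-Table -AutoSize
```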
Figure 1. Sample output from the Domain Admin Account Password Changer after I ran it in my lab environment.
So, as you can see, there are plenty of ways to tackle the problem of local administrator password resets. Hopefully, you’ll find Kurt Hudson’s program and Mark MacLachlan’s scripts as useful as I have.