Tech Line
Switch to "Plan B"
Make quick work of resetting local administrator passwords on all computers in a single OU or across a domain.
Chris: I'd like to change local admin passwords using the script
from “Automating Local Admin Password Changes -- Readers Weigh In,”
but I want to change them on computers in a particular OU.
I have been using the following script, and it works well, but it gives
me no success/failure indications, as in the
script from Mr. MacLachlan, The Spider's Parlor:
------------------------------------------------------
Set objOU = GetObject("LDAP://OU=Managed Servers, DC=my, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
strComputer = objItem.CN
Set objUser = GetObject("WinNT://" & strComputer & _
"/administrator")
objUser.SetPassword("MySecretPa$$w0rd")
Next
------------------------------------------------------
Can you help adapt the two scripts? That would be most helpful, as we
use different local admin passwords for each OU and even though the boxes
are supposed to be left on, that's not always the case. This would greatly
aid in the 60-day password requirements we have. Many thanks in advance.
-- Rick
Rick, it’s never much fun when things don’t fully meet expectations.
Last night, for example, my wife cooked a dish that smelled really good.
Upon taking a bite, my four-year-old son stated, “Well, it smells
good, but it doesn’t taste good!” Fortunately my wife laughed
and we instituted Plan B for dinner: Chinese takeout.
In your case, Plan B is a revamped script based on Mark MacLachlan’s
resetAdminPasswordsonPC.vbs script. Here is the new script, capable of
resetting local administrator account passwords for computers in a single
OU or in an entire domain:
'resetpasswords.vbs
On Error Resume Next

' collect script info
' admin account name
wscript.stdout.write "Enter the Administrator account name: "
adminAccount = Wscript.StdIn.ReadLine

' admin account password (ScriptPW masks the typed input)
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Enter the new Administrator password:"
adminPassword = objPassword.GetPassword()

' DN of OU or Domain
wscript.stdout.writeline()
wscript.stdout.writeline()
wscript.stdout.writeline "Enter the Distinguished Name of " & _
    "the OU"
wscript.stdout.write "(Example: ou=staff,dc=mcpmag,dc=com): "
strDN = Wscript.StdIn.ReadLine

' create output log files
set oFSO=CreateObject("Scripting.FileSystemObject")
' create each folder only if it is missing, so an existing
' c:\scripts does not raise an error
If Not oFSO.FolderExists("c:\scripts") Then
    oFSO.CreateFolder("c:\scripts")
End If
If Not oFSO.FolderExists("c:\scripts\lists") Then
    oFSO.CreateFolder("c:\scripts\lists")
End If
If oFSO.FileExists("c:\scripts\lists\failed.txt") Then
    oFSO.DeleteFile("c:\scripts\lists\failed.txt")
End If
If oFSO.FileExists("c:\scripts\lists\success.txt") Then
    oFSO.DeleteFile("c:\scripts\lists\success.txt")
End If
set oFailureReport= _
    oFSO.createtextfile("c:\scripts\lists\failed.txt")
set oSuccessReport= _
    oFSO.createtextfile("c:\scripts\lists\success.txt")

' Connect to OU and collect computer accounts
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://" & _
    strDN & "' WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Err.Clear
Set objRecordSet = objCommand.Execute
' stop here if the query failed (for example, a mistyped DN);
' otherwise the loop below would run without a valid record set
If Err.Number <> 0 Then
    wscript.echo "Could not query " & strDN & ". Error: " & Err.Number
    wscript.quit 1
End If
objRecordSet.MoveFirst

' Output computer accounts, connect to each
' computer, and reset admin password
Do Until objRecordSet.EOF
    strComputer = objRecordSet.Fields("Name").Value
    ' discard any error left over from an earlier statement
    Err.Clear
    ' connect to computer
    set oAdminID = GetObject("WinNT://" & strComputer & _
        "/" & adminAccount & ",user")
    ' only attempt the reset if the connection succeeded
    If Err.Number = 0 Then
        oAdminID.SetPassword adminPassword
        oAdminID.SetInfo
    End If
    ' Check for error (connection or password change) and
    ' record in case of failed attempt
    If Err.Number <> 0 Then
        ReportError
        Err.Clear
    Else
        oSuccessReport.WriteLine strComputer & _
            " Admin Password was reset."
    End If
    objRecordset.MoveNext
Loop

'Close all open files
oFailureReport.close
oSuccessReport.close

'Present yourself a message so you'll know it's finished
wscript.echo()
wscript.echo("Password reset complete!")
wscript.echo("Please view the C:\scripts\lists\failed.txt")
wscript.echo("and c:\scripts\lists\success.txt files")
wscript.echo("to confirm that all passwords were")
wscript.echo("successfully reset.")

Sub ReportError()
    oFailureReport.WriteLine strComputer & _
        " could not be reset. Check that it is powered on." & _
        " Error: " & Err.Number
End Sub
Note that you can also download the script from my Web site. The script
uses the standard output stream feature, which will only execute under
cscript. So to run the script, you will need to copy it to a directory on
your system and ensure that it has the .vbs extension. Then, you will
need to open a command prompt, navigate to the folder containing the script
and run the command:
cscript resetpasswords.vbs
When the script runs, it will first prompt you for the local administrator
account name, which by default is “administrator.” Next, you
will be prompted for the new administrator account password. The text
you enter will be masked, so the cursor will not move and the password
that you enter will not display on the screen.
To mask the password, the script takes advantage of the ScriptPW COM
object. ScriptPW is loaded by default on Windows XP and Windows 2003.
If you’re running Windows 2000 or Windows Vista, you will need to
copy the scriptpw.dll file from the Windows\System32 folder of an XP
or Windows 2003 system to the Winnt\System32 or Windows\System32 folder
on your Windows 2000 or Vista system. Once the DLL has been copied, you
will need to register it by running the command:
regsvr32 scriptpw.dll
To successfully register the DLL on a Vista machine, you will need to
open the command prompt as administrator. To do this, click Start | All
Programs | Accessories. Then right-click on the Command Prompt shortcut
and select “Run as administrator.” Once at the command prompt
as administrator, you’ll be able to successfully run the regsvr32
scriptpw.dll command to register the DLL.
Now that I’ve covered how the new password is collected, I’ll
get on to describing the remainder of the script. After the new password
is entered, you will be prompted to enter the distinguished name of the
OU containing the computers whose passwords you wish to reset. For example,
for the Development OU in the MCPmag.com domain, you would enter ou=development,dc=mcpmag,dc=com.
You could also use the script to reset the local administrator password
of all computers in the mcpmag.com domain by entering the distinguished
name dc=mcpmag,dc=com.
Now that the script has all of the needed information, it will query
Active Directory to collect a list of all computer accounts in the target
OU, and then attempt to connect to each computer and reset its local administrator
password. The script will output the results of its actions to the c:\scripts\lists\failed.txt
and c:\scripts\lists\success.txt files.
Here is a sample of the script’s execution:
C:\scripts>cscript resetpasswords.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Enter the Administrator account name: administrator
Enter the new Administrator password:
Enter the Distinguished Name of the OU
(Example: ou=staff,dc=mcpmag,dc=com): ou=development,dc=mcpmag,dc=com
Password reset complete!
Please view the C:\scripts\lists\failures.txt
and c:\scripts\lists\success.txt files
to confirm that all passwords were
successfully reset.
C:\scripts>
Hopefully this script will make your password management challenge a
little easier.
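Because computers that were powered off end up in c:\scripts\lists\failed.txt, a second pass over just that list is the natural follow-up. The script below is an added example, not part of the original column or of Mark MacLachlan's script; the names retryfailed.vbs and stillfailed.txt are hypothetical, and it assumes each line of failed.txt begins with the computer name, as resetpasswords.vbs writes it.

```vbscript
' retryfailed.vbs - added example (hypothetical name); run with cscript
Option Explicit
Const FAILED_LIST = "c:\scripts\lists\failed.txt"
Const STILL_FAILED = "c:\scripts\lists\stillfailed.txt" ' hypothetical name
Const ForReading = 1
Dim oFSO, oIn, oOut, objPassword, adminAccount, adminPassword
Dim strLine, strComputer, oAdminID, nRetried, nFailed

Set oFSO = CreateObject("Scripting.FileSystemObject")
If Not oFSO.FileExists(FAILED_LIST) Then
    WScript.Echo "No " & FAILED_LIST & " found; nothing to retry."
    WScript.Quit 0
End If

WScript.StdOut.Write "Enter the Administrator account name: "
adminAccount = WScript.StdIn.ReadLine
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Enter the new Administrator password:"
adminPassword = objPassword.GetPassword()
WScript.StdOut.WriteLine

Set oIn = oFSO.OpenTextFile(FAILED_LIST, ForReading)
Set oOut = oFSO.CreateTextFile(STILL_FAILED, True)
nRetried = 0 : nFailed = 0
Do Until oIn.AtEndOfStream
    strLine = Trim(oIn.ReadLine)
    If InStr(strLine, " ") > 0 Then
        ' the computer name is the first token of each failed.txt line
        strComputer = Left(strLine, InStr(strLine, " ") - 1)
        nRetried = nRetried + 1
        Set oAdminID = Nothing
        On Error Resume Next
        Set oAdminID = GetObject("WinNT://" & strComputer & "/" & _
            adminAccount & ",user")
        If Err.Number = 0 Then oAdminID.SetPassword adminPassword
        If Err.Number <> 0 Then
            nFailed = nFailed + 1
            oOut.WriteLine strComputer & " still failed. Error: 0x" & Hex(Err.Number)
        End If
        On Error GoTo 0
    End If
Loop
oIn.Close : oOut.Close
WScript.Echo nRetried & " retried, " & nFailed & " still failing (see " & STILL_FAILED & ")"
```

Run it before the next full run of resetpasswords.vbs, which deletes and recreates failed.txt.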