Tech Line

Automating Local Admin Password Changes -- Readers Weigh In

Need to change local administrator passwords across your domain? Here are a few more ways to get it done.

After reading my column, "Local Admin Password Problem," a couple of readers contacted me with their own solutions to automating password changes. These solutions are far too good for me to keep to myself, so I thought that I would pass them along.

The first solution came from Kurt Hudson, who offers a very nice VB application that allows you to remotely change local administrator passwords across your domain. You can download his tool by navigating to his Network Utilities page. Just scroll down until you find the Domain Admin Password Changer and you’ll see a link to download the tool.

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:editor@mcpmag.com; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

What’s nice about Kurt's solution tool is that it’s very easy to use. You just enter the domain name, local admin account name and the new password. Then hit the Change Password button and you’re on your way. The password changer will query Active Directory for computer objects and attempt to change the local administrator password of each queried object. When finished, the tool will display both successes and failures (see Fig. 1). The tool will also allow you to reattempt to change the passwords of the failed computers with the click of a button. Since the tool allows you to enter the login name of the local admin account, it has no problem working in shops that have renamed their administrator account.

Thanks, Kurt, for developing and sharing this excellent tool.

Another reader, Mark MacLachlan, donated some of his scripting knowledge. Mark is a Technical Account Manager with Microsoft and an all-around scripting guru.

Mark offer two scripts that can be used to reset local administrator passwords within a domain. Here's the first one:

'================================================================
'
' NAME: EnumerateDomainComputers.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 5/20/2004
'
' COMMENT: generates a list of domain computers
' MODIFICATIONS: Added support to automatically find the Domain
' NetBIOS Name
'================================================================

Dim objIADsContainer ' ActiveDs.IADsDomain - '
Container object
Dim objIADsComputer ' ActiveDs.IADsComputer
Dim Partition, Partitions
Set Partitions = &_
GetObject("LDAP://CN=Partitions,CN=Configuration," & _
GetObject("LDAP://RootDSE").Get("DefaultNamingContext"))
On Error Resume Next
For Each Partition In Partitions
strDomain = Partition.Get("nETBIOSName")
If Err.Number = 0 then Exit For
Next
Set Partitions = Nothing

' connect to the computer.
Set objIADsContainer = GetObject("WinNT://" & strDomain)

' set the filter to retrieve only objects of class Computer
objIADsContainer.Filter = Array("Computer")

For Each objIADsComputer In objIADsContainer
report = report & objIADsComputer.Name & vbCrLf
Next

Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.CreateTextFile ("wslist.txt", ForWriting)
ts.write report

Set fso = Nothing
Set objIADsComputer = Nothing
Set objIADsContainer = Nothing

MsgBox "Done"

This script creates a file named "wslist.txt" that contains all computer accounts in the domain. Now to reset the local administrator password, you need to run this script:

'================================================================
'
' NAME: resetAdminPasswordsonPC.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 3/23/2004
'
' COMMENT: Resets the local admin password on domain computers.
' Requires a list of workstation names called wslist.txt.
'
' This and many more scripts available in the Admin Script
' Pack by The Spiders Parlor
' http://www.thespidersparlor.com/vbscript
'================================================================

On Error Resume Next

Dim oFSO, oFailureReport, oSuccessReport, oTextStream, oAdminID
Dim RemotePC, strComputerName
const adminAccount = "Administrator"
const adminPassword = "P@ssw0rd"

set oFSO=CreateObject("Scripting.FileSystemObject")

If Not oFSO.FolderExists("c:\scripts\lists") Then
oFSO.CreateFolder("c:\scripts")
oFSO.CreateFolder("c:\scripts\lists")
End If

If oFSO.FileExists("c:\scripts\lists\failed.txt") Then
oFSO.DeleteFile("c:\scripts\lists\failed.txt")
End If

If oFSO.FileExists("c:\scripts\lists\success.txt") Then
oFSO.DeleteFile("c:\scripts\lists\success.txt")
End If

set oFailureReport= _
oFSO.createtextfile("c:\scripts\lists\failed.txt")
set oSuccessReport= _
oFSO.createtextfile("c:\scripts\lists\success.txt")

'open the data file
Set oTextStream = oFSO.OpenTextFile("wslist.txt")
'make an array from the data file
RemotePC = Split(oTextStream.ReadAll, vbNewLine)
'close the data file
oTextStream.Close

For Each strComputername In RemotePC
'Goto the local Admin account of the machine
set oAdminID = GetObject("WinNT://" & strComputername & _
"/" & adminAccount & ",user")
'Check for error and record in case of failed attempt
If Err Then
ReportError()
Err.Clear
Else
oAdminID.SetPassword adminPassword
oAdminID.SetInfo
oSuccessReport.WriteLine strComputername & _
" Admin Password was reset."
End If
Next

'Close all open files
oFailureReport.close
oSuccessReport.close

'Present yourself a message so you'll know its finished
msgbox "Done"

set oFSO = nothing
set oAdminID = Nothing
set oTextStream = nothing
set oSuccessReport = nothing
set oFailureReport = nothing

Sub ReportError()
oFailureReport.WriteLine strComputername & _
" could not be reset. Check that it is powered on." & _
Err.Number
End Sub

I made one small edit to Mark’s script with the intention of making editing easier. On lines 16-17, you will see two constants: adminAccount and adminPassword. The adminAccount constant should equal the name of the administrator account, which by default is "administrator." You should modify the adminPassword constant to specify your desired new password. Of course, you would want to encrypt the script in order to protect the password stored in the script.

One other way to pass the password into the script would be to use the InputBox function. For example, you could do this by using the InputBox function in the line:

const adminPassword = "P@ssw0rd"

To use InputBox to have the administrator enter the password at the time the script is run, replace the "constant adminPassword..." line with:

adminPassword = InputBox("Enter the New Password","New Password",, 100, 100)

Now you’ll get a popup box that prompts for the password when the script executes.

Figure 1. Sample output from the Domain Admin Account Password Changer after I ran it in my lab environment.

So, as you can see, there are plenty of ways to tackle the problem of local administrator password resets. Hopefully, you’ll find Kurt Hudson’s program and Mark MacLachlan’s scripts as useful as I have.

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.