Switch to "Plan B"
Make quick work of resetting local administrator passwords on all computers in a single OU or across a domain.
I'd like to change local admin passwords using the script
Local Admin Password Changes -- Readers Weigh In
,” but I want
to change them on computers in a particular OU.
I have been using the following script, and it works well, but it gives
me no success/failure indications, as in the
script from Mr. MacLachlan, The Spider's Parlor:
Set objOU = GetObject("LDAP://OU=Managed Servers, DC=my, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
strComputer = objItem.CN
Set objUser = GetObject("WinNT://" & strComputer
Can you help adapt the two scripts? That would be most helpful, as we
use different local admin passwords for each OU and even though the boxes
are supposed to be left on, that's not always the case. This would greatly
aid in the 60-day password requirements we have. Many thanks in advance.
Rick, it’s never much fun when things don’t fully meet expectations.
Last night, for example, my wife cooked a dish that smelled really good.
Upon taking a bite, my four-year-old son stated, “Well, it smells
good, but it doesn’t taste good!” Fortunately my wife laughed
and we instituted Plan B for dinner: Chinese takeout.
In your case, Plan B is a revamped script based on Mark MacLachlan’s
resetAdminPasswordsonPC.vbs script. Here is the new script, capable of
resetting local administrator account passwords for computers in a single
OU or in an entire domain:
On Error Resume Next
' collect script info
' admin account name
wscript.stdout.write "Enter the Administrator account name: "
adminAccount = Wscript.StdIn.ReadLine
' admin account password
Set objPassword = CreateObject("ScriptPW.Password")
WScript.StdOut.Write "Enter the new Administrator password:"
adminPassword = objPassword.GetPassword()
' DN of OU or Domain
wscript.stdout.writeline "Enter the Distinguished Name of "
wscript.stdout.write "(Example: ou=staff,dc=mcpmag,dc=com): "
strDN = Wscript.StdIn.ReadLine
' create output log file
If Not oFSO.FolderExists("c:\scripts\lists") Then
set oFailureReport= _
set oSuccessReport= _
' Connect to OU and collect computer accounts
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"SELECT Name FROM 'LDAP://" & _
strDN & "' WHERE objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
' Output computer accounts, connect to each
' computer, and reset admin password
Do Until objRecordSet.EOF
strComputer = objRecordSet.Fields("Name").Value
' connect to computer
set oAdminID = GetObject("WinNT://" & strComputer
"/" & adminAccount & ",user")
'Check for error and record in case of failed attempt
If Err Then
oSuccessReport.WriteLine strComputer & _
" Admin Password was reset."
'Close all open files
'Present yourself a message so you'll know its finished
wscript.echo("Password reset complete!")
wscript.echo("Please view the C:\scripts\lists\failures.txt")
wscript.echo("and c:\scripts\lists\success.txt files")
wscript.echo("to confirm that all passwords were")
oFailureReport.WriteLine strComputer & _
" could not be reset. Check that it is powered on." & _
Note that you can also download the script from my
Web site. The script
uses the standard output stream feature, which will only execute under
cscript. So to run the script, you will need copy it to a directory on
your system and ensure that it has the .vbs extension. Then, you will
need to open a command prompt, navigate to the folder containing the script
and run the command:
When the script runs, it will first prompt you for the local administrator
account name, which by default is “administrator.” Next, you
will be prompted for the new administrator account password. The text
you enter will be masked, so the cursor will not move and the password
that you enter will not display on the screen.
To mask the password, the script takes advantage of the ScriptPW COM
object. ScriptPW is loaded by default on Windows XP and Windows 2003.
If you’re running Windows 2000 or Windows Vista, you will need to
copy the scriptpw.dll file from the Windows\System32 folder of an XP system,
or Windows 2003 system to the Winnt\System32 or Windows\System32 folder
on your Windows 2000 or Vista system. Once the DLL has been copied, you
will need to register it by running the command:
To successfully register the DLL on a Vista machine, you will need to
open the command prompt as administrator. To do this, click Start | All
Programs | Accessories. Then right-click on the Command Prompt shortcut
and select “Run as administrator.” Once at the command prompt
as administrator, you’ll be able to successfully run the regsvr32
scriptpw.dll command to register the DLL.
Now that I’ve covered how the new password is collected, I’ll
get on to describing the remainder of the script. After the new password
is entered, you will be prompted to enter the distinguished name of the
OU containing the computers whose passwords you wish to reset. For example,
for the Development OU in the MCPmag.com domain, you would enter ou=development,dc=mcpmag,dc=com.
You could also use the script to reset the local administrator password
of all computers in the mcpmag.com domain by entering the distinguished
Now that the script has all of the needed information, it will query
Active Directory to collect a list of all computer accounts in the target
OU, and then attempt to connect to each computer and reset its local administrator
password. The script will output the results of its actions to the c:\scripts\lists\failed.txt
and c:\scripts\lists\success.txt files.
Tech Help—Just An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at [email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
Here is a sample of the script’s execution:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Enter the Administrator account name: administrator
Enter the new Administrator password:
Enter the Distinguished Name of the OU
(Example: ou=staff,dc=mcpmag,dc=com): ou=development,dc=mcpmag,dc=com
Password reset complete!
Please view the C:\scripts\lists\failures.txt
and c:\scripts\lists\success.txt files
to confirm that all passwords were
Hopefully this script will make your password management challenge a