So we have had our local admin password get out due to the loose tongue of a colleague and I need to change it. Now going to a couple hundred machines is not my idea of a great way to spend the weekend. Does anyone have any ideas on a script that I can run on startup to change the password for the local administrator account? What I tried was
net user username password
as a batch file and put that in the startup scripts of my domain. It did not work though.
4 Spice ups
tim7139
(Tim7139)
March 25, 2011, 10:51am
2
You can set Local Admin Password in GP, that’s your easiest.
You can use a batch file and dos commands, VB script, or powershell from the server or from the local workstations.
tim7139
(Tim7139)
March 25, 2011, 10:52am
3
Another option would be PsPasswd from SysInternals:
You could try a GP (computer configuration), with a startup script that is in a bat file and goes like this
@ECHO OFF
Net user administrador xxxxxx
EXIT
You have to be careful with NTFS permissions over the bat file; that could be the problem you had the first time.
+1 for what Tim7139 said. Use Group Policy Preferences (if you can) to reset the local administrator password, it will affect every machine when next they refresh policies.
dsentelle
(David1618)
March 25, 2011, 11:19am
7
+1 to Tim. NOW I’ve got a reason to implement GPP. (Though that script in their posting appears to be all right without GPP.)
Just out of curiosity, how many people are actually still using local administrator on the computer? I used a batch file to disable the local administrator on every one of our computers since Domain Admins is already on the local admin group. Seemed to be a much better approach to me.
David Esteban2759 wrote:
You could try a GP (computer configuration), with a startup script that is in a bat file and goes like this
@ECHO OFF
Net user administrador xxxxxx
EXIT
You have to be careful with NTFS permissions over the bat file; that could be the problem you had the first time.
The only problem with this is you have that password stored on a network share that everyone has access to, in plain text. Granted you would have to know it’s there to look for it, but keep that in mind.
I will throw out my vote for GP.
Tim7139 wrote:
You can set Local Admin Password in GP, that’s your easiest.
You can use a batch file and dos commands, VB script, or powershell from the server or from the local workstations.
I seem to be overlooking the password in GP. I see where I can rename the admin account in the security options of the computer config, which I have done, but I have not found a set password entry. This is AD2k3 btw.
tim7139
(Tim7139)
March 25, 2011, 12:31pm
11
You have to keep reading the discussion for the 2003 GPO info; you will see “How to use Group Policy Preferences to change account Passwords – Group Policy Central”, which has the screenshots that should help you find the OU, but I don’t recommend changing other items they refer to or removing the policy, but to each their own.
Hi, My name is Mark, and I have an AD2K domain…
create a new GP, then edit it and go to:
Computer Configuration>Preferences>Control Panel Settings>Local Users and Groups
create a new entry by right-clicking, action: Update
Select Username (Administrator built-in)
fill out any fields (I only did password & confirm password) which show up as ***** and I believe are stored as a hash, or in any case NOT plain text and then click OK.
Assign the GP to your whole domain and that’s pretty much it.
The only thing you have to watch out for is that GPP is not built-in to XP, but there’s a Windows Update that installs it. I think it was called “Client Side Group Policy Preferences client” or something like that. It should be in your WSUS catalog already if you use it, or import it into whatever you use for patch management and ensure it’s on the machines before you push out the GPP policy.
This was a really good description of some of the stuff you can do with GPP:
Richard catches Alan Burchill while at Tech Ed New Zealand. Alan digs into the new Group Policy Preferences features introduced with Windows 7 and Windows Server 2008 R2 but available for XP, Vista, even Server 2000...
It was after listening to this podcast that I rolled up my sleeves and tried it out. There are some other shows in their archive with Jeremy Moskowitz, too about troubleshooting GPO and GPP.
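An added example, not part of any post in this thread: a PowerShell audit for the two places the posts above put the local administrator password, the `net user` batch file on a shared folder and the GPP Local Users and Groups item. It assumes the GPP item is saved as XML with the password in a `cpassword` attribute on `<Properties>`, which is reversibly encrypted rather than hashed and sits on SYSVOL where every domain user can read it; the function name `Find-ExposedLocalPassword` and the sample files are constructed for illustration.

```powershell
# Added example: audit a script share or SYSVOL copy for local-account passwords
# that any reader of the share can recover. Password values are never output.
function Find-ExposedLocalPassword {
    param([Parameter(Mandatory)][string]$Path)

    # "net user <account> <password>"; the account name may be quoted.
    $netUser = '^\s*@?\s*net(?:\.exe)?\s+user\s+("[^"]+"|\S+)\s+(\S+)'
    # A second token of "*" (interactive prompt) or "/switch" is not a password.
    $notPassword = '^(\*|/.*)$'

    foreach ($file in Get-ChildItem -Path $Path -Recurse -File) {
        if ($file.Extension -match '^\.(bat|cmd)$') {
            $n = 0
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                $n++
                if ($line -match $netUser) {
                    $account, $second = $Matches[1].Trim('"'), $Matches[2]
                    if ($second -notmatch $notPassword) {
                        [pscustomobject]@{ File = $file.FullName; Line = $n; Account = $account
                                           Finding = 'plaintext password in script' }
                    }
                }
            }
        }
        elseif ($file.Extension -eq '.xml') {
            # Assumption: GPP "Local Users and Groups" items keep the password
            # in a cpassword attribute on <Properties>.
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { continue }   # not well-formed XML: skip the file
            foreach ($p in $xml.SelectNodes('//Properties[@cpassword]')) {
                if (-not $p.GetAttribute('cpassword')) { continue }   # empty: no password set
                [pscustomobject]@{ File = $file.FullName; Line = $null
                                   Account = $p.GetAttribute('userName')
                                   Finding = 'GPP cpassword in policy XML' }
            }
        }
    }
}

# Constructed sample tree (not real policy data) so the function runs offline.
$root = Join-Path ([IO.Path]::GetTempPath()) ("pw-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -Path (Join-Path $root 'setpw.bat') -Value "@ECHO OFF`r`nNet user administrador xxxxxx`r`nEXIT"
Set-Content -Path (Join-Path $root 'Groups.xml') -Value ('<Groups><User name="Administrator (built-in)">' +
    '<Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/></User></Groups>')
Find-ExposedLocalPassword -Path $root | Format-List
Remove-Item -Recurse -Force $root
```

Point `-Path` at a copy of the scripts share or the domain's SYSVOL folder; any hit means the password should be treated as known to everyone who can read that location.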
Rusty4508 wrote:
Just out of curiosity, how many people are actually still using local administrator on the computer? I used a batch file to disable the local administrator on every one of our computers since Domain Admins is already on the local admin group. Seemed to be a much better approach to me.
What happens if for any number of reasons the computer is no longer on the domain with this option?
ah after re-reading this stuff I missed that GPP is something I need to have installed on my DC. I will look more into it.
David Esteban2759 wrote:
You could try a GP (computer configuration), with a startup script that is in a bat file and goes like this
@ECHO OFF
Net user administrador xxxxxx
EXIT
You have to be careful with NTFS permissions over the bat file; that could be the problem you had the first time.
This looks like my script minus the exit, and I went back and double-checked the permissions and it seems to be fine; they are the same as the 2 other login scripts that I have running and they all work.
Thanks guys I got it sorted out. And now I have a cool new side of the AD to look into. Thanks for that too.