
Thread: Reset Local Administrator Password on workstations

  1. #1
    Trammel

    Are you having to run around the workstations and change the local administrator password when someone leaves? Well you can do this from group policies. I found this information some time ago and can't remember where. So I can't take credit for this. Just started reading book two and now see that book 3 is available along with this web site.

    1. Create a global security group and add all of your computer accounts to it.

    2. Make a new GPO and call it Chgpwd or something like that. Link it to the OU with the machines you wish to change the local administrator's password.

    3. Go into the security of the GPO, I believe it's the advanced button. Now you need to replace Authenticated users with the new security group you created with the computer accounts in it. Then check apply policy to this group. This makes it so users can't read this policy but the machines can.

    4. Make a batch file with this single line. NET USER Administrator %1 (please note that if you have set the policy to rename the local administrator account, you will need to change that line accordingly.) Then save this as a bat file.

    5. Open your GPO and dig into computer configuration>windows settings>scripts and double click startup. You will see a startup Properties window. Click add and you will get another popup window called Add a Script. (Please note that when you browse for your batch file, be mindful of the path. I remember for some strange reason I had to copy the batch file into the sysvol and down into that actual directory of where the policy resided on the DC.)

    6. Script Parameters is where you enter the password you want.

    Tip: Login scripts use user rights and startup or shutdown use System rights.
    Last edited by Trammel; 11-30-2009 at 10:50 PM. Reason: Font size was unacceptable

  2. #2
    AdamV

    Good tip!
    "for some strange reason" - you need to copy the script file into the relevant GP folder inside sysvol so it gets replicated round all DCs. This avoids issues such as specifying a local path for it originally, or having it in a share which is potentially not open to all users.

    One way to avoid having to worry about this so much is just to set a startup script (called "startup.cmd", for example) which you put in sysvol and this just calls another script from any share you like.
    \\YourDomain\netlogon is a very good option which uses the built-in DFS sharename, so it will always get pulled from a DC on the same site.

    Then you do all the real work in this script instead. You can still pass parameters through by including %1 %2 %3...%9 in the line of startup.cmd which calls the other script. This will pass the first nine parameters straight on (and not care if fewer than nine or even zero are actually defined).

  3. #3
    kev147

    I have found today that this method of changing the local administrator password works on Windows XP machines, but not on Windows 2000.

    Just thought I would let people know.

    The Windows 2000 machines just get stuck in a loop saying applying startup scripts.

    The GPO only has this script within it and the scope is Domain Computers. The actual script is called ChangeLocalPwd.cmd and inside it has NET USER Administrator %1, then on the parameters to the script I have put the password (which meets complexity requirements).

    Has anyone else managed to get this to work with Windows 2000 machines?

    At the moment I am going to recommend that our company does this by the use of a VBScript only someone can advise how they get this method to work in Windows 2000.

  4. #4
    rk_kalady

    We too use a VB script to change the local administrator password. It works well in Win XP/2000/2003. As we don't have any NT or pre-NT desktops I cannot answer about its working in that platform.

  5. #5
    kev147

    Could you please post details of the solution that you use for Windows 2000, XP and 2003 machines?

  6. #6
    RichardBateman

    I know that this is focused on GPOs, however you might check out the PsPasswd utility that Microsoft has acquired from its purchase of SysInternals (just go to www.sysinternals.com).

  7. #7
    steveh2001

    I know this post is old, but I really hope someone can help.

    I am using the exact method detailed by Trammel to set up a local admin password with the exception of using "Domain Computers" rather than a custom group with the computers added to it. Reason being, I thought that then any new machines joined to the domain and in the particular OU would therefore inherit the policies. This did happen, however when you ran RSOP on the desktop, you could read the parameter with the password, unlike when you use a custom group and you cannot see the password...

    I can't get my head round why!
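
Added example, not part of the original thread: the password typed into Script Parameters in Trammel's step 6 is saved as plain text in the GPO's scripts.ini under SYSVOL, the same value steveh2001 reports reading in RSOP. The PowerShell below audits scripts.ini content for startup or shutdown scripts that carry parameters and reports only the parameter length, never the value; the function name Get-GpoScriptParameter and the sample file contents are constructed for illustration.

```powershell
# Added example: list GPO startup/shutdown scripts that are given parameters.
# Get-GpoScriptParameter is a hypothetical helper name, not a built-in cmdlet.
function Get-GpoScriptParameter {
    param(
        [Parameter(Mandatory)] [string] $IniText,    # contents of one scripts.ini
        [string] $Source = '(inline sample)'          # where the text came from
    )
    $section = $null
    $entries = @{}
    foreach ($line in ($IniText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Entries are "<index>CmdLine=..." and "<index>Parameters=..."
        if ($section -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $entries.ContainsKey($key)) {
                $entries[$key] = @{ Section = $section; CmdLine = ''; Parameters = '' }
            }
            $entries[$key][$Matches[2]] = $Matches[3].Trim()
        }
    }
    foreach ($e in $entries.Values) {
        if ($e.Parameters) {
            # Report that a parameter exists without echoing a possible password.
            [pscustomobject]@{
                Source          = $Source
                Section         = $e.Section
                Script          = $e.CmdLine
                ParameterLength = $e.Parameters.Length
            }
        }
    }
}

# Constructed sample of a scripts.ini; the parameter value is a placeholder.
$sample = @'
[Startup]
0CmdLine=ChangeLocalPwd.cmd
0Parameters=CONSTRUCTED-Example-Value-1
1CmdLine=startup.cmd
1Parameters=
'@
Get-GpoScriptParameter -IniText $sample   # flags ChangeLocalPwd.cmd only

# Against a real domain (scripts.ini is a hidden file, hence -Force):
# Get-ChildItem '\\YourDomain\SYSVOL' -Recurse -Force -Filter scripts.ini |
#   ForEach-Object { Get-GpoScriptParameter -IniText (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

Any row returned is a script whose parameters deserve a manual look, together with the read permissions on that GPO.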
