Re: Update local user password via GPO or script.




A Startup script runs with System privileges on the local computer, so it
can reset local account passwords. Logon scripts run with the credentials of
the user so in general they cannot reset passwords.

A Startup script exposes the credentials, since users can read the script.
Even if you go to the trouble to protect the script so computer accounts can
read and execute, but users cannot, it is possible for users to assume the
privileges of a computer account. Also, a Startup script should have a way
to tell that the password has already been reset. This allows the script to
reset the password just once, plus may allow you to determine when you can
remove the script (once you know all computer accounts have had their
passwords reset). Finally, for a while you will be in an unknown state. Some
computers will have the password reset, others not yet.

Another solution is to change the password remotely. By default, the group
"Domain Admins" is made a member of the local Administrators group when the
computer is joined to the domain. If your account is a member of "Domain
Admins", you can reset the password for local accounts yourself from any
client authenticated to the domain, as long as the remote computer is also
authenticated to the domain. You can write a script that changes the
password for a local account on all computers, logging which computers had
the password reset, and which did not (computer not online, you don't have
permission, etc.). The advantages of this method are:
1. You know what the password is on all computers.
2. The password is not exposed.
3. If the computers are online, it happens at once.

Your script can be a starting point, just replace the "." with the NetBIOS
name of a remote computer. You could write a script that reads NetBIOS names
from a text file and changes the password for all of them. Or you could
enumerate all computer objects in an OU (or even the domain) and run the
loop on all. Just make sure you skip Domain Controllers. A snippet to
enumerate all computers in an OU and change the password for a local user
could be similar to:
====================
' Specify password.
strPassword = "zqz321"

' Bind to OU.
Set objOU = GetObject("LDAP://ou=Sales,dc=MyDomain,dc=com")
' Filter on objects of class computer.
objOU.Filter = Array("computer")

' Enumerate all computer objects in OU.
For Each objComputer In objOU
    ' Skip Domain Controllers (primary group RID 516).
    If (objComputer.primaryGroupID <> 516) Then
        ' Retrieve NetBIOS name of computer.
        strComputer = objComputer.sAMAccountName
        ' Strip off trailing "$".
        strComputer = Left(strComputer, Len(strComputer) - 1)
        ' Bind to local account on computer. Only this and SetPassword are
        ' expected to fail, so suspend error handling just for them.
        On Error Resume Next
        Set objUser = GetObject("WinNT://" & strComputer & "/LocalUser,user")
        If (Err.Number <> 0) Then
            Wscript.Echo "Unable to bind to user on " & strComputer
        Else
            ' Set password (takes effect immediately, no SetInfo needed).
            objUser.SetPassword strPassword
            If (Err.Number <> 0) Then
                Wscript.Echo "Unable to set password on " & strComputer
            Else
                Wscript.Echo "Password reset on " & strComputer
            End If
        End If
        ' Restore normal error handling for the rest of the loop.
        On Error GoTo 0
    End If
Next
===========
Notice I only use "On Error Resume Next" for the statements I expect might
raise an error. Then if there is an error I handle it. Then I restore normal
error handling (with "On Error GoTo 0") so if something else raises an
unexpected error I have a chance to troubleshoot and fix it. Also, the
SetPassword method is immediate, so there is no need to invoke the SetInfo
method.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"TimM" <TimM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B4CC2B2A-4957-4187-A871-EEA1E057E749@xxxxxxxxxxxxxxxx
Well I plan (I hope) on pushing this as a computer startup/shutdown script
thru GPO. The message boxes are there only for show if needed and currently
commented out. This is being used right now as a per-need basis from my thumb
drive. But there are plans to use it to sync all local admin passwords across
the domain via GPO as stated. It's also going to be used as part of a PC
setup and config script once I have the rest of my ducks in a row.

But thank you very much for the link. I'll have to visit your site as I need
help thru my project.
--
Thanks
TimM


"\RemS" wrote:

"TimM" wrote:

Well it appears I have found my answer, see below if you are looking too.

On Error Resume Next
strPassword = "xxxxxxx"
' Connect to local administrator user object
Set objUser = GetObject("WinNT://./accountname,user")
' An object reference cannot be tested with "If objUser Then" in VBScript;
' check the Err object after the bind instead.
If Err.Number = 0 Then
    ' Change Password
    objUser.SetPassword strPassword
    ' SetPassword takes effect immediately; SetInfo is harmless but not required.
    objUser.SetInfo
    ' Create a message box displaying the results
    'If Err.Number = 0 Then
    'MsgBox "The password change was successful"
    'Else
    'MsgBox "The password was NOT changed"
    'End If
End If


--
Thanks
TimM

Nice,
Are you planning to run this script as a 'Computer Startup script' (you
cannot use the MsgBoxes then)? Because you cannot run this script as a 'User
logon script', users don't have the permissions to modify other accounts.

Keep in mind that if the vbscript is stored on a network share, users can
read its content so they can see the credentials of the administrator
account! It is better not to store the credentials in the script itself.
Instead of that, if you run the script via GPO, you have the possibility to
store the credentials in the GPO by using the script parameters (and use them
as script 'arguments' in vbs).

Your script is looking for a local account named Administrator, but what if
someone renamed that account? Therefore, instead of using the name, you could
also use the unique part of the SID of a local Administrator to identify the
Administrator account.

examples:
http://www.petri.co.il/forums/showthread.php?t=13750

\Rems
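The remote-reset approach Richard Mueller describes above (enumerate the computers in an OU, skip domain controllers, reset the local account from a Domain Admin session, log each result), combined with \Rems's point about locating the Administrator account by its SID rather than its name, as an added PowerShell example. This is not code from any post in this thread. It assumes you run it as a Domain Admin from a domain-joined client, that the OU distinguished name and log path are placeholders you replace, and that each target host accepts WinNT-provider (RPC/SMB) binds.

```powershell
# Added example (not from any post in this thread): reset a local account
# password on every computer in an OU from one Domain Admin session, logging
# the outcome per host.
# Assumptions: caller is a Domain Admin (so a member of each host's local
# Administrators group); the OU DN and log path are placeholders; each host is
# reachable by the WinNT ADSI provider.
param(
    [string]$SearchBase = 'LDAP://OU=Sales,DC=MyDomain,DC=com',   # placeholder OU
    [string]$LogPath    = "$env:TEMP\LocalPasswordReset.csv"      # placeholder log
)
$ErrorActionPreference = 'Stop'   # make COM/provider failures catchable below

# Prompt for the password instead of embedding it, so nobody who can read the
# script (or the GPO it ships in) learns it. SetPassword needs plain text, so
# the SecureString is unwrapped only in memory and the BSTR is zeroed after.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $newPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Enumerate computer objects in the OU. Exclude domain controllers: primary
# group RID 516 (Domain Controllers) and 521 (Read-only Domain Controllers).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
$searcher.Filter     = '(&(objectCategory=computer)(!(primaryGroupID=516))(!(primaryGroupID=521)))'
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$results = foreach ($entry in $searcher.FindAll()) {
    # A computer's sAMAccountName is "HOST$"; strip the trailing "$".
    $computer = ([string]$entry.Properties['samaccountname'][0]).TrimEnd('$')
    $status = 'Reset'; $detail = ''
    try {
        # Bind to the host and pick the built-in Administrator by RID 500 so a
        # renamed account is still found, instead of trusting the name.
        $machine = [ADSI]"WinNT://$computer,computer"
        $admin = $machine.Children |
            Where-Object { $_.SchemaClassName -eq 'user' } |
            Where-Object {
                $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_.objectSid.Value, 0)
                $sid.Value.EndsWith('-500')
            } |
            Select-Object -First 1
        if (-not $admin) { throw 'No RID-500 account found on host' }
        # SetPassword takes effect immediately; no SetInfo() is required.
        $admin.SetPassword($newPassword)
        $detail = "account '$($admin.Name)'"
    }
    catch {
        # Offline host, access denied, RPC blocked, etc. all land here.
        $status = 'Failed'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Computer = $computer; Status = $status; Detail = $detail; Time = Get-Date }
}

# Persist the per-host record (which hosts are done, which still need a retry)
# and print a summary.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it from an elevated PowerShell session as a Domain Admin; rerun later for any host in the CSV marked Failed (typically offline at the time). It sets one password on every host, as the thread asks; note that with one shared password a local credential captured on any single host is valid on all of them, so the log of which hosts were reset is also your record of which hosts share that exposure.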

