Re: Password change script using group policy





"Jeffery Hicks" <jhicks@xxxxxxxxxx> wrote in message
news:eve59BgnHHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
Vijesh Rajan wrote:
Hi,



We have more than 600 computers in our network and we want to change the
local administrator user name and password periodically. Doing all of this
manually requires a lot of time, so we can use one script to do that; while
running, this script will rename the local administrator name and password,
and it detects the administrator by its SID.



Please find the script below of the mail.



Unfortunately this script is not working. Can someone help us to fine-tune
this script and help us in terms of how to use this script effectively?



Thanks in advance.



Thanks & Regards,

Rajvilas.



..................Script File is here...........





------------------------------ Beginning of Script ------------------------------



'script: "ModifyLocalAdministrator.vbs"
'
'*\\this visual basic script can:
' "Rename and reset the local Administrator account at startup"
'
'*\\characteristics of this scripting:
' "no need to publish the administrator password in this code"
' "no need to know the current logon name/password for the Administrator"
'
'This script must be run through a
'Computer Configuration GPO
'Put this script in a folder called:
' \\'ADdomainname'\NetLogOn\StartUpScripts
'
'Edit the GPO that is linked_to -=or=-
'inherited_by the OU containing the workstations:
'+Computer Configuration/+Windows Settings/+Scripts/Startup
'click on [Add...]
'+------------------------------------------+
'|Scriptname:
'| 'ADdomainname'\SysVol\'FullDomainname'\StartUpScripts\ModifyLocalAdministrator.vbs
'|
'|Use Script Parameters:
'| /u:newNameAdministrator /p:newPass4LocalAdministrator
'+------------------------------------------+
'where: 'ADdomainname' and 'FullDomainname' is the Active Directory Domain name
' And: newNameAdministrator and newPass4LocalAdministrator are the new credentials
' for the local administrator account to be set on each client computer
'
'NOTE! /p:.... <--- must meet the domain or local password requirements!!!
'

Option Explicit: Dim Named, sNewAdminName, sPasswrdAdmin
On Error Resume Next
Set Named = WScript.Arguments.Named
sNewAdminName = Null
sPasswrdAdmin = Null

If Named.Exists("u") Then sNewAdminName = Named.Item("u")
If Named.Exists("p") Then sPasswrdAdmin = Named.Item("p")

'Null & Null is Null, but Null & "text" is "text", so this only fails when
'neither /u nor /p was supplied
If Not IsNull(sNewAdminName & sPasswrdAdmin) Then
    updateAdministrator()
Else
    Err.Raise 100, WScript.ScriptName, "at least one parameter is required"
End If

If Err.Number <> 0 Then ErrorSnd(Err.Number)
Err.Clear '(undo: err.raise)
sNewAdminName = "<done>" 'successfully
sPasswrdAdmin = "<done>" 'successfully

WScript.Quit 0


Sub updateAdministrator()
    Dim regEx, objWMIService, colAccounts, objAccount, objUser
    Set regEx = New RegExp
    regEx.IgnoreCase = False
    'The built-in Administrator is RID 500 under the machine SID. The three
    'sub-authorities are 32-bit values and can be shorter than 8 digits, so
    'match \d+ rather than \d{8,} or the account is occasionally missed.
    regEx.Pattern = "^S-1-5-21-\d+-\d+-\d+-500$"
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colAccounts = objWMIService.ExecQuery("Select * From Win32_UserAccount" & _
        " Where LocalAccount = TRUE")
    For Each objAccount In colAccounts
        If regEx.Test(objAccount.SID) Then
            If Not IsNull(sPasswrdAdmin) Then
                'the ",user" suffix makes the WinNT path unambiguous
                Set objUser = GetObject("WinNT://./" & objAccount.Name & ",user")
                objUser.SetPassword sPasswrdAdmin
            End If
            If Not IsNull(sNewAdminName) Then objAccount.Rename sNewAdminName
            Exit Sub 'no need to continue searching
        End If
    Next
End Sub

Sub ErrorSnd(code)
    Dim objShell, oWshEnvironment, strSoundFile
    Set objShell = CreateObject("WScript.Shell")
    Set oWshEnvironment = objShell.Environment("Process")
    strSoundFile = oWshEnvironment("SystemRoot") & "\media\Defsound.wav"
    objShell.Run "sndrec32 /play /close " & Chr(34) & strSoundFile & Chr(34), 0, False
    Set objShell = Nothing
    Set oWshEnvironment = Nothing
End Sub


--------------------------------- End of Script ---------------------------------



Can you successfully run the script manually when logged on with admin
credentials? If not, what errors are you getting? You might need to
comment out On Error Resume Next so if there are errors you can see what
they are. You have to verify the script runs fine manually before you can
set it up as a computer start up script.

--
Jeffery Hicks
SAPIEN Technologies - Scripting, Simplified. www.SAPIEN.com
VBScript & Windows PowerShell Training -
www.ScriptingTraining.com/classes.asp
Windows PowerShell? - www.SAPIENPress.com/powershell.asp

blog: http://blog.SAPIEN.com
blog: http://jdhitsolutions.blogspot.com

It may be a typo, but the line:

\\'ADdomainname'\NetLogOn\StartUpScripts

raises an error. Otherwise, most of the script works for me (I commented out
the steps to change admin password and rename the account, but the rest
worked). I would remove "On Error Resume Next". If this is to run as a
startup script, there should be no need to trap the error if no parameters
are supplied.

Also, I don't think this will work on Vista clients. And I don't see steps
to ensure the script doesn't run repeatedly on each computer. In fact, the
statement to rename the administrator account could fail the second time the
startup script runs. You might want to use code similar to:

If Not IsNull(sNewAdminName) And (objAccount.Name <> sNewAdminName) Then
    objAccount.Rename sNewAdminName
End If

Or better yet would be a mechanism to recognize at the start that this has
already been run on the computer so exit immediately. Perhaps check for the
existence of the new administrator account name, or save a small text file
on the local computer and check for its existence.

Finally, I believe these steps could be performed in bulk remotely. You
would need to log which computers got the update and which did not (perhaps
because the machine was turned off). You would need to run the script a few
times until all machines got the update, perhaps reading computer names from
a text file. This would take some work, but the advantages are:

1. No chance of revealing administrator password.
2. Done immediately for most computers.
3. You know the state of the password on all computers. You have a log of
which computers still need the update.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
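The following is an added example written for this archive page; it is not code from any of the posters above. It combines the two ideas in the thread: the quoted VBScript's trick of finding the built-in Administrator by its RID-500 SID rather than by name, and Richard's suggestion of doing the change in bulk from one admin workstation with a log of which machines got the update and which still need it. It assumes the targets run PowerShell 5.1 or later (so the Microsoft.PowerShell.LocalAccounts cmdlets Get-LocalUser, Rename-LocalUser and Set-LocalUser exist) with WinRM enabled, that it is run from an elevated session holding local-admin rights on the targets, and the file names and parameter names are the editor's own choices.

```powershell
# Added example (editor's code, not from the thread): bulk, remote, logged
# rename/reset of the built-in local Administrator, idempotent on re-runs.
# Assumptions: PowerShell 5.1+ on targets, WinRM reachable, caller is an admin
# on every target; parameter names and file paths below are the editor's.
[CmdletBinding()]
param(
    [string]$ComputerListPath = '.\computers.txt',        # one hostname per line (constructed input)
    [string]$LogPath          = '.\admin-update-log.csv', # cumulative run log
    [string]$RetryListPath    = '.\computers-retry.txt'   # feed back in as -ComputerListPath
)

# Prompt once, interactively. The password never lands in SYSVOL, in a GPO
# script parameter (readable by every domain user) or in this file.
$newCred = Get-Credential -Message 'Enter the NEW local Administrator name and password'

# Runs on each target. Same idea as the VBScript's regex, minus the \d{8,}
# assumption: SID sub-authorities are 32-bit values and may be shorter.
$remote = {
    param([pscredential]$Cred)
    $newName = $Cred.UserName
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }
    if (-not $builtin) { throw 'No RID-500 local account found (domain controller?)' }
    $previous = $builtin.Name
    # Rename only when the name actually differs, so a second run does not fail
    if ($previous -ne $newName) {
        Rename-LocalUser -Name $previous -NewName $newName -ErrorAction Stop
    }
    # Set-LocalUser throws if the password violates local or domain policy
    Set-LocalUser -Name $newName -Password $Cred.Password -ErrorAction Stop
    [pscustomobject]@{ PreviousName = $previous; Renamed = ($previous -ne $newName) }
}

$computers = Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() -ne '' }
$results = foreach ($computer in $computers) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $remote -ArgumentList $newCred -ErrorAction Stop
        [pscustomobject]@{
            Computer = $computer; Status = 'Updated'
            PreviousName = $r.PreviousName; Renamed = $r.Renamed; Timestamp = Get-Date
        }
    }
    catch {
        # Offline or failing machines are recorded, never silently skipped
        [pscustomobject]@{
            Computer = $computer; Status = "Failed: $($_.Exception.Message)"
            PreviousName = $null; Renamed = $null; Timestamp = Get-Date
        }
    }
}

# The CSV is the "state of the password on all computers"; the retry list is
# the next run's input, until it comes back empty.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Where-Object { $_.Status -ne 'Updated' } |
    Select-Object -ExpandProperty Computer | Set-Content -Path $RetryListPath

'{0} updated, {1} to retry (see {2})' -f @($results | Where-Object Status -eq 'Updated').Count,
    @($results | Where-Object Status -ne 'Updated').Count, $RetryListPath
```

Run it from an elevated prompt with the full list, then re-run with `-ComputerListPath .\computers-retry.txt` until the retry file is empty; the CSV accumulates one row per machine per attempt, and rows carry only hostname, status and the previous account name, never the password. Two caveats worth keeping in mind: the log still tells a reader which machines have not been updated yet, so protect it like any other inventory of weak spots, and this approach gives every machine the same local Administrator password, which is the problem Microsoft later addressed with LAPS (a unique, rotated password per machine).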




