Re: How can I change the admin password of all our XP PC's on the doma

And, if you rename the account, the users you want not to have the credentials can't tell that the admin account has been renamed by looking in computer management or asking some other friendly admin? Remember, your former passwords got shared. "Root cause" is still there.
If you also have a lock down policy so these computers can only be used for certain purposes and users do not install anything on their machines, you have a way out.
But from my experience, if you have a large enough set of users, and Admins (they are also part of this problem), you need to Actively manage local admin passwords. A rename is more "Security Theatre" in the event of a credible threat because the SIDs what's gone after and that wont change.

Regards,

Austin

"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message news:A8195110-A9EB-49CD-89F7-C5A455D68247@xxxxxxxxxxxxxxxx
This looks like a quick fix for now?

http://support.microsoft.com/kb/816109


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:yI8Ti.3953$TY4.3104@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Cyborg,

You've got a problem thats really not very easy to solve (read cheap).
You have this problem because it is the nature of all but the least
inquisitive of users to want to be admins on their workstations.
If you dont give the user accounts admin privilages, they go for the local
admin account.
Now, your next problem is how do you manage the local admin account? Do you
set the same one on all workstations?
If you do that, all that needs happen is one user finding out and "word gets
around" or the document that "holds" the password gets into the wrong hands.
Regular use of the password even makes it more insecure. Will you change it
regularly on all workstations? A real procedural nightmare depending on the
size of your estate.
If you have different passwords for different workstatins, how do you
provide ready access to admins who require it?
Several home grown Apps exist which derive an admin password from the
workstation name based on some algorithm but securing the tool becomes the issue and usually, it doesnt take a rocket scientis to reverse engineer them.
So you decide to pay for some Enterprise Class tool to do this for you if especially you have thousands of boxes to visit. And there companies out there who wite apps for just that.
As an example ( not a recomendation by any way, shape or form), see: http://www.liebsoft.com/index.cfm/products?id=512.

HTH,

Austin



"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:B3A473D8-D40D-4ED0-B3E8-4A034552684F@xxxxxxxxxxxxxxxx
Hi this is great, do I need to change anything in this script apart form
the "testpassword"

I take it I can then add the script to the logon part of the doamin group
policy?


"Simon" <Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55FB500B-675B-426B-9E75-F3954A30DA2B@xxxxxxxxxxxxxxxx
try this as part of a logon/startup script:

strComputer = "MyComputer"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,
user")
objUser.SetPassword "testpassword"
objUser.SetInfo

To make it more generic, you will need to set the script to get the pc's
computer name before trying to change the password.

"Cyborg" wrote:

Somehow many of our users know the local admin password for our XP
machines,
is there a way to change this on all PC's to something else, like a
group
policy?








.

Relevant Pages

  • Re: How can I change the admin password of all our XP PCs on the doma
    ... If the box has a problem that means you can't use a domain admin account to logon, it is usually quicker to rebuild than troubleshoot. ... Laptops will present special requirements that may make you want to bend the rules for them but I think the idea of disabling the local admin account has its merits. ... If you want to control the Local Administrators on the workstations, just disable the Local Administrator, and then use another GPO or Script that adds a existing security group in your AD as member of the local Administrators on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the
    ... inquisitive of users to want to be admins on their workstations. ... If you dont give the user accounts admin privilages, ... your next problem is how do you manage the local admin account? ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the
    ... inquisitive of users to want to be admins on their workstations. ... If you dont give the user accounts admin privilages, ... your next problem is how do you manage the local admin account? ... I take it I can then add the script to the logon part of the doamin group ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the doma
    ... If you want to control the Local Administrators on the workstations, ... credentials can't tell that the admin account has been renamed by ... looking in computer management or asking some other friendly admin? ...
    (microsoft.public.windows.server.active_directory)
  • Re: writing to registry in vista from guest account
    ... Once again, I bring you back to *Virtualization* on Vista, because based on each user, they will have their own VirtualStore in the registry or in case of something happening with the file-system such as a folder. ... By making your application to work with Standard user rights, no UAC escalation or prompt is required for the solution to execute. ... You also don't need a manifest for the application, if it's made to run with Standard user rights and not Admin user rights. ... Like I said, even with UAC disabled, your user admin account is not an account that has full admin rights on Vista. ...
    (microsoft.public.dotnet.languages.csharp)
Loading