Re: How can I change the admin password of all our XP PC's on the doma

Cyborg, I don't think that you should spend money on any kind of software to
do what you want.
If you want to control the Local Administrators on the workstations, just
disable the Local Administrator (you can do this using GPO, as I already
mentioned before), and then use another GPO or Script that adds a existing
security group in your AD as member of the local Administrators on the
workstations.
To finish, add only the users that you think that should be members of local
administrators on the workstations.
--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:F475B711-F46F-4167-A11C-306F61642FFD@xxxxxxxxxxxxxxxx
Is there a command line method to reset it as we can get LANDesk to run
the script against any PC?

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:uWj98ZZFIHA.5272@xxxxxxxxxxxxxxxxxxxxxxx
My point exactly!
Because of the complexities involved, people sell you Enterprise Class
software that helps you address the issues.
For example: http://www.liebsoft.com/index.cfm/products?id=378
Hence my initial statement that it's not an exactly straight forward or
cheap to fix this.

Regards,

Austin


"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:FA163985-AED2-443D-9F67-DF8A53A6287C@xxxxxxxxxxxxxxxx
How exactly do you manage it then?


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:EE51F3C3-B622-4BE0-A6AA-E91B3D1CBF3A@xxxxxxxxxxxxxxxx
And, if you rename the account, the users you want not to have the
credentials can't tell that the admin account has been renamed by
looking in computer management or asking some other friendly admin?
Remember, your former passwords got shared. "Root cause" is still
there.
If you also have a lock down policy so these computers can only be used
for certain purposes and users do not install anything on their
machines, you have a way out.
But from my experience, if you have a large enough set of users, and
Admins (they are also part of this problem), you need to Actively
manage local admin passwords. A rename is more "Security Theatre" in
the event of a credible threat because the SIDs what's gone after and
that wont change.

Regards,

Austin

"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:A8195110-A9EB-49CD-89F7-C5A455D68247@xxxxxxxxxxxxxxxx
This looks like a quick fix for now?

http://support.microsoft.com/kb/816109


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:yI8Ti.3953$TY4.3104@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Cyborg,

You've got a problem thats really not very easy to solve (read
cheap).
You have this problem because it is the nature of all but the least
inquisitive of users to want to be admins on their workstations.
If you dont give the user accounts admin privilages, they go for the
local
admin account.
Now, your next problem is how do you manage the local admin account?
Do you
set the same one on all workstations?
If you do that, all that needs happen is one user finding out and
"word gets
around" or the document that "holds" the password gets into the wrong
hands.
Regular use of the password even makes it more insecure. Will you
change it
regularly on all workstations? A real procedural nightmare depending
on the
size of your estate.
If you have different passwords for different workstatins, how do you
provide ready access to admins who require it?
Several home grown Apps exist which derive an admin password from the
workstation name based on some algorithm but securing the tool
becomes the issue and usually, it doesnt take a rocket scientis to
reverse engineer them.
So you decide to pay for some Enterprise Class tool to do this for
you if especially you have thousands of boxes to visit. And there
companies out there who wite apps for just that.
As an example ( not a recomendation by any way, shape or form), see:
http://www.liebsoft.com/index.cfm/products?id=512.

HTH,

Austin



"Cyborg" <andrewwhite@xxxxxxxxxxxxxx> wrote in message
news:B3A473D8-D40D-4ED0-B3E8-4A034552684F@xxxxxxxxxxxxxxxx
Hi this is great, do I need to change anything in this script apart
form
the "testpassword"

I take it I can then add the script to the logon part of the doamin
group
policy?


"Simon" <Simon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55FB500B-675B-426B-9E75-F3954A30DA2B@xxxxxxxxxxxxxxxx
try this as part of a logon/startup script:

strComputer = "MyComputer"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,
user")
objUser.SetPassword "testpassword"
objUser.SetInfo

To make it more generic, you will need to set the script to get the
pc's
computer name before trying to change the password.

"Cyborg" wrote:

Somehow many of our users know the local admin password for our XP
machines,
is there a way to change this on all PC's to something else, like
a
group
policy?













.

Relevant Pages

  • Re: How can I change the admin password of all our XP PCs on the doma
    ... You don't go to each workstation and check if that user changed the local admin password. ... If the box has a problem that means you can't use a domain admin account to logon, it is usually quicker to rebuild than troubleshoot. ... If you want to control the Local Administrators on the workstations, just disable the Local Administrator, and then use another GPO or Script that adds a existing security group in your AD as member of the local Administrators on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the doma
    ... If the box has a problem that means you can't use a domain admin account to logon, it is usually quicker to rebuild than troubleshoot. ... Laptops will present special requirements that may make you want to bend the rules for them but I think the idea of disabling the local admin account has its merits. ... If you want to control the Local Administrators on the workstations, just disable the Local Administrator, and then use another GPO or Script that adds a existing security group in your AD as member of the local Administrators on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the
    ... inquisitive of users to want to be admins on their workstations. ... If you dont give the user accounts admin privilages, ... your next problem is how do you manage the local admin account? ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the
    ... inquisitive of users to want to be admins on their workstations. ... If you dont give the user accounts admin privilages, ... your next problem is how do you manage the local admin account? ... I take it I can then add the script to the logon part of the doamin group ...
    (microsoft.public.windows.server.active_directory)
  • Re: How can I change the admin password of all our XP PCs on the doma
    ... I believe that for a domain joined workstation, disable the local admin ... means you can't use a domain admin account to logon, ... If you want to control the Local Administrators on the workstations, ... the script against any PC? ...
    (microsoft.public.windows.server.active_directory)