
Re: Change local administrator password for all PCs in the domain


Yimin Wei

Oct 26, 2005, 2:43:40 PM
Lisa wrote:
> Hi there,
>
> I have about 200 workstations in my Windows 2000 domain. The workstations
> include Windows XP and 2k. How can I change all workstations local
> administrator password without going to the system to change them one by one?
> I don't want the startup script since the users won't restart their
> computers.
>
> Need help!
>
> Thanks in advance!
>
> Lisa

You can use a VBScript to do it.

'---------------
' Bind to the OU that holds the workstation accounts
Set objOU = GetObject("LDAP://OU=YourOU, DC=example, DC=com")
objOU.Filter = Array("Computer")

For Each objItem in objOU
    strComputer = objItem.CN
    WScript.Echo strComputer
    ' Bind to the local Administrator account on that computer
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword("newpassword")
Next
'----------------

Yimin Wei

Marty List

Oct 26, 2005, 3:00:54 PM

"Lisa" <Li...@discussions.microsoft.com> wrote in message
news:FD7870C3-5BE2-4E03...@microsoft.com...

> Hi there,
>
> I have about 200 workstations in my Windows 2000 domain. The workstations
> include Windows XP and 2k. How can I change all workstations local
> administrator password without going to the system to change them one by one?
> I don't want the startup script since the users won't restart their
> computers.
>
> Need help!
>
> Thanks in advance!
>
> Lisa


Hi Lisa,

There are many ways to approach this, depending on your situation. First you
need to decide if you want this done as an automated process or a manual
process.

As an automated process, you could set up a custom script or Group Policy (in
Active Directory) where all machines get the latest password as they come
online. This basically requires domain membership, no workgroup machines. This
requires more work up front, but requires little or no work in the future.

Or you might prefer the approach of running the script periodically (whenever
you decide to change to a new password). You just have to decide how you want
to handle machines that are not online at the time you run the script. You
might need to keep running it again and again until you catch all machines.
This approach requires little work up front, but ongoing maintenance. If you
choose this method and don't find a script you like, check out my freeware tool
AccountManager:
http://www.optimumx.com/download/accountmanager.zip


Lisa

Oct 26, 2005, 3:09:03 PM
Hi Yimin, thank you so much for your reply. I am new with VBS. Can you tell
me more details? I have a few questions:
1. Is this VBScript for a Group Policy startup script? But if users won't
restart their system, the password will not get changed. Right?
2. In the script, the only thing I need to modify is "newpassword", right?

Thanks again,

Lisa

Scott_FH

Oct 26, 2005, 4:50:01 PM
I modified something I already wrote, but this basically does what you want
off of an AD query. It needs error handling and logging. I did some on-the-fly
modifying for the post, so I can't guarantee there are no errors, but this
should get you going.

This script also changes the name of the administrator account to whatever
you want it to be. For security reasons it is a good idea that the
administrator account is not named "Administrator". Also, this uses the SID of
the local Administrator account, so if it is NOT named Administrator it will
still get the password changed and be renamed.

'----------------------------------------------

option explicit
on error resume next

Const adUseClient = 3
Const sNewPassword = "NewLocalAdminPasswordHere"
Const sNewAdminName = "NewAdminAccountName"

'*connection variables
dim gobjConnection, gobjCommand
dim rsServers, strQuery

'* connect to AD

Set gobjConnection = CreateObject("ADODB.Connection")
gobjConnection.Provider = "ADsDSOObject"
gobjConnection.Open "Active Directory Provider"
gobjConnection.CursorLocation = adUseClient

Set gobjCommand = CreateObject("ADODB.Command")
Set gobjCommand.ActiveConnection = gobjConnection
gobjCommand.Properties("Page Size") = 1000

'*select attributes to fill recordset with
strQuery = "Select name From " & _
    "'LDAP://dc=domain,dc=com' Where objectClass='computer'"

gobjCommand.CommandText = strQuery

'*fill recordset (Execute returns the recordset object)
Set rsServers = gobjCommand.Execute

'* Call sub to change the password
Call ChangeLocalAdmin(rsServers)

'* ------------------------------------------------------------------
'* Functions

Public Sub ChangeLocalAdmin(byRef rsComputerName)

    on error resume next

    dim strComputer, sLocalAdmin, objLocalAdmin, objComputer
    dim objWMIService, objAccount, colAccounts

    While NOT rsComputerName.EOF

        '* reset per-computer state: with "on error resume next" a failed
        '* bind (machine offline) would otherwise reuse the previous
        '* computer's account name and objects
        sLocalAdmin = ""
        Set colAccounts = Nothing
        Set objAccount = Nothing
        Set objLocalAdmin = Nothing
        Err.Clear

        '* Set local admin account name for computer ...
        strComputer = rsComputerName.Fields.Item("Name").Value
        Set objWMIService = GetObject( _
            "winmgmts:\\" & strComputer & "\root\cimv2")

        If Err.Number = 0 Then
            Set colAccounts = objWMIService.ExecQuery _
                ("Select * From Win32_UserAccount Where Domain = '" _
                & strComputer & "'")
            For Each objAccount in colAccounts
                '* find administrator account from SID
                If Left (objAccount.SID, 6) = "S-1-5-" _
                    and Right(objAccount.SID, 4) = "-500" Then
                    sLocalAdmin = objAccount.Name
                End If
            Next
        End If

        '* only continue if the -500 account was found on this computer
        If sLocalAdmin <> "" Then
            '* bind to local admin account
            Err.Clear
            set objLocalAdmin = GetObject( _
                "WinNT://" & strComputer & _
                "/" & sLocalAdmin & ",user")

            If Err.Number = 0 Then
                '* Password will be set too
                objLocalAdmin.SetPassword sNewPassword
                objLocalAdmin.SetInfo

                '* bind to computer and rename admin account
                Set objComputer = GetObject("WinNT://" & _
                    strComputer)

                '* change local admin name here
                objComputer.MoveHere objLocalAdmin.AdsPath, _
                    sNewAdminName
            End If
        End If

        rsComputerName.MoveNext

    Wend

end sub
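
Added example, not part of any post in this thread: one way to cover the two gaps mentioned above, Scott_FH's note that the script needs error handling and logging and Marty List's point about rerunning until offline machines are caught. It assumes a hypothetical pending.txt (one computer name per line) and log file pwchange.log, that the local account is still named Administrator, and that it is run with cscript.exe so the password can be read at run time instead of being stored in the script.

```vbscript
Option Explicit
' Added example; the file names below are hypothetical.
Const PENDING_FILE = "pending.txt"   ' one computer name per line
Const LOG_FILE = "pwchange.log"      ' appended to on every run
Const ForReading = 1, ForWriting = 2, ForAppending = 8

Dim fso, sNewPassword, inFile, logFile, outFile, strComputer, stillPending
Set fso = CreateObject("Scripting.FileSystemObject")
Set stillPending = CreateObject("Scripting.Dictionary")

' Read the password from the console so it is never saved in the script file.
WScript.StdOut.Write "New local admin password: "
sNewPassword = WScript.StdIn.ReadLine

Set inFile = fso.OpenTextFile(PENDING_FILE, ForReading)
Set logFile = fso.OpenTextFile(LOG_FILE, ForAppending, True)
Do Until inFile.AtEndOfStream
    strComputer = Trim(inFile.ReadLine)
    If strComputer <> "" Then
        If SetLocalAdminPassword(strComputer, sNewPassword) Then
            logFile.WriteLine Now & vbTab & strComputer & vbTab & "OK"
        Else
            stillPending(strComputer) = True   ' keep it for the next run
        End If
    End If
Loop
inFile.Close

' Rewrite the pending list with only the machines that failed this time.
Set outFile = fso.OpenTextFile(PENDING_FILE, ForWriting, True)
For Each strComputer In stillPending.Keys
    outFile.WriteLine strComputer
Next
outFile.Close
logFile.Close
WScript.Echo stillPending.Count & " computer(s) still pending"

' Returns True only if both the bind and the password change succeeded.
Function SetLocalAdminPassword(sName, sPassword)
    Dim objUser
    SetLocalAdminPassword = False
    On Error Resume Next   ' error trapping is local to this function
    Set objUser = GetObject("WinNT://" & sName & "/Administrator,user")
    If Err.Number = 0 Then objUser.SetPassword sPassword
    If Err.Number = 0 Then
        SetLocalAdminPassword = True
    Else
        logFile.WriteLine Now & vbTab & sName & vbTab & "FAILED 0x" & Hex(Err.Number)
    End If
End Function
```

Each run shrinks pending.txt to the machines that were unreachable or refused the change, so the same command can be repeated until the file is empty.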

Yimin Wei

Oct 26, 2005, 5:18:49 PM
Lisa wrote:
> Hi Yimin, thank you so much for your reply. I am new with VBS. Can you tell
> me more details? I have a few questions:
> 1. Is this VBScript for a Group Policy startup script? But if users won't
> restart their system, the password will not get changed. Right?

The script is not a startup script. You need to run it using a Domain
Admin account. The computers need to be turned on when you run the
script, otherwise the admin password will not be changed.

> 2. In the script, the only thing I need to modify is "newpassword", right?
>

You also need to modify "LDAP://OU=YourOU, DC=example, DC=com".

Lisa

Oct 26, 2005, 5:50:03 PM
Hi Marty,

Thank you so much for your reply. Can you tell me more detail for how to
approach this by Group Policy?

Thanks a lot!

Lisa

Lisa

Oct 26, 2005, 5:50:03 PM
Thanks a lot!

Mike Miller

Oct 27, 2005, 7:59:11 AM
In article <FD7870C3-5BE2-4E03...@microsoft.com>,
Li...@discussions.microsoft.com says...

> Hi there,
>
> I have about 200 workstations in my Windows 2000 domain. The workstations
> include Windows XP and 2k. How can I change all workstations local
> administrator password without going to the system to change them one by one?
> I don't want the startup script since the users won't restart their
> computers.
>
> Need help!
>
> Thanks in advance!
>
> Lisa
>
Get PsTools from http://www.sysinternals.com/Utilities/PsTools.html.
The pspasswd tool will do just what you want plus it has a number of other
goodies you will love.

--
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)
