Automated changing of local admin password on workstations?

Barkley Bees

We want to ensure that all workstations (XP/2000) in our Active Directory
environment have their local Administrator passwords set to our specified
value. What would be the best way (best practice) to implement this
(Logon/Startup script, GPO, SMS, etc)? Appreciate any advice.
 
Florian Frommherz [MVP]

Howdie!

Barkley said:
We want to ensure that all workstations (XP/2000) in our Active Directory
environment have their local Administrator passwords set to our specified
value. What would be the best way (best practice) to implement this
(Logon/Startup script, GPO, SMS, etc)? Appreciate any advice.

Try to not script that with Group Policy - you'd have to put the
password in plain text into the script. When scripting, use the %1
parameter to pass the password as a parameter to the script - that way
it won't stick there in plain text.

There are a few tools out there you might want to use... PsPwd is one of
them I guess - other scripts from the scripting guys are around.

cheers,

Florian
 
Paul Bergson [MVP-DS]

We run a remote script and push it out to all workstations. You don't want
to run it as a login script because you can see the password. We just read
all workstations from the root of the domain and run a script; we kick out
an error report of all machines that don't connect.

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
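
An added example, not part of the post above or the linked Script Center article: one way to do the remote push described there in PowerShell, prompting for the password at run time so it never sits in a script file, and writing an error report of machines that could not be reached. The report path, the LDAP filter and the use of the WinNT ADSI provider are assumptions; the filter skips servers and domain controllers, because on a domain controller `WinNT://<DC>/Administrator` is the domain Administrator account.

```powershell
# Added example, not from the thread. Run interactively from an admin workstation
# with rights on the target machines; nothing here is stored in a GPO or logon script.
param(
    [string]$ReportPath = '.\local-admin-reset-failures.csv'   # hypothetical report file
)

# Prompt for the new password instead of embedding it in the script.
$secure = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

try {
    # Read computer accounts from the root of the current domain, excluding
    # server operating systems and domain controllers (userAccountControl bit 8192).
    $filter = '(&(objectCategory=computer)(!(operatingSystem=*Server*))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('name')
    $computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

    # Try each workstation; collect the ones that fail instead of stopping.
    $failures = @(foreach ($computer in $computers) {
        try {
            $account = [ADSI]"WinNT://$computer/Administrator,user"
            $account.SetPassword($plain)
        }
        catch {
            [pscustomobject]@{
                Computer = $computer
                Time     = Get-Date -Format s
                Error    = $_.Exception.Message
            }
        }
    })

    # Error report of machines that did not connect or rejected the change.
    if ($failures.Count -gt 0) {
        $failures | Export-Csv -Path $ReportPath -NoTypeInformation
    }
    Write-Host ("{0} workstations tried, {1} failed" -f @($computers).Count, $failures.Count)
}
finally {
    # Wipe the plaintext copy of the password from unmanaged memory.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}
```

Machines listed in the report were offline or refused the connection and still carry the old password, so the run needs repeating against that list.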
 
Lanwench [MVP - Exchange]

Florian Frommherz said:
Howdie!



Try to not script that with Group Policy - you'd have to put the
password in plain text into the script.

My two cents? I know it's officially "bad practice," but since I do this as
a startup script nobody can see it, and the script itself is stored in a
location nobody but me/admins can access anyway, so I guess I don't
personally worry about it that much - esp. as it's only for local accounts
on workstations. :)
 
