Change Local Administrator Password thru GPO

  • Saturday, August 09, 2008 6:10 PM
     
     
    Is there a way that, through GPO, all Local Administrator passwords will be changed?

All Replies

  • Sunday, August 10, 2008 9:05 AM
     
     Answered
    There's no built-in Group Policy setting that can change the local administrator's password for you.
       
    However:
         
    1. There is a Group Policy Preference (GPP) that can do it for you
      Changing the local Administrator password on domain members has become pretty easy with the advent of Group Policy Preferences.
          
      Start the Group Policy snap-in, expand Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User.  Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Press OK.
         
      More information:
          
      1. Introducing Group Policy Preferences
      2. Download details: Group Policy Preferences Overview
      3. Top 5 Security Settings in Group Policy for Windows Server 2008
           

      Note:
      Windows Server 2008 is not strictly needed for Group Policy Preferences.
               

    2. You can script it
      This script will change your local Administrators passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)
          
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    ' Target the local machine
    strComputer = "."
    ' Bind to the local Administrator account through the WinNT provider
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "NEW.PASSWORD" ' Enter new password between the quotes
    objUser.SetInfo

        
    The best way to use this script is to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account.
    Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.

  • Tuesday, August 19, 2008 4:27 AM
     
     
    Sander Berkouwer said:

            

    1. You can script it
      This script will change your local Administrators passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)
          
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "NEW.PASSWORD" ' Enter new password between the quotes
    objUser.SetInfo

        
    Best way to use this script is  to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account.
    Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.


    Where can I get the Microsoft script encrypter?
  • Tuesday, August 19, 2008 5:45 AM
     
     
    Howdie!

    mpMS said:
    Where can I get the Microsoft script encrypter?

    http://msdn.microsoft.com/en-us/library/xw61tsx7(VS.85).aspx
    http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en

    But I encourage you to use the Preferences. You'll get rid of a lot more scripting solutions than just that.

    http://www.frickelsoft.net/blog/?p=116

    cheers,

    Florian

    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
  • Tuesday, August 19, 2008 2:09 PM
     
     
    Can't get it. Can you post a sample guide on how to assign the Administrator password?
  • Monday, August 25, 2008 6:51 AM
     
     
    What part are you unsure of? The last steps of the configuration are explained here: http://www.frickelsoft.net/blog/?p=116. You go create a new OU in Active Directory Users and Computers and put the AD computer accounts you want to change the Admin password on into that OU. You open GPMC.msc and navigate to the newly created OU. Create a new GPO and configure the GPPreference setting as explained in my article.

    Did that work for you?
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
  • Tuesday, December 01, 2009 4:47 PM
     
     
    How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    How about the GPP? Is the password captured in the GPP as recoverable plaintext?
  • Tuesday, December 01, 2009 9:28 PM
     
     
    How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    That's true.
    How about the GPP? Is the password captured in the GPP as recoverable plaintext?

    No. The cpassword part is hashed in the preference.
    You can check this if you'd like in the SYSVOL.
  • Thursday, June 17, 2010 5:12 AM
     
     

    Hi Sander

    I just stumbled on this. Do we really need to script it? Because looking from the link below, it does not require scripting.

    http://blogs.technet.com/b/jratsch/archive/2009/03/27/how-to-change-the-password-for-the-local-administrator-account-on-multiple-machines-the-easy-way-without-scripting.aspx

     

     

  • Thursday, June 17, 2010 8:55 PM
     
     

    Hi,

    On 17.06.2010 07:12, cyw77 wrote:

    I just stumbled on this. Do we really need to script it?

    No, you can use the Group Policy Preferences to do that.

    Mark


    Mark Heitbrink - MVP Windows Server - Group Policy

    Homepage:    www.gruppenrichtlinien.de - German
    NNTP Bridge: http://communitybridge.codeplex.com/releases

  • Friday, June 18, 2010 4:56 AM
     
     
    Ok. Not sure why Sander recommends to script it for the password. Was that feature not available to him when he recommends the scripting?
  • Friday, June 25, 2010 6:43 AM
     
     
    Ok. Not sure why Sander recommends to script it for the password. Was that feature not available to him when he recommends the scripting?


    When you look at my original post, you'll find that I offered two solutions.
    One of the solutions is using Group Policy Preferences, which is the same solution as you stumbled upon.

    The choice between using Group Policy Preferences and using the script is pretty easy:

    • If you're running Windows 2000 Professional machines in your Active Directory environment, the Group Policy Preferences are not available. You'll need to use the script.
    • If you're running Windows XP Professional machines in your Active Directory environment, the Group Policy Preferences need to be installed onto all the machines before you can use the Group Policy Preferences. Windows Vista and Windows 7 have the Group Policy Preferences installed and enabled by default.
    • If you need advanced reporting, you'll need to use the script, since the Group Policy Preferences do not offer reporting. On the other hand, by the time you need true reporting, you'll be looking at System Center Configuration Manager (SCCM) and have whole other means to change the settings on all the client machines.
  • Friday, July 30, 2010 7:43 PM
     
     

    Sander,

     I am on an XP machine trying to edit a test GPO like you mentioned, but I do not see any "Preferences" under Computer Configuration.

     

    I have "Group Policy Preference Client Side Extensions for Windows XP" installed on my machine. Am I missing something?


  • Tuesday, August 03, 2010 6:36 PM
     
     

    Sander,

     I am on an XP machine trying to edit a test GPO like you mentioned, but I do not see any "Preferences" under Computer Configuration.

     

    I have "Group Policy Preference Client Side Extensions for Windows XP" installed on my machine. Am I missing something?


    You will need to use the Group Policy Management Console (GPMC) from Windows Vista SP1 or Windows 7 to be able to manage Group Policy Preferences. Once configured, your Windows XP clients will pick them up.
  • Tuesday, August 03, 2010 9:55 PM
     
     Proposed

    Just in case you had any questions, here are some posts I have done that answer your questions...

    1. How to use Group Policy Preferences to Secure Local Administrator Groups

    2. How to use Group Policy Preferences to change account Passwords (This article shows you how to mitigate the security issues with changing local account passwords using GPP)

    Hope it helps...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
  • Monday, September 06, 2010 8:36 PM
     
     
    How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    How about the GPP? Is the password captured in the GPP as recoverable plaintext?

    It seems to me that you can simply deny view rights to all of the users that you don't want to have access to the password script.  If I'm not mistaken, a domain computer will still run the script as part of its startup routine even if all of the domain users are denied.
  • Monday, September 06, 2010 8:40 PM
     
     
    It seems to me that you can simply deny view rights to all of the users that you don't want to have access to the password script.  If I'm not mistaken, a domain computer will still run the script as part of its startup routine even if all of the domain users are denied.


    You don't want to do that. If I'm admin on my box (and there probably are local admins on your boxes _somewhere_), I can read that file. There are ways I can run commands as the "local system" and therefore as a domain computer. If I can run commands in the system's context, I can read the file.

    You could try to encode the password script if it's VBScript. Not sure if that's a secure enough solution, though.

    Cheers,

    Florian


    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
  • Tuesday, October 05, 2010 10:28 AM
     
     
    Hi This script will run without admin rights  from GPO.
  • Tuesday, October 05, 2010 10:29 AM
     
     

    Hi,

    I want to change all local admin passwords in my network. If I use the above script, does it require admin rights on each client machine?

    Please help me.

     

    By Ashok.

  • Sunday, October 17, 2010 6:15 AM
     
     
    Hi. I want to change the local administrator password through GPO in my domain environment. I am following the steps as you have written, but I can't see (Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User). Thanks.
  • Friday, December 03, 2010 8:01 AM
     
     

    Hi,

    This works fine for Windows Vista and Windows 7, but for Windows XP this is not effective.

  • Tuesday, January 18, 2011 8:28 PM
     
     

    This works for some of the XP computers and some it does not... it's so strange.


    The GPO shows applied under gpresult but it doesn't actually make the change???

     

    Any ideas?

     

    Regards,

    DEMPC

  • Monday, February 07, 2011 5:55 AM
     
     

    I am also looking at an option where I can change the local admin account password across the network on a periodic basis.

     

    Any help / suggestions welcome

  • Tuesday, April 19, 2011 5:31 AM
     
     

    Make sure KB943729 Group Policy Preference Client Side Extensions for Windows XP is installed.

    I had the same problem. After installing, it worked a charm.

  • Friday, May 20, 2011 11:09 AM
     
     

    do not change local admin password

     

  • Friday, May 20, 2011 11:12 AM
     
     

    i am creat in user in ou but right in administrator but user change local admin password

     

  • Friday, May 20, 2011 2:49 PM
     
     Proposed

    Just in case you had any questions, here are some posts I have done that answer your questions...

    1. How to use Group Policy Preferences to Secure Local Administrator Groups

    2. How to use Group Policy Preferences to change account Passwords (This article shows you how to mitigate the security issues with changing local account passwords using GPP)

    Hope it helps...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    Nice and clear.  Thanks for the links!
  • Thursday, August 11, 2011 10:17 AM
     
     Proposed

    Here is a link to a blog post I have done that shows how you can change the password for a local account... it also covers ways to mitigate having it as a standing setting applied, which can reveal the password as it is stored in SYSVOL, which is easily readable... Best Practice: How to use Group Policy Preferences to change account Passwords

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
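
The replies above point to SYSVOL as the place where a Group Policy Preference keeps its cpassword value. The following audit is an added example, not code from any poster in this thread: it lists which preference files under a Policies folder contain a non-empty cpassword attribute, without printing or decoding the value. The function name `Find-GppCpassword`, the default path built from `USERDNSDOMAIN`, and the use of the parent element's `name` and `changed` attributes are assumptions.

```powershell
# Added example: report where GPP files in SYSVOL carry a cpassword attribute.
# The values themselves are never printed or decoded.
function Find-GppCpassword {
    param(
        # Assumption: default Policies share of the logged-on user's domain.
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            } catch {
                return  # not well-formed XML: skip this file
            }
            # Any element with a non-empty cpassword attribute.
            $hits = $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
            foreach ($node in $hits) {
                # The preference item (for example a User entry) is the parent element.
                $parent = $node.ParentNode -as [System.Xml.XmlElement]
                # The GPO GUID is the folder name directly under Policies.
                $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                [pscustomobject]@{
                    GpoGuid  = $gpo
                    ItemType = if ($null -ne $parent) { $parent.LocalName }
                    ItemName = if ($null -ne $parent) { $parent.GetAttribute('name') }
                    Changed  = if ($null -ne $parent) { $parent.GetAttribute('changed') }
                    File     = $file.FullName
                }
            }
        }
}

Find-GppCpassword | Sort-Object GpoGuid | Format-Table -AutoSize -Wrap
```

Each row is a stored password that anyone able to read that file in SYSVOL can retrieve, so the listed preference items are the ones to remove from their GPOs, followed by a change of the affected account's password.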
  • Tuesday, May 22, 2012 3:11 AM
     
     

    There is one feature in Synergix AD Client Extensions software that will manage built-in administrator account passwords.  Encrypted passwords are stored in Active Directory.  Here's an extract from their website ....

    With AD Client Extensions, Built-in Administrator account passwords are system generated and stored in Active Directory. Passwords are validated regularly and reset to maintain the integrity. The password vault is infallible to the extent of AD Domain Infrastructure

  • Wednesday, March 27, 2013 3:53 PM
     
     
    I can't seem to get this to work with Windows 8.  It has been working with our XP and 7 machines, but the first Windows 8 box can seem to set the administrator password.  It was able to create a new user, it just can't seem to change the administrator local account.