Change Local Administrator Password thru GPO

Answers

  • There's no built-in Group Policy setting that can change the local administrator's password for you.
       
    However:
         
    1. There is a Group Policy Preference (GPP) that can do it for you
      Changing the local Administrator password on domain members has become pretty easy with the advent of Group Policy Preferences.
          
      Start the Group Policy snap-in, expand Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User.  Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Press OK.
         
      More information:
          
      1. Introducing Group Policy Preferences
      2. Download details: Group Policy Preferences Overview
      3. Top 5 Security Settings in Group Policy for Windows Server 2008
           

      Note:
      Windows Server 2008 is not strictly needed for Group Policy Preferences.
               

    2. You can script it
      This script will change your local Administrators passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)
          
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    strComputer = "."  ' "." means the local computer
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "NEW.PASSWORD" ' Enter the new password between the quotes
    objUser.SetInfo

        
    The best way to use this script is to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account.
    Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.

    Sunday, August 10, 2008 9:05 AM

All replies

  • Sander Berkouwer said:

            

    1. You can script it
      This script will change your local Administrators passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)
          
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    strComputer = "."  ' "." means the local computer
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "NEW.PASSWORD" ' Enter the new password between the quotes
    objUser.SetInfo

        
    The best way to use this script is to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account.
    Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.


    Where can I get the Microsoft script encrypter?
    Tuesday, August 19, 2008 4:27 AM
  • Howdie!

    mpMS said:
    Where can I get the Microsoft script encrypter?

    http://msdn.microsoft.com/en-us/library/xw61tsx7(VS.85).aspx
    http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en

    But I encourage you to use the Preferences. You'll get rid of a lot more scripting solutions than just that.

    http://www.frickelsoft.net/blog/?p=116

    cheers,

    Florian

    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, August 19, 2008 5:45 AM
  • Can't get it. Can you post a sample guide on how to assign the Administrator password?
    Tuesday, August 19, 2008 2:09 PM
  • What part are you unsure of? The last steps of the configuration are explained here: http://www.frickelsoft.net/blog/?p=116. You go create a new OU in Active Directory Users and Computers and put the AD computer accounts you want to change the Admin password on into that OU. You open GPMC.msc and navigate to the newly created OU. Create a new GPO and configure the GPPreference setting as explained in my article.

    Did that work for you?
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Monday, August 25, 2008 6:51 AM
  • How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    How about the GPP? Is the password captured in the GPP as recoverable plaintext?
    Tuesday, December 01, 2009 4:47 PM
  • How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    That's true.
    How about the GPP? Is the password captured in the GPP as recoverable plaintext?

    No. The cpassword part is hashed in the preference.
    You can check this if you'd like in the SYSVOL.
    Tuesday, December 01, 2009 9:28 PM
  • Hi Sander

    I just stumbled on this. Do we really need to script it? Because looking from the link below, it does not require scripting.

    http://blogs.technet.com/b/jratsch/archive/2009/03/27/how-to-change-the-password-for-the-local-administrator-account-on-multiple-machines-the-easy-way-without-scripting.aspx

     

     

    Thursday, June 17, 2010 5:12 AM
  • Hi,

    On 17.06.2010 07:12, cyw77 wrote:

    I just stumbled on this. Do we really need to script it?

    No, you can use the Group Policy Preferences to do that.

    Mark


    Mark Heitbrink - MVP Windows Server - Group Policy

    Homepage:    www.gruppenrichtlinien.de - German
    NNTP Bridge: http://communitybridge.codeplex.com/releases

    Thursday, June 17, 2010 8:55 PM
  • Ok. Not sure why Sander recommends to script it for the password. Was that feature not available to him when he recommends the scripting?
    Friday, June 18, 2010 4:56 AM
  • Ok. Not sure why Sander recommends to script it for the password. Was that feature not available to him when he recommends the scripting?


    When you look at my original post, you'll find that I offered two solutions.
    One of the solutions is using Group Policy Preferences, which is the same solution as you stumbled upon.

    The choice between using Group Policy Preferences and using the script is pretty easy:

    • If you're running Windows 2000 Professional machines in your Active Directory environment, the Group Policy Preferences are not available. You'll need to use the script.
    • If you're running Windows XP Professional machines in your Active Directory environment, the Group Policy Preferences need to be installed onto all the machines before you can use the Group Policy Preferences. Windows Vista and Windows 7 have the Group Policy Preferences installed and enabled by default.
    • If you need advanced reporting, you'll need to use the script, since the Group Policy Preferences do not offer reporting. On the other hand, by the time you need true reporting, you'll be looking at System Center Configuration Manager (SCCM) and have whole other means to change the settings on all the client machines.
    Friday, June 25, 2010 6:43 AM
  • Sander,

     I am on an XP machine trying to edit a test GPO like you mentioned, but I do not see any "Preferences" under Computer Configuration.

     

    I have "Group Policy Preference Client Side Extensions for Windows XP" installed on my machine. Am I missing something?


    Friday, July 30, 2010 7:43 PM
  • Sander,

     I am on an XP machine trying to edit a test GPO like you mentioned, but I do not see any "Preferences" under Computer Configuration.

     

    I have "Group Policy Preference Client Side Extensions for Windows XP" installed on my machine. Am I missing something?


    You will need to use the Group Policy Management Console (GPMC) from Windows Vista SP1 or Windows 7 to be able to manage Group Policy Preferences. Once configured, your Windows XP clients will pick them up.
    Tuesday, August 03, 2010 6:36 PM
  • Just in case you had any questions, here are some posts I have done that answer your questions...

    1. How to use Group Policy Preferences to Secure Local Administrator Groups

    2. How to use Group Policy Preferences to change account Passwords (This article shows you how to mitigate the security issues with changing local account passwords using GPP)

    Hope it helps...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Tuesday, August 03, 2010 9:55 PM
  • How secure are each of these two options? With the script option it would seem that everyone who could get access to the script would be able to see the password. Also, even the script encoder option (it is NOT an encryptor) only really keeps the script from casual prying eyes.

    How about the GPP? Is the password captured in the GPP as recoverable plaintext?

    It seems to me that you can simply deny view rights to all of the users that you don't want to have access to the password script. If I'm not mistaken, a domain computer will still run the script as part of its startup routine even if all of the domain users are denied.
    Monday, September 06, 2010 8:36 PM
  • It seems to me that you can simply deny view rights to all of the users that you don't want to have access to the password script. If I'm not mistaken, a domain computer will still run the script as part of its startup routine even if all of the domain users are denied.


    You don't want to do that. If I'm admin on my box (and there probably are local admins on your boxes _somewhere_), I can read that file. There are ways I can run commands as the "local system" and therefore as a domain computer. If I can run commands in the system's context, I can read the file.

    You could try to encode the password script if it's VBScript. Not sure if that's a secure enough solution, though.

    Cheers,

    Florian


    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Monday, September 06, 2010 8:40 PM
  • Hi. This script will run without admin rights from GPO.
    Tuesday, October 05, 2010 10:28 AM
  • Hi,

    I want to change all local admin passwords in my network. If I use the above script, does it require admin rights on each client machine?

    Please help me.

     

    By Ashok.

    Tuesday, October 05, 2010 10:29 AM
  • Hi. I want to change the local administrator password through GPO in my domain environment. I am following the steps as you have written, but I can't see (Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User). Thanks.
    Sunday, October 17, 2010 6:15 AM
  • Hi,

    This works fine for Windows Vista and Windows 7, but for Windows XP this is not effective.

    Friday, December 03, 2010 8:01 AM
  • This works for some of the XP computers and some it does not... it's so strange.


    The GPO shows applied under gpresult but it doesn't actually make the change???

     

    Any ideas?

     

    Regards,

    DEMPC

    Tuesday, January 18, 2011 8:28 PM
  • I am also looking at an option where I can change the local admin account password across the network on a periodic basis.

    Any help / suggestions welcome

    Monday, February 07, 2011 5:55 AM
  • Make sure KB943729 Group Policy Preference Client Side Extensions for Windows XP is installed.

    I had the same problem. After installing it worked a charm.

    Tuesday, April 19, 2011 5:31 AM
  • do not change local admin password

     

    Friday, May 20, 2011 11:09 AM
  • i am creat in user in ou but right in administrator but user change local admin password

     

    Friday, May 20, 2011 11:12 AM
  • Just in case you had any questions, here are some posts I have done that answer your questions...

    1. How to use Group Policy Preferences to Secure Local Administrator Groups

    2. How to use Group Policy Preferences to change account Passwords (This article shows you how to mitigate the security issues with changing local account passwords using GPP)

    Hope it helps...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    Nice and clear.  Thanks for the links!
    Friday, May 20, 2011 2:49 PM
  • Here is a link to a blog post I have done that shows how you can change the password for a local account... it also covers ways to mitigate having it as a standing setting applied, which can reveal the password as it is stored in SYSVOL, which is easily readable... Best Practice: How to use Group Policy Preferences to change account Passwords

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
    Thursday, August 11, 2011 10:17 AM
  • I can't seem to get this to work with Windows 8. It has been working with our XP and 7 machines, but the first Windows 8 box can't seem to set the administrator password. It was able to create a new user, it just can't seem to change the administrator local account.
    Wednesday, March 27, 2013 3:53 PM
  • Am I correct in assuming that using GPP will update ALL computers in AD? Is there any way to apply this only to workstations and not servers?

    Thursday, August 08, 2013 10:41 AM
  • The easy answer is to use Group Policy Preferences since it has a built-in mechanism for changing/managing local computer passwords. The problem is that while the password in Group Policy Preferences is encrypted using AES 256, the private key for the decryption is posted on MSDN.


    Google "Using Group Policy Preferences for Password Management = Bad Idea" for more info.




    • Edited by ARGifford Wednesday, August 28, 2013 2:44 PM
    Wednesday, August 28, 2013 2:43 PM
  • Thanks for such a nice step by step guidance.

    Very good. 

    Keep it up.

    Regards,

    Nikhil Dalmia.

    Tuesday, February 25, 2014 4:19 AM
  • Updating the password via GPO/GPP is very unsecure.

    Check http://fbinotto.blogspot.co.nz/2014/03/securely-change-local-administrator.html

    Tuesday, March 25, 2014 7:21 AM
  • yep...

    http://support.microsoft.com/kb/2962486

    Friday, June 27, 2014 5:35 PM
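
Added example (not part of the thread and not Microsoft's code): the later replies note that a password set through GPP is stored in SYSVOL in recoverable form, and preference items saved earlier stay there until someone deletes them. The PowerShell below reports which GPP XML files still carry a non-empty cpassword attribute so they can be removed. The function name Find-GppCpassword, the file-name list and the sample Groups.xml are assumptions constructed for illustration.

```powershell
# Reports where a stored GPP password lives. It does not decode the value.
function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$Path)

    # Assumed list of GPP extension files that can hold a stored credential.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $Path -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Unparsable XML: $($file.FullName)"; return }

            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                if (-not $node.GetAttribute('cpassword')) { continue }  # empty = nothing stored
                $item = $node.ParentNode -as [System.Xml.XmlElement]    # e.g. the <User> element
                [pscustomobject]@{
                    File    = $file.FullName
                    Item    = if ($item) { '{0} "{1}"' -f $item.LocalName, $item.GetAttribute('name') }
                    Action  = $node.GetAttribute('action')      # "U" = Update, as chosen in the GPP dialog
                    Account = $node.GetAttribute('userName')    # attribute used by Local User items
                    Changed = if ($item) { $item.GetAttribute('changed') }
                }
            }
        }
}

# Constructed, simplified sample of what the "Local User / Update" item described
# in this thread leaves behind (placeholder value, not a real cpassword).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $demo 'Policies\{CONSTRUCTED-GUID}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2008-08-10 09:05:00">
    <Properties action="U" userName="Administrator" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppCpassword -Path $demo | Format-List
# Against a real domain: Find-GppCpassword -Path "\\$env:USERDNSDOMAIN\SYSVOL"
```

Every file it lists is readable by any account that can read SYSVOL, so delete the preference item (or the whole GPO) and set a new password for the account it managed.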