Change Local Admin Password

  • Question

  • Ok, so I have just been tasked with changing the local admin password in my task sequence to something unique for each computer. Currently in my master image I have a custom local admin account. When I deploy the computers using MDT it always enables the local Administrator account to log in and finish the install after rebooting. What I need to do is have the local Administrator account disabled and only have my custom local admin account enabled with a unique password. For instance, let's say my computer name is test25. I would like my custom local admin account to have its password set as "mypasswordxxx", which would be "mypasswordtest25". Any ideas?
    Monday, December 9, 2013 6:00 PM

Answers

  • First thing to do is to create the extra table in the database. I did this by amending the database scripts as part of mdt (BDDAdminDB.sql & BDDAdminDB_Upgrade.sql):

    Into BDDAdminDB.sql

    [LocalAdminPassword] [nvarchar] (255) NULL Default(''),

    Into BDDAdminDB_Upgrade.sql

    -- Same width as the column in BDDAdminDB.sql, so fresh installs and upgrades end up with the same schema
    if not exists (select * from sys.columns where object_id = OBJECT_ID(N'[dbo].[Settings]') and name = 'LocalAdminPassword')
    ALTER TABLE [dbo].[Settings] ADD [LocalAdminPassword] [nvarchar] (255) NULL Default ('')
    GO

    Into Both

    -- The property name must match the new Settings column, not MDT's built-in AdminPassword
    INSERT INTO [dbo].[Descriptions] VALUES ('LocalAdminPassword', 8, 'Miscellaneous', 'Reset Local Administrator password')
    GO

    Then amended the ztiutility to include the decode by amending two lines:

    Case "USERID", "USERPASSWORD", "USERDOMAIN", "DOMAINADMIN", "DOMAINADMINPASSWORD", "DOMAINADMINDOMAIN", _
    "ADMINPASSWORD", "BDEPIN", "TPMOWNERPASSWORD", "ADDSUSERNAME", "ADDSPASSWORD", _
    "SAFEMODEADMINPASSWORD", "USERNAME", "USERPASSWORD", "PRODUCTKEY", "LOCALADMINPASSWORD"

    I just added my new variable "LocalAdminPassword" to the end of both lines.

    and for the script... something like this (placed in an MDT style wsf):

    ' oEnvironment comes from ZTIUtility.vbs, which the .wsf must include;
    ' oEnvironment.Item decodes the variable because it is in the Case list above.
    ' sPWUser holds the name of the local account to reset (set earlier in the script).
    sUser2Reset = "WinNT://./" & sPWUser & ",user"

    Set objUser = GetObject(sUser2Reset)

    objUser.SetPassword oEnvironment.Item("LocalAdminPassword")
    objUser.SetInfo

    • Marked as answer by pixa241 Wednesday, December 11, 2013 4:13 PM
    Wednesday, December 11, 2013 10:24 AM
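The accepted answer resets the account from inside a .wsf; the same final task-sequence step written in PowerShell, as an added example that is not from the thread or from MDT, is below. It reads the password from the task sequence environment (Microsoft.SMS.TSEnvironment) rather than from the command line, checks that the custom account really is a local administrator before touching the built-in account, and finds the built-in Administrator by its RID (500) so a renamed account is still the one that gets disabled. The account name 'LocalAdmin' and the variable name are assumptions; change them to match your image and database column.

```powershell
# Added example (not from the thread): final MDT task-sequence step.
# Resets the custom local admin account from a task sequence variable,
# verifies that account can still administer the machine, and only then
# disables the built-in Administrator. 'LocalAdmin' is an assumed name.
param(
    [string]$AccountName = 'LocalAdmin',
    [string]$PasswordVariable = 'LocalAdminPassword'
)
$ErrorActionPreference = 'Stop'

function Get-TsVariable {
    param([string]$Name)
    # Microsoft.SMS.TSEnvironment is the COM object MDT/ConfigMgr expose to scripts.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value($Name)
}

function Get-AdsiLocalUser {
    param([string]$Name)
    $user = [ADSI]"WinNT://./$Name,user"
    $null = $user.Get('Name')   # forces the bind; a missing account throws here
    $user
}

function Set-LocalUserPassword {
    param([string]$Name, [string]$Password)
    $user = Get-AdsiLocalUser $Name
    $user.SetPassword($Password)
    $user.SetInfo()
}

function Set-LocalUserDisabled {
    param([string]$Name, [bool]$Disabled)
    $user = Get-AdsiLocalUser $Name
    $flags = [int]$user.Get('UserFlags')
    if ($Disabled) { $flags = $flags -bor 0x2 }            # ADS_UF_ACCOUNTDISABLE
    else           { $flags = $flags -band (-bnot 0x2) }
    $user.Put('UserFlags', $flags)
    $user.SetInfo()
}

function Test-LocalAdministrator {
    param([string]$Name)
    # Enumerate the local Administrators group through ADSI (works on PowerShell 2.0).
    $group = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $members -contains $Name
}

function Get-BuiltInAdministratorName {
    # RID 500 identifies the built-in Administrator regardless of its current name.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
            Where-Object { $_.SID -match '-500$' }
    $acct.Name
}

$password = Get-TsVariable $PasswordVariable
if ([string]::IsNullOrEmpty($password)) {
    throw "$PasswordVariable is empty in the task sequence environment; refusing to continue."
}
$builtIn = Get-BuiltInAdministratorName
if ($AccountName -eq $builtIn) {
    throw "Refusing to disable the same account ($builtIn) whose password is being set."
}
Set-LocalUserPassword -Name $AccountName -Password $password
if (-not (Test-LocalAdministrator $AccountName)) {
    throw "$AccountName is not in Administrators; leaving $builtIn enabled to avoid a lockout."
}
# The task sequence is still logged on as $builtIn, so the disable only takes
# effect at the next logon; that is why this has to be the last step.
Set-LocalUserDisabled -Name $builtIn -Disabled $true
```

Two caveats. First, this reads the raw task sequence value; properties on ZTIUtility's obfuscation list (which the accepted answer adds LocalAdminPassword to) are stored in the Base64 form ZTIUtility's ObfuscateEncode produces, and only oEnvironment.Item in a .wsf decodes them transparently, so either decode the value in the script or keep the password under a variable name outside that list. Second, a plain `net user Administrator <password>` as a command-line step leaves the password visible in the task sequence log and process listings, which is the reason the script takes it from the environment instead of a parameter.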

All replies

  • Modification of the local administrator account while MDT is still performing an installation is dangerous. MDT requires a local administrator account in order to perform state-restore steps. Perhaps someone else will answer...

    Another solution might be to use Group Policy to change the administrator account name and/or settings.


    Keith Garner - keithga.wordpress.com

    Tuesday, December 10, 2013 12:08 AM
    Moderator
  • Create a script with what you need and have it execute last in your task sequence. Since the administrator is already logged on, changes will not take effect until the next logon.

    Example to change the local administrator password.

    net user Administrator mypassword%computername%

    Example to deactivate the local administrator and set a password

    net user Administrator mypassword%computername% /ACTIVE:NO


    Tuesday, December 10, 2013 1:31 PM
  • I created a script to do this (at the end of the ts like mentioned). I also added a new password field to the database and amended the ztiutility to manage the encoding of the new password variable.
    Tuesday, December 10, 2013 1:39 PM
  • I created a script to do this (at the end of the ts like mentioned). I also added a new password field to the database and amended the ztiutility to manage the encoding of the new password variable.

    Can you explain how you do this and maybe link the script?
    Tuesday, December 10, 2013 8:06 PM
  • I had a project a year ago where I needed to do something similar although they wanted the same password on every machine for the local user account. I downloaded "PassGen" and configured it as an application.

    PassGen.exe -r -l 64 -c Administrator -h

    In my task sequence, the last steps were:

    "Create User Account" (cmd /c net user username password /ADD)
    "Add User Account to Local Admin Group" (cmd /c net localgroup Administrators username /ADD)
    "Set Password to Never Expire" (cmd /c wmic useraccount where name='username' set passwordexpires=false)
    "Disable User Password Change" (cmd /c wmic useraccount where name='username' set passwordchangeable=false)
    "Obfuscate Password" (run the PassGen application as a standalone)
    "Set Admin Password Unchangeable" (cmd /c wmic useraccount where name='Administrator' set passwordchangeable=false)
    "Deactivate the Admin Account" (cmd /c net user Administrator /active:no)

    When you execute that last command, you are still running under the Administrator user account. As soon as the computer restarts, the Administrator account is locked out, and the user you created cannot restart it. For the password, I'd just pass it to the command line as a variable.

     

    Thursday, January 2, 2014 3:55 PM
  • @Kitsune from what I can tell about PassGen.exe it will set the local administrator account password to *Random*, rather than some "recoverable" value.

    http://books.google.com/books?id=yZX2uAoAagwC&pg=PA336&lpg=PA336&dq=PassGen.exe+steve+riley&source=bl&ots=GT50Kms4fK&sig=diBlhQ1B9iLI7HkWJ_T0M9XCVTA&hl=en&sa=X&ei=jUHKUtGAAdL1oATH9YGIBQ&ved=0CDIQ6AEwAQ

    -k


    Keith Garner - keithga.wordpress.com

    Monday, January 6, 2014 5:49 AM
    Moderator
  • I created a script to do this (at the end of the ts like mentioned). I also added a new password field to the database and amended the ztiutility to manage the encoding of the new password variable.

    Sorry RL69, although you have helpfully provided the script, I don't fully follow it. I would also be interested in resetting the local admin password in the MDT Task Sequence of each machine to something unique, but recoverable. It doesn't have to be too complex a solution, e.g. a word all admins know plus some digits from the serial code/hostname. Anything like that would be better than the default situation where every machine has the same admin password.

    In your script, where is the local admin password set, and what do you use to generate the password?

    P.S. Is "passgen" still available? I can't see any live download links for it now.
    Wednesday, May 28, 2014 4:09 PM
  • The reset script would be run from a task sequence script and the password would be taken from the newly created database field. You could set the password to add another variable at the end: January%SERIALNUMBER% which would then make it unique.
    Saturday, June 7, 2014 10:32 AM
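The password schemes proposed in the thread, "mypassword%computername%" and "January%SERIALNUMBER%", are unique per machine but not secret: anyone who sees one of them can write down the password of every other machine. The function below, an added example that is not from the thread or from MDT, keeps the property the posters wanted (an admin can recompute the password offline from the serial on the asset label) while swapping the plain concatenation for an HMAC-SHA256 of the serial number under a secret that only admins hold. The secret value, the 20-character length and the symbol set are assumptions; the draw uses rejection sampling so every character is uniform, and the first four positions come from one class each so the result always satisfies a 3-of-4 complexity policy.

```powershell
# Added example (not from the thread): per-machine password derived from a
# shared admin secret and the machine's serial number. Deterministic, so the
# same inputs always give the same password; change the secret to rotate all.
function New-DerivedPassword {
    param(
        [Parameter(Mandatory = $true)][string]$SharedSecret,   # known to admins only
        [Parameter(Mandatory = $true)][string]$MachineId,      # serial number or hostname
        [int]$Length = 20
    )
    $classes = @('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz', '0123456789', '!#%+-=?@')
    $all = $classes -join ''
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)." }
    # Normalise so BIOS and hostname capitalisation differences do not change the result.
    $id = $MachineId.Trim().ToUpperInvariant()
    if ($id -eq '') { throw 'MachineId must not be empty.' }

    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $idBytes = [Text.Encoding]::UTF8.GetBytes($id)

    $out = New-Object System.Text.StringBuilder
    $block = 0          # counter appended to the id: HMAC(secret, id || counter)
    $buffer = @()       # bytes of the current HMAC block
    $i = 0              # next unused byte in $buffer
    for ($p = 0; $p -lt $Length; $p++) {
        # Positions 0..3 each draw from one class (fixed positions cost only a
        # few bits of entropy); later positions draw from the full alphabet.
        $alphabet = if ($p -lt $classes.Count) { $classes[$p] } else { $all }
        $n = $alphabet.Length
        $limit = [int][math]::Floor(256 / $n) * $n   # reject bytes above this to stay uniform
        do {
            if ($i -ge $buffer.Length) {
                $msg = [byte[]]($idBytes + [BitConverter]::GetBytes([int]$block))
                $buffer = $hmac.ComputeHash($msg)
                $i = 0
                $block++
            }
            $b = [int]$buffer[$i]
            $i++
        } while ($b -ge $limit)
        $null = $out.Append($alphabet[$b % $n])
    }
    $hmac.Clear()
    $out.ToString()
}

# Derive for this machine from the BIOS serial, as a task sequence step would;
# an admin recovers the same value later from the serial on the asset label.
$serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
New-DerivedPassword -SharedSecret 'replace-with-a-long-random-secret' -MachineId $serial
```

The shared secret is now the thing that unlocks every machine, so treat it accordingly: the safer pattern is to run this on the admin side when populating the LocalAdminPassword database column from the accepted answer, so the secret never lands on the deployment share or in a task sequence variable, and to rotate it (and redeploy or re-run the reset step) if it is ever exposed.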