Local admin accounts

  • Question

  • Hey all,

    Does anyone have a script to get all computers where Local admin account Password required = No?

    We have a few workstations that have the local admin account password blank.

    A PowerShell script would be great, as I can create a CI in SCCM.

    Cheers.

    Saturday, January 27, 2018 2:56 AM

Answers

  • Like I said.  If the password is blank before "password required" is set then it will be blank and the account will log on at the console.

    By default Win7 and later install with no Administrator password and the Administrator account disabled.  The BUILTIN Admin account has special privileges beyond any account added to the admin group.  If your image has enabled the admin account then it will have a blank password.  The correct images will start the first time and join the configured domain which adds Domain Admins to the local admin group.

    You should post in the Deployment forum to find out the various ways to image a system that sets it up correctly.  The old pre-Win 7 methods do not work well with later systems.

    The Group Policy should be set to "Password Required" in security settings.  This will provide correct protection for new systems.  I leave the admin account disabled and run a remote script to set the password after the system is set up.  There is now a local admin password setting module for AD that manages all local admin accounts.  This will also enforce a password and reset it periodically.


    \_(ツ)_/

    • Marked as answer by Imad Ubadat Saturday, January 27, 2018 7:56 AM
    Saturday, January 27, 2018 7:45 AM

All replies

  • This is done through Group Policy so it won't happen in the future.  Win 7 and later do not allow blank admin passwords by default.

    Please read the following carefully. Look in the Gallery for scripts.

    This Forum is for Scripting Questions rather than script requests

    Script Gallery.

    Learn PowerShell  

    Script requests


    \_(ツ)_/

    Saturday, January 27, 2018 3:00 AM
  • As a trained Windows technician you should already know that there is no way to determine if a password is blank via normal scripts.

    There are numerous security tools that can test this and can report.

    Locally you can just try logging on with no password but any automated logon will not allow you to provide a blank password so you cannot force it to succeed.  All accounts will fail with blank passwords.


    \_(ツ)_/

    Saturday, January 27, 2018 3:04 AM
  • Thanks,

    PS C:\Users\xxx> net user administrator

    User name                    Administrator
    Full Name                    
    Comment                      Built-in account for administering the computer/domain
    User's comment               
    Country/region code          000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            16/11/2016 10:20:28 AM
    Password expires             Never
    Password changeable          18/11/2016 10:20:28 AM
    Password required            Yes
    User may change password     Yes

    Workstations allowed         All
    Logon script                 
    User profile                 
    Home directory               
    Last logon                   17/03/2016 3:14:58 PM

    Logon hours allowed          All

    Local Group Memberships      *Administrators       
    Global Group memberships     *None                 
    The command completed successfully.

    I was hoping for a way I can use that within SCCM as a compliance setting, that's all.

    Something along the lines of: get all computers where Password required = No.

    Saturday, January 27, 2018 3:14 AM
  • I understand that, but if the password is required it cannot be blank.  If the policy was set after a blank password was chosen then the account cannot be used until a password is set.  There is no way to find out if it is blank.

    Locally, at the console, the user will be asked to set the password.  Remotely or via script this cannot be detected or managed.  Your only choice is to set the password on any accounts you suspect.

    There are forensic security tools that can be installed or run locally that can detect a blank password.


    \_(ツ)_/

    Saturday, January 27, 2018 3:18 AM
  • I am not sure we are on the same page here, so let me explain the situation:

    These are domain-joined computers built using an SCCM OSD Task Sequence.

    The local Administrator account password is set by the "Apply Windows Settings" step in the TS.

    A few days back a Technical Service guy reported that he needed to log on to a computer using the local Administrator account and found out the password we used no longer works.

    I built a new PC and checked, and found that you no longer need a password to log on locally to the PCs.

    Upon checking the OSD TS I found out "someone or something" removed the password from the "Apply Windows Settings" step.

    I have re-added the password, but now I need to find out how many of these computers are out there.

    What I need to know now

    Saturday, January 27, 2018 4:23 AM
  • Ok.  Explain how you are going to find accounts with no password.

    If you use Group Policy to enforce passwords (which is the default policy when you define a GPO for password policies) you will not need to worry about any of this. 

    There is no way to detect if an account has no password.

    Here is a method that has been claimed to work for domain accounts, although domain accounts since 2008 have not been allowed blank passwords by default and this may have been useful during migrations.

    https://gallery.technet.microsoft.com/scriptcenter/How-to-check-if-a-domain-2e45a2b4

    It doesn't work on local accounts because local ADSI uses SetPassword.


    \_(ツ)_/

    Saturday, January 27, 2018 4:36 AM
  • Here's what I just did:

    ConfigMgr now allows you to create and run scripts against a collection.

    I managed to identify when the issue started.

    I created a collection of all computers created since then.

    I then deployed the "net user administrator" command to all devices in that collection.

    I got the results as expected.

    Local Group Memberships      *Administrators       
    Global Group memberships     *None                 
    The command completed successfully.
    User name                    Administrator
    Full Name                    
    Comment                      Built-in account for administering the computer/domain
    User's comment               
    Country code                 000 (System Default)
    Account active               Yes
    Account expires              Never
    Password last set            14/11/2017 2:19:15 PM
    Password expires             Never
    Password changeable          16/11/2017 2:19:15 PM
    Password required            No
    User may change password     Yes
    Workstations allowed         All
    Logon script                 
    User profile                 
    Home directory               
    Last logon                   21/11/2010 2:17:20 PM

    I am not looking to fix it now, I just needed to identify the devices affected.

    Saturday, January 27, 2018 5:26 AM
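The original question asked for a script usable as an SCCM Configuration Item, and the post above shows the same check done by deploying "net user administrator" to a collection. The script below is an added example, not code from the thread or from Microsoft, that reads the same account flag "net user" prints as "Password required" through the WinNT ADSI provider and returns a compliance string for a CI discovery script. It assumes the script runs as SYSTEM on the client, that the CI's compliance rule compares the returned value against the string "Compliant", and that the account of interest is the built-in Administrator (matched by its RID 500 so a renamed account is still found). As the replies point out, the flag only says the policy bit is cleared; it does not prove the password itself is blank.

```powershell
# Added example (not from the thread): SCCM CI discovery script that reports
# local accounts whose "Password required" flag is No.
# Assumptions: runs as SYSTEM on the client; the CI rule expects "Compliant".

$ADS_UF_ACCOUNTDISABLE = 0x0002   # account is disabled
$ADS_UF_PASSWD_NOTREQD = 0x0020   # shown by 'net user' as "Password required  No"

function Get-LocalAccountPasswordPolicy {
    # Enumerate local accounts through the WinNT ADSI provider so the script also
    # works on clients that do not have the Get-LocalUser cmdlet (pre-PowerShell 5.1).
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($entry in $computer.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }
        $flags = [int]$entry.UserFlags.Value
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($entry.objectSid.Value, 0)
        [pscustomobject]@{
            Name             = $entry.Name
            Sid              = $sid.Value
            IsBuiltinAdmin   = $sid.Value.EndsWith('-500')   # well-known RID of the built-in Administrator
            Enabled          = -not ($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordRequired = -not ($flags -band $ADS_UF_PASSWD_NOTREQD)
        }
    }
}

# Non-compliant when the built-in Administrator, or any other enabled local
# account, has the "password not required" bit set.
$findings = Get-LocalAccountPasswordPolicy |
    Where-Object { -not $_.PasswordRequired -and ($_.Enabled -or $_.IsBuiltinAdmin) }

if ($findings) {
    # Include the account names so the compliance report shows which ones were flagged.
    "NonCompliant: " + (($findings | ForEach-Object { $_.Name }) -join ', ')
} else {
    "Compliant"
}
```

On clients with PowerShell 5.1 or later the same flag is available as the PasswordRequired property of Get-LocalUser, so `Get-LocalUser | Select-Object Name, Enabled, PasswordRequired` gives an equivalent one-line inventory for the Run Script approach described above. The script only detects; the remediation the replies recommend is a domain password policy applied through Group Policy so the flag is enforced at join time, plus a managed local admin password.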
  • That has nothing to do with blank passwords.  It just means the policy was never set and it should have been set by the domain when the system joined the domain.  Perhaps your GPOs are not set up correctly to enforce a password policy.

    Those accounts may have a password or they may not have a password.


    \_(ツ)_/

    Saturday, January 27, 2018 5:40 AM
  • I can't see how that's the case; if it was a GPO issue then all PCs on the domain would have Password Required Yes or No. I only have 415 out of 14000+ PCs with "Password required: No", and on every PC that had "Password required: No" I was able to log on as .\administrator without the need for a password.

    Saturday, January 27, 2018 7:35 AM
  • OK, I see what you're saying; you are correct, setting the password did not change Password Required to Yes.

    In my case, because we don't have a GPO enforcing the PW policy, and when these computers joined the domain the account had a blank PW, it set that field to No.

    Saturday, January 27, 2018 7:56 AM
  • Why in the world are you not using Group Policy?  That seems a bit foolish.


    \_(ツ)_/

    Saturday, January 27, 2018 7:58 AM
  • I started working in this place 2 years ago and since then all I've been doing is fixing up.

    We have managers who've been here for 15-20 years with the attitude of "if it's not broken, don't fix it"...... try changing that, bro.


    • Edited by Bill_Stewart Saturday, January 27, 2018 4:25 PM Remove profanity
    Saturday, January 27, 2018 9:20 AM