Set Local Admin Password

    Question

  • Hi,

    Since the removal of the ability to set the local admin password does anyone know of a way to do this?

    I know there is a program out there but that sets every client to have a random admin password and I need to have a known one across all clients. I also thought of writing a script that encrypts the password and sets it locally but the only person who can decrypt it is the user who created it.

    I am also thinking of editing the group.xml and putting my own in there but that is not very secure.

    So at the moment I am a bit stuck.

    BTW the admin account is always disabled unless needed for a particular reason.

    Monday, January 18, 2016 8:52 PM
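
    The Groups.xml route mentioned in the question keeps the password in a `cpassword` attribute that is only reversibly encrypted, which is why it is worth auditing for leftovers. The following is an added example, not part of the original post: the function name `Find-GroupsXmlPassword` and the sample XML are constructed for illustration, and the function reports which accounts carry a stored password without decoding it.

```powershell
# Added example: report Group Policy Preferences entries that still carry a stored password.
# Find-GroupsXmlPassword is a hypothetical helper name; the XML below is a constructed sample.
function Find-GroupsXmlPassword {
    param(
        [Parameter(Mandatory)] [string] $XmlText,
        [string] $Source = '(inline sample)'
    )
    $doc = [xml]$XmlText
    # Any element with a non-empty cpassword attribute holds a reversibly encrypted password.
    $hits = $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
    foreach ($node in $hits) {
        [pscustomobject]@{
            Source   = $Source
            Account  = $node.GetAttribute('userName')
            Action   = $node.GetAttribute('action')
            Disabled = ($node.GetAttribute('acctDisabled') -eq '1')
        }
    }
}

# Constructed sample: one entry with a stored password, one without.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" acctDisabled="1"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
  <User name="svc-build">
    <Properties action="U" cpassword="" acctDisabled="0" userName="svc-build"/>
  </User>
</Groups>
'@

# Only the first entry is reported, because only it has a non-empty cpassword.
Find-GroupsXmlPassword -XmlText $sample

# To audit real policies, feed each Groups.xml under SYSVOL to the same function:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Filter Groups.xml |
#     ForEach-Object { Find-GroupsXmlPassword -XmlText (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

    Any row returned points at a policy file whose stored password should be removed and the affected account's password changed.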

Answers

  • If you want the same admin password across all workstations, I'd use pspasswd to initially set it:

    https://technet.microsoft.com/en-us/sysinternals/bb897543.aspx

    It uses the Windows APIs, so the password can't be sniffed.

    I'd get a list of all workstations you want to create it on, then run pspasswd:

    # Export the names of the target workstations, one per line
    Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=acme,DC=local" | Select-Object -ExpandProperty Name | Out-File computers.txt -Encoding ascii
    # --% stops PowerShell from parsing @computers.txt and $$; usage: pspasswd @file Username NewPassword
    pspasswd --% @computers.txt Administrator Pa$$w0rd

    It would ROUGHLY look like the above (I haven't tested it, but it's close), and you could do a scheduled task. Updating the password during the build sequence is probably a good idea too.

    My own advice is to have a different local admin password for all machines, but if for some reason it's not possible at the moment, I'd create a scheduled task like above with pspasswd, and run it from a secure location (you don't want someone to look at the script and get the local admin password!)

    • Marked as answer by OptimAdam Tuesday, January 19, 2016 5:23 PM
    Monday, January 18, 2016 9:31 PM

All replies

  • Local Administrator Password Solutions (LAPS): https://technet.microsoft.com/en-us/library/security/3062591.aspx

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, January 18, 2016 9:06 PM
  • Hi,

    Thanks for the quick response.

    As I said I need a single password across all the clients not randomly generated ones for each machine.

    Monday, January 18, 2016 9:14 PM
  • Hi,

    I agree with Gareth that the password should be unique and random on each computer.

    If a single password is necessary for you, here is an article showing how Group Policy could set the same password locally; you could take a look and use it for reference:
    http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx



    Tuesday, January 19, 2016 1:47 AM
    Moderator
  • Wendy, AdmPwd sets the password to random again.

    I need a static password for MDT so it can automatically log in to domain joined machines to update the system. Unless someone has an alternate solution that will allow MDT to pull back the local admin password and inject it into the setup scripts?

    I think I will just write a script that sets it and have done with it. Once the update has been done I will then enable random passwords.



    • Edited by OptimAdam Tuesday, January 19, 2016 5:23 PM
    Tuesday, January 19, 2016 5:17 PM