Script Stuff: One way to Reset the Local Administrator Password on a Bunch of Computers
Let's say you put down the liquor bottle and the freebasing spoon for just a minute, and make a bold decision that you're not going to stand for having multiple passwords out in your WAN environment for the local Administrator account on each computer. Let's just say. Ok, you can get your lighter back out and continue cooking your spoon.
No, seriously. Some people actually LIKE having different local Administrator passwords for different computers. Some dice them up by office location or some other geosynchronous idiosyncratic polymorphic pursuit, or whatever that last sentence meant. I really don't know. Oh well, nothing wrong with that ***IF*** that is what you intended to have happen. As I tell my son when he gets his turn to pitch in a game: "Even if you hit the umpire with a wild pitch, look like you meant to do it." That's right, the power of the poker-face is incredible. So, maybe you have 500 computers and overall you "discover" that 10 or 30 different passwords are in use. You could shrug it off and hit the umpire. Or you could do something to clean that up. But do you really want to walk around and do that manually? Not unless you're REALLY bored or clueless. So you think maybe a login script would work for this. It might. If the users all have local Administrator permissions to their computers, then it would work. Or maybe you could launch some magical script from your gold-plated, diamond-encrusted throne of a workstation, and blast forth an awesome miracle upon thy computers. But alas, you encountereth thine holy Firewall of doom. What to do?
A computer startup script might just be the trick.
Here's what you'll need:
- A script
- A network share
- A group policy setting
- A coil of cotton rope
- A roll of duct tape
- A case of Red Bull
Ok, you might not need the rope.
SCRIPT
Here's the script, but make sure you edit it before you use it (pa-leeze?):
@ECHO OFF
REM Reset the local Administrator password; replace NewPassword123 before you deploy this
NET USER Administrator NewPassword123
REM Marker file for your verification step; it says FAILED when NET USER returned an error
IF ERRORLEVEL 1 (ECHO %DATE% %TIME% Local Admin Account Password Reset FAILED >C:\AdmPwd.txt) ELSE (ECHO %DATE% %TIME% Local Admin Account Password Reset >C:\AdmPwd.txt)
SHARED FOLDER
Save that script into a .BAT file and post it in a shared folder on your network. Now, configure the permissions on that shared folder such that it permits the domain security group "Domain Computers" to have READ access. Also, grant "Domain Computers" READ access in the Share permissions. Why? Because start-up scripts run under the context of the local SYSTEM account, which *IS* the computer itself. And the computer account has NO rights to anything on your network without being explicitly granted. Computers are only added to the domain group "Domain Computers" and no other groups. They are not members of "Domain Users" or "Everyone" and they don't get bestowed with membership to "Authenticated Users" either. You could modify the permissions on the NETLOGON shares on your domain controllers, but that may be tricky with multiple domain controllers, so I recommend a separate shared folder if possible.
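Here is an added example of setting up that shared folder from PowerShell on the file server (this is not code from the original post). It grants "Domain Computers" read-only access at both the NTFS and the share level and then prints both ACLs, so you can confirm that nobody broader (Everyone, local Users) can read the script. That check matters because the .BAT contains the new password in clear text: anyone who can read the share has it. The domain name CONTOSO, the folder D:\Shares\StartupScripts and the share name StartupScripts$ are placeholders.

```powershell
# Added example (not from the original post): create the script share and grant
# "Domain Computers" read-only access at both the NTFS and the share level, then
# show both ACLs so nothing broader (Everyone, Users) has access to the .BAT.
# Placeholders: domain CONTOSO, folder D:\Shares\StartupScripts, share StartupScripts$.
# Run on the file server as a domain admin.
$Domain    = 'CONTOSO'
$Path      = 'D:\Shares\StartupScripts'
$ShareName = 'StartupScripts$'
$Computers = "$Domain\Domain Computers"
$Admins    = "$Domain\Domain Admins"

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS permissions: stop inheriting from the parent folder so entries such as the local
# Users group do not come along, then allow only SYSTEM and Domain Admins (full control)
# and Domain Computers (read and execute).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl' },
    @{ Id = $Admins;              Rights = 'FullControl' },
    @{ Id = $Computers;           Rights = 'ReadAndExecute' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $entry.Id, $entry.Rights, $inherit, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions: only the same two principals. Because explicit access lists are
# given, Everyone is not granted anything on the share.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Computers -FullAccess $Admins | Out-Null

# Verify both layers; effective access is the more restrictive of the two.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

After the rollout is finished, take the .BAT out of the share (or at least overwrite the password in it); the share only needs to hold the clear-text password for as long as computers are still picking it up.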
GROUP POLICY SETTING
The next step is to either add a setting to an existing Group Policy Object (GPO) or create a new GPO just for this. I strongly recommend the latter since it makes it much easier to troubleshoot using RSOP if you need to. The setting is buried under Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown) and you simply enter the UNC path to the script. UNC paths are those that begin with "\\" and are followed by the name of the host server and then the shared folder name and sub-folders, etc.
Test this first! Never roll out a GPO setting without some sort of controlled testing - EVER!
Here's a suggestion: Create a test OU in Active Directory and move a test computer account into that OU. Then link your shiny new GPO to this OU and give it a few minutes. Then walk over (or connect remotely) and restart the test computer. If the policy took effect and the script ran successfully, look for a file named AdmPwd.txt under the C:\ root path.
THE ROLLOUT
If you can't kindly coerce all your users to reboot their computers in an orderly fashion, and you can't beat them into submission either, you could try the trusty old SHUTDOWN approach. (Syntax: SHUTDOWN /M \\computername /R /F /T 0 /C "Forced restart"). However, if you ran into firewall issues earlier, that may block this from working as well. You might turn off the firewalls via another GPO setting, but that's your call to make.
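The test and rollout steps above, as an added PowerShell helper (not code from the original post): it links the GPO to the pilot OU, restarts the computers in that OU that answer a ping (the same effect as the SHUTDOWN command), and, when run again after they have come back up, reports which ones wrote the C:\AdmPwd.txt marker and which still need attention. The GPO name, the OU distinguished name and the domain are placeholders; it assumes the ActiveDirectory and GroupPolicy RSAT modules, admin rights on the target computers, and the remote-administration firewall rules being open (the same ones SHUTDOWN /M needs).

```powershell
# Added example (not from the original post): pilot and rollout helper for the startup
# script. Phases: Link (attach the GPO to the pilot OU), Restart (reboot reachable
# computers in that OU), Report (who has the C:\AdmPwd.txt marker, who does not).
# Placeholders: GPO name, OU distinguished name, domain. Needs ActiveDirectory and
# GroupPolicy RSAT modules, admin rights on the targets and open remote-admin firewall rules.
param(
    [ValidateSet('Link', 'Restart', 'Report')] [string] $Phase = 'Report'
)
$GpoName = 'Reset Local Admin Password'                          # placeholder
$OU      = 'OU=PwdResetPilot,OU=Workstations,DC=contoso,DC=com'  # placeholder
$Marker  = 'AdmPwd.txt'                                          # written by the startup script

$computers = Get-ADComputer -SearchBase $OU -Filter * | Select-Object -ExpandProperty Name

switch ($Phase) {
    'Link' {
        # The startup script itself is configured in GPMC; this only links the finished GPO.
        New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes | Out-Null
        "Linked '$GpoName' to $OU ($($computers.Count) computers). Wait for replication and a policy refresh before restarting."
    }
    'Restart' {
        foreach ($c in $computers) {
            if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
                # Same effect as: SHUTDOWN /M \\$c /R /F /T 0
                Restart-Computer -ComputerName $c -Force -ErrorAction Continue
                "$c : restart requested"
            } else {
                "$c : unreachable (offline or firewalled), restart it by hand or retry later"
            }
        }
    }
    'Report' {
        $report = foreach ($c in $computers) {
            $path    = "\\$c\C$\$Marker"
            $present = Test-Path -Path $path -ErrorAction SilentlyContinue
            $content = ''
            if ($present) {
                $content = (Get-Content -Path $path -ErrorAction SilentlyContinue) -join ' '
            }
            [pscustomobject]@{
                Computer  = $c
                ScriptRan = $present
                Marker    = $content
            }
        }
        $report | Sort-Object ScriptRan, Computer | Format-Table -AutoSize
        # Computers without the marker either have not rebooted yet or could not read the
        # share; on those, run "gpresult /r /scope computer" locally to see whether the GPO applied.
        'Still missing the marker:'
        $report | Where-Object { -not $_.ScriptRan } | Select-Object -ExpandProperty Computer
    }
}
```

Run it once with -Phase Link, then -Phase Restart, and -Phase Report after the machines have had time to come back up; the Report phase is safe to repeat until the list of computers still missing the marker is empty.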
I hope this helps someone out there. Chou!