[gptalk] Re: Group Policy to set local administrator password

  • From: "MONTGOMERY, RONALD [AG/1000]" <ronald.montgomery@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 28 Jun 2007 16:12:48 -0500

We did it in an emergency once before we purchased a third party
management solution. We encrypted the script, which was better than not
trying at all.

Jamie's right on about tightening the permissions on the GPO, but I
think the traffic that's passed over the network can be intercepted and


We had a target list of machines, so we filtered with a security group.
We also had a requirement to have unique passwords for each machine, so
I used a data dictionary in the script. I attached the script if you're
interested. It's pretty simple, sorry!


If your users have admin rights, all bets are off for policy processing
on all your machines. That was one reason why we went with a third party
tool with good reporting capabilities.


Hope this helps.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Matthew
Sent: Thursday, June 28, 2007 3:25 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy to set local administrator password


Is anyone using Group Policy to deploy a script/batch file which sets
the local administrator password?


I am not, but I am considering it.  My concern is that the password
would be clear text in the script.


Thanks in advance for any help,

Matthew Johnson



' NAME: Admin Password Reset
' COMMENT: This emergency script resets the admin password on a defined
' set of machines.
' This script is intended to be used through group policy.
' This script uses a data dictionary object to store machine names and
' their passwords.
' Exit Codes:
' 0 = Success
' 1 = Failure to locate local admin account
' 2 = Reset unsuccessful
' 3 = Reset already performed.
Option Explicit
Dim strMachine, strCaption, strRegPath
Dim objNet, objUser, objDict, objShell
Dim a

'Errors are checked explicitly through Err.Number below.
On Error Resume Next

Set objDict = CreateObject("Scripting.Dictionary")
objDict.CompareMode = vbTextCompare

'--------------------------------Start Dictionary-----------------------------
objDict.Add "computername","password"

'--------------------------------End Dictionary-------------------------------

Set objNet = WScript.CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")

'This reg path is an example only.
strRegPath = "HKLM\Software\YourCompany\PolicyName\AdminPWReset"
strMachine = objNet.ComputerName

'Check registry for key indicating script already ran successfully.
'0 indicates previous success.
'1 indicates previous failure to locate the local admin account.
'2 indicates previous reset unsuccessful.
'No reg key indicates the script hasn't run (RegRead raises an error).
a = objShell.RegRead(strRegPath)
If Err.Number = 0 Then
        If CStr(a) = "0" Then
                'Exit code 3 = reset already performed (see header).
                WScript.Quit 3
        End If
End If
Err.Clear

'Attempt password reset.

If objDict.Exists(strMachine) Then
        'The ",user" class hint completes the ADsPath, which is cut off
        'after the comma in the archived copy of this script.
        Set objUser = GetObject("WinNT://" & strMachine & "/Administrator,user")
        If Err.Number <> 0 Then
                Err.Clear
                Set objUser = Nothing
                'In case you have local admin account named something besides
                'default, in this case Goofy...
                Set objUser = GetObject("WinNT://" & strMachine & "/Goofy,user")
                If Err.Number <> 0 Then
                        objShell.RegWrite strRegPath, 1, "REG_DWORD"
                        objShell.LogEvent 1, "Unable to retrieve local " & _
                                "administrator account for password reset(1)." & vbCr & _
                                "Error Code: " & Err.Number & vbCr & _
                                "Error Message: " & Err.Description
                        WScript.Quit 1
                End If
        End If

        ' Set the password for the account
        objUser.SetPassword objDict(strMachine)
        If Err.Number <> 0 Then
                objShell.RegWrite strRegPath, 2, "REG_DWORD"
                objShell.LogEvent 1, "Unable to reset local " & _
                        "administrator account password(2)." & vbCr & _
                        "Error Code: " & Err.Number & vbCr & _
                        "Error Message: " & Err.Description
                WScript.Quit 2
        Else
                objShell.RegWrite strRegPath, 0, "REG_DWORD"
                objShell.LogEvent 0, "Local administrator account " & _
                        "password successfully reset(0)."
        End If
End If

'Release object references.
Set objNet = Nothing
Set objUser = Nothing
Set objDict = Nothing
Set objShell = Nothing
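
An added example, not part of the original thread or of the attached script: a PowerShell audit that walks a folder of policy scripts and reports the lines that carry a password literal in the ways this thread discusses (a dictionary entry, a SetPassword call, a net user command). The function name, the patterns and the example path are assumptions, and the patterns are heuristics that will need tuning.

```powershell
# Added example: locate script files that embed password literals.
# Function name, patterns and the example path are assumptions, not from the thread.
function Find-EmbeddedPassword {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Heuristic patterns for the ways a startup script can carry a password.
    $patterns = [ordered]@{
        'Dictionary entry with two string literals' = '\.Add\s*\(?\s*"[^"]+"\s*,\s*"[^"]+"'
        'SetPassword called with a string literal'  = '\.SetPassword\s*\(?\s*"[^"]+"'
        'net user <account> <password>'             = '\bnet(\.exe)?\s+user\s+\S+\s+[^\s/*]\S*'
    }
    # Marker at the start of a file produced by the Script Encoder (.vbe/.jse).
    $encodedMarker = '#@~^'

    Get-ChildItem -Path $Path -Recurse -File -Include *.vbs, *.vbe, *.js, *.jse, *.wsf, *.bat, *.cmd |
        ForEach-Object {
            $file  = $_.FullName
            $first = Get-Content -LiteralPath $file -TotalCount 1 -ErrorAction SilentlyContinue

            # Encoded scripts cannot be pattern-matched as text; list them for separate review.
            if ($first -and $first.Contains($encodedMarker)) {
                [pscustomobject]@{ File = $file; Line = 1; Finding = 'Encoded script: contents not scanned' }
                return
            }

            foreach ($name in $patterns.Keys) {
                Select-String -LiteralPath $file -Pattern $patterns[$name] |
                    ForEach-Object {
                        # Report the location only, so the report does not copy the password.
                        [pscustomobject]@{ File = $file; Line = $_.LineNumber; Finding = $name }
                    }
            }
        }
}

# Example call (the path is a placeholder for your own domain's SYSVOL):
# Find-EmbeddedPassword -Path '\\example.local\SYSVOL\example.local\Policies' | Format-Table -AutoSize
```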
