[gptalk] Re: Group Policy to set local administrator password

  • From: "MONTGOMERY, RONALD [AG/1000]" <ronald.montgomery@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 28 Jun 2007 16:12:48 -0500

We did it in an emergency once before we purchased a third party
management solution. We encrypted the script, which was better than not
trying at all.

Jamie's right on about tightening the permissions on the GPO, but I
think the traffic that's passed over the network can be intercepted and
read?

We had a target list of machines, so we filtered with a security group.
We also had a requirement to have unique passwords for each machine, so
I used a data dictionary in the script. I attached the script if you're
interested. It's pretty simple, sorry!

If your users have admin rights, all bets are off for policy processing
on all your machines. That was one reason why we went with a third party
tool with good reporting capabilities.

Hope this helps.

Ronald

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Matthew
Sent: Thursday, June 28, 2007 3:25 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy to set local administrator password

Is anyone using Group Policy to deploy a script/batch file which sets
the local administrator password?

I am not, but I am considering it. My concern is that the password
would be clear text in the script.

Thanks in advance for any help,

Matthew Johnson


' NAME: Admin Password Reset
'
' COMMENT: This emergency script resets the admin password on a defined
' set of machines.
' This script is intended to be used through group policy.
' This script uses a data dictionary object to store machine names and
' passwords.
'
' Exit Codes:
' 0 = Success (or machine not in the target list)
' 1 = Failure to locate local admin account
' 2 = Reset unsuccessful
' 3 = Reset already performed.
'
'==========================================================================

Option Explicit
Dim strMachine, strRegPath, strPrevious, strLastError
Dim objNet, objUser, objDict, objShell

' The script checks Err after each registry/ADSI call, so errors must not
' abort it. With this line commented out (as in the original attachment)
' the first missing registry value or missing account terminates the script.
On Error Resume Next

Set objDict = CreateObject("Scripting.Dictionary")
' Case-insensitive lookup: NetBIOS names are returned in upper case.
objDict.CompareMode = vbTextCompare

'--------------------------------Start Dictionary-----------------------------
' One entry per target machine: computer name -> new administrator password.
objDict.Add "computername", "password"
'--------------------------------End Dictionary-------------------------------

Set objNet = WScript.CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")

' This reg path is an example only.
strRegPath = "HKLM\Software\YourCompany\PolicyName\AdminPWReset"
strMachine = objNet.ComputerName

' Machines that are not in the dictionary have nothing to do.
If Not objDict.Exists(strMachine) Then
        WScript.Quit(0)
End If

' Check registry for a value indicating the script already ran.
' 0 indicates previous success.
' 1 indicates previous failure to locate the local admin account.
' 2 indicates previous reset unsuccessful.
' No value indicates the script hasn't run (RegRead raises an error).
Err.Clear
strPrevious = objShell.RegRead(strRegPath)
If Err.Number <> 0 Then
        Err.Clear
        strPrevious = ""
End If
' RegRead returns a REG_DWORD as a number; compare as text, because in
' VBScript a numeric value never compares equal to the string "0".
If CStr(strPrevious) = "0" Then
        WScript.Quit(3)
End If

' Locate the local administrator account: first by the default name, then
' by the alternative name used where the account was renamed (Goofy in
' this example).
strLastError = ""
Set objUser = GetLocalAdmin(strMachine, Array("Administrator", "Goofy"))
If objUser Is Nothing Then
        objShell.RegWrite strRegPath, "1", "REG_DWORD"
        objShell.LogEvent 1, "Unable to retrieve local administrator account for password reset(1)." & vbCr & strLastError
        WScript.Quit(1)
End If

' Attempt password reset.
Err.Clear
objUser.SetPassword objDict(strMachine)
objUser.SetInfo
If Err.Number <> 0 Then
        objShell.RegWrite strRegPath, "2", "REG_DWORD"
        objShell.LogEvent 1, "Unable to reset local administrator account password(2)." & vbCr & "Error Code: " & Err.Number & vbCr & "Error Message: " & Err.Description
        Err.Clear
        WScript.Quit(2)
Else
        objShell.RegWrite strRegPath, "0", "REG_DWORD"
        objShell.LogEvent 0, "Local administrator account password successfully reset(0)."
        WScript.Quit(0)
End If

' Returns the first ADSI user object in arrNames that binds successfully on
' strComputer and whose Name matches, or Nothing if none does. The last
' bind error is kept in strLastError for the event-log message.
Function GetLocalAdmin(strComputer, arrNames)
        Dim i, objCandidate
        On Error Resume Next
        Set GetLocalAdmin = Nothing
        For i = 0 To UBound(arrNames)
                Err.Clear
                Set objCandidate = GetObject("WinNT://" & strComputer & "/" & arrNames(i) & ",user")
                If Err.Number = 0 Then
                        If LCase(objCandidate.Name) = LCase(arrNames(i)) Then
                                Set GetLocalAdmin = objCandidate
                                Exit Function
                        End If
                Else
                        strLastError = "Error Code: " & Err.Number & vbCr & "Error Message: " & Err.Description
                End If
        Next
End Function
