[gptalk] Re: Using Group Policy to change local admin password
- From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 4 Dec 2007 17:10:48 -0600
Yes, scripting is the way to go. The script you had linked would work,
but you're assuming the builtin administrator account is named the same
on every system. That is usually the case, but I would use a WMI script
that enumerates the accounts based on the SID.
See the attached scripts, which should do the trick for you.
1) Save both files to your local system (in the same folder).
2) Take the .txt extension off of the files.
3) Edit the ChgLocalAdmPwd.vbs in Notepad and set the password you want
near the bottom of the script. Save your changes.
4) Run the Encode.vbs script and type the file name (ChgLocalAdmPwd.vbs)
of the script you want to encode. It must reside in the same folder you
are executing Encode.vbs from.
5) ChgLocalAdmPwd.vbe will be generated in the same folder. If you look
at the file in Notepad you will see that the bottom section of the code
(everything after the **Start Encode** statement) will be scrambled.
6) Run the ChgLocalAdmPwd.vbe as a group policy startup script. You
might want to additionally replace Authenticated Users "read" rights on
the scripts folder in the GPO with "Domain Computers" so that nosy users
can't browse to SYSVOL and decode the script. VBS encryption isn't very
strong, but is enough to deter the average user.
Hope this helps.
Regards,
Jamie Nelson
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Williams
Sent: Tuesday, December 04, 2007 4:41 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Using Group Policy to change local admin password
Hello everyone.
Just have a couple of questions about using GP to change a local admin
account on couple thousand PC's.
I've searched through the archives here to find some information. From
what i've found, would be better to use this as a 'startup script' under
computer configuration, as opposed to a 'logon script' under user
configuration? That correct?
Also, I am not the best scripter (but I am learning) so I was looking
for solutions available.
I did find this script:
http://www.gpanswers.com/community/viewtopic.php?t=768&sid=a2d4614336e8d
74e4caad9d5ed489970
<http://www.gpanswers.com/community/viewtopic.php?t=768&sid=a2d4614336e8
d74e4caad9d5ed489970>
Would this be sufficient for what I am trying to do? Should I be looking
for something else? What about error checking, making sure the correct
accounts password is changed?
Appreciate the help.
Jason
Option Explicit
Dim fso : Set fso = WScript.CreateObject("Scripting.FilesystemObject")
Dim strSourceFile : strSourceFile = InputBox("Type the name of the source file
to encode.")
If strSourceFile = "" Then WScript.Quit
Dim strSourcePath : strSourcePath = fso.GetFolder(".").Path
If Not fso.FileExists(strSourcePath & "\" & strSourceFile) Then
MsgBox "File not found.", 0 + 16, "WScript.Encoder"
WScript.Quit
End If
Dim szExt, bstrScript, destExt
Select Case fso.GetExtensionName(strSourcePath & "\" & strSourceFile)
Case "vbs"
szExt = ".vbs"
bstrScript = "VBScript"
destExt = ".vbe"
Case "js"
szExt = ".js"
bstrScript = "JScript"
destExt = ".jse"
Case Else
MsgBox fso.GetExtensionName(strSourcePath & "\" &
strSourceFile) & " files not supported in this script."
WScript.Quit
End Select
Dim bstrStreamIn : bstrStreamIn = fso.OpenTextFile(strSourcePath & "\" &
strSourceFile, 1).ReadAll
Dim enc, EncodedText
Set enc = WScript.CreateObject("Scripting.Encoder")
EncodedText = enc.EncodeScriptFile(szExt, bstrStreamIn, 0, bstrScript)
Set enc = Nothing
Dim DestPath
DestPath = Replace(strSourcePath & "\" & strSourceFile, szExt, destExt)
If Not fso.FileExists(DestPath) Then
Dim DestFile
Set DestFile = fso.OpenTextFile(DestPath, 2, true)
DestFile.Write Left(EncodedText, Len(EncodedText) - 1)
DestFile.Close
Set DestFile = Nothing
End If
wscript.quitOn Error Resume Next
Dim wsn : Set wsn = CreateObject("WScript.Network")
Dim strBuiltinAdmin
Dim objWMI : Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Dim colLocalUsers : Set colLocalUsers = objWMI.ExecQuery("SELECT * FROM
Win32_Account WHERE Domain='" & UCase(wsn.ComputerName) & "'",,48)
For Each objUser In colLocalUsers
If Left(objUser.SID, 6) = "S-1-5-" And Right(objUser.SID, 4) = "-500"
Then
strBuiltinAdmin = objUser.Name
Exit For
End If
Next
Set colLocalUsers = Nothing
Set objWMI = Nothing
If Not IsEmpty(strBuiltinAdmin) Then ConfigAdminAccount()
Set wsn = Nothing
WScript.Quit
'===============================================================
'**Start Encode**
'===============================================================
'--------------------
Sub ConfigAdminAccount()
'--------------------
On Error Resume Next
Dim oUser : Set oUser = GetObject("WinNT://" & UCase(wsn.ComputerName) & "/" &
strBuiltinAdmin)
With oUser
.SetPassword("P@ssW0rd")
.SetInfo
End With
Set oUser = Nothing
End Sub
Other related posts:
