Yes, scripting is the way to go. The script you had linked would work, but you're assuming the builtin administrator account is named the same on every system. That is usually the case, but I would use a WMI script that enumerates the accounts based on the SID. See the attached scripts, which should do the trick for you.

1) Save both files to your local system (in the same folder).
2) Take the .txt extension off of the files.
3) Edit the ChgLocalAdmPwd.vbs in Notepad and set the password you want near the bottom of the script. Save your changes.
4) Run the Encode.vbs script and type the file name (ChgLocalAdmPwd.vbs) of the script you want to encode. It must reside in the same folder you are executing Encode.vbs from.
5) ChgLocalAdmPwd.vbe will be generated in the same folder. If you look at the file in Notepad you will see that the bottom section of the code (everything after the **Start Encode** statement) will be scrambled.
6) Run the ChgLocalAdmPwd.vbe as a group policy startup script.

You might want to additionally replace Authenticated Users "read" rights on the scripts folder in the GPO with "Domain Computers" so that nosy users can't browse to SYSVOL and decode the script. VBS encryption isn't very strong, but is enough to deter the average user.

Hope this helps.

Regards,
Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Williams
Sent: Tuesday, December 04, 2007 4:41 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Using Group Policy to change local admin password

Hello everyone.

Just have a couple of questions about using GP to change a local admin account on a couple thousand PCs. I've searched through the archives here to find some information. From what I've found, it would be better to use this as a 'startup script' under computer configuration, as opposed to a 'logon script' under user configuration? Is that correct?

Also, I am not the best scripter (but I am learning) so I was looking for solutions available. I did find this script:

http://www.gpanswers.com/community/viewtopic.php?t=768&sid=a2d4614336e8d74e4caad9d5ed489970

Would this be sufficient for what I am trying to do? Should I be looking for something else? What about error checking, making sure the correct account's password is changed?

Appreciate the help.

Jason

' Encode.vbs: encodes a .vbs or .js file from the current folder to .vbe or .jse
Option Explicit

Dim fso : Set fso = WScript.CreateObject("Scripting.FilesystemObject")

' Ask for the file name; quit if nothing was entered
Dim strSourceFile : strSourceFile = InputBox("Type the name of the source file to encode.")
If strSourceFile = "" Then WScript.Quit

' The source file must be in the folder the script is run from
Dim strSourcePath : strSourcePath = fso.GetFolder(".").Path
If Not fso.FileExists(strSourcePath & "\" & strSourceFile) Then
    MsgBox "File not found.", 0 + 16, "WScript.Encoder"
    WScript.Quit
End If

' Pick the script engine and the output extension from the source extension
Dim szExt, bstrScript, destExt
Select Case fso.GetExtensionName(strSourcePath & "\" & strSourceFile)
    Case "vbs"
        szExt = ".vbs"
        bstrScript = "VBScript"
        destExt = ".vbe"
    Case "js"
        szExt = ".js"
        bstrScript = "JScript"
        destExt = ".jse"
    Case Else
        MsgBox fso.GetExtensionName(strSourcePath & "\" & strSourceFile) & " files not supported in this script."
        WScript.Quit
End Select

' Read the whole source file and encode it
Dim bstrStreamIn : bstrStreamIn = fso.OpenTextFile(strSourcePath & "\" & strSourceFile, 1).ReadAll

Dim enc, EncodedText
Set enc = WScript.CreateObject("Scripting.Encoder")
EncodedText = enc.EncodeScriptFile(szExt, bstrStreamIn, 0, bstrScript)
Set enc = Nothing

' Write the result next to the source; an existing output file is not overwritten
Dim DestPath
DestPath = Replace(strSourcePath & "\" & strSourceFile, szExt, destExt)
If Not fso.FileExists(DestPath) Then
    Dim DestFile
    Set DestFile = fso.OpenTextFile(DestPath, 2, true)
    ' Drop the last character of the encoder output before writing
    DestFile.Write Left(EncodedText, Len(EncodedText) - 1)
    DestFile.Close
    Set DestFile = Nothing
End If

wscript.quit

' ChgLocalAdmPwd.vbs: finds the builtin local administrator by SID and sets its password
On Error Resume Next

Dim wsn : Set wsn = CreateObject("WScript.Network")
Dim strBuiltinAdmin

' Enumerate the accounts whose domain is this computer, i.e. the local accounts
Dim objWMI : Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Dim colLocalUsers : Set colLocalUsers = objWMI.ExecQuery("SELECT * FROM Win32_Account WHERE Domain='" & UCase(wsn.ComputerName) & "'",,48)

' The builtin administrator is the account whose SID starts with S-1-5- and ends with -500,
' whatever the account has been renamed to
For Each objUser In colLocalUsers
    If Left(objUser.SID, 6) = "S-1-5-" And Right(objUser.SID, 4) = "-500" Then
        strBuiltinAdmin = objUser.Name
        Exit For
    End If
Next

Set colLocalUsers = Nothing
Set objWMI = Nothing

' Only change the password if the account was found
If Not IsEmpty(strBuiltinAdmin) Then ConfigAdminAccount()

Set wsn = Nothing
WScript.Quit

'===============================================================
'**Start Encode**
'===============================================================

'--------------------
Sub ConfigAdminAccount()
'--------------------
    On Error Resume Next
    Dim oUser : Set oUser = GetObject("WinNT://" & UCase(wsn.ComputerName) & "/" & strBuiltinAdmin)
    With oUser
        ' Set the password you want here before encoding the script
        .SetPassword("P@ssW0rd")
        .SetInfo
    End With
    Set oUser = Nothing
End Sub
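
An added example, not part of the original thread or its attachments: a Python audit that an administrator could run over a copy of the GPO scripts folder to list scripts that set a password from a string literal or that carry a Script Encoder block (such a block starts with `#@~^`). The folder layout, file contents and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ENCODED_MARKER = "#@~^"  # start of a Script Encoder block in .vbe/.jse files
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse"}
# SetPassword called with a quoted literal: .SetPassword("...") or .SetPassword "..."
LITERAL_PASSWORD = re.compile(r'\.SetPassword\s*\(?\s*"[^"]+"', re.IGNORECASE)


def audit_scripts(root):
    """Return sorted (relative path, finding) pairs for script files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        text = path.read_text(encoding="latin-1")  # latin-1 decodes any byte
        rel = path.relative_to(root).as_posix()
        if LITERAL_PASSWORD.search(text):
            findings.append((rel, "plaintext password literal"))
        if ENCODED_MARKER in text:
            findings.append((rel, "encoded block: review the unencoded source"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample files standing in for a GPO startup scripts folder."""
    scripts = Path(root) / "Machine" / "Scripts" / "Startup"
    scripts.mkdir(parents=True)
    (scripts / "ChgLocalAdmPwd.vbs").write_text(
        'With oUser\n  .SetPassword("EXAMPLE-ONLY")\n  .SetInfo\nEnd With\n')
    # Clear-text header followed by a made-up block (not real encoder output)
    (scripts / "ChgLocalAdmPwd.vbe").write_text(
        "WScript.Quit\n'**Start Encode**\n#@~^AAAAAA==constructed^#~@\n")
    (scripts / "MapDrives.vbs").write_text(
        'wsn.MapNetworkDrive "H:", "\\\\srv\\home"\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_scripts(build_sample_tree(tmp)):
            print(f"{rel}: {finding}")
```
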