[gptalk] Re: Using Group Policy to change local admin password

  • From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 4 Dec 2007 17:10:48 -0600

Yes, scripting is the way to go. The script you had linked would work,
but you're assuming the builtin administrator account is named the same
on every system. That is usually the case, but I would use a WMI script
that enumerates the accounts based on the SID.

See the attached scripts, which should do the trick for you. 

1) Save both files to your local system (in the same folder).
2) Take the .txt extension off of the files.
3) Edit the ChgLocalAdmPwd.vbs in Notepad and set the password you want
near the bottom of the script. Save your changes.
4) Run the Encode.vbs script and type the file name (ChgLocalAdmPwd.vbs)
of the script you want to encode. It must reside in the same folder you
are executing Encode.vbs from.
5) ChgLocalAdmPwd.vbe will be generated in the same folder. If you look
at the file in Notepad you will see that the bottom section of the code
(everything after the **Start Encode** statement) will be scrambled.
6) Run the ChgLocalAdmPwd.vbe as a group policy startup script. You
might want to additionally replace Authenticated Users "read" rights on
the scripts folder in the GPO with "Domain Computers" so that nosy users
can't browse to SYSVOL and decode the script. VBS encryption isn't very
strong, but is enough to deter the average user.

Hope this helps.

Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Williams
Sent: Tuesday, December 04, 2007 4:41 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Using Group Policy to change local admin password

Hello everyone.
Just have a couple of questions about using GP to change a local admin
account on a couple thousand PCs.

I've searched through the archives here to find some information. From
what I've found, it would be better to use this as a 'startup script' under
computer configuration, as opposed to a 'logon script' under user
configuration? Is that correct?

Also, I am not the best scripter (but I am learning) so I was looking
for solutions available.

I did find this script:


Would this be sufficient for what I am trying to do? Should I be looking
for something else? What about error checking, making sure the correct
account's password is changed?

Appreciate the help.


' Encode.vbs - wraps the Scripting.Encoder COM object (the same encoding
' screnc.exe produces) to turn a .vbs/.js file into a .vbe/.jse file.
Option Explicit

Dim fso : Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Dim strSourceFile : strSourceFile = InputBox("Type the name of the source file to encode.")
If strSourceFile = "" Then WScript.Quit

' The source file must sit in the folder Encode.vbs is run from
Dim strSourcePath : strSourcePath = fso.GetFolder(".").Path
If Not fso.FileExists(strSourcePath & "\" & strSourceFile) Then
        MsgBox "File not found.", 0 + 16, "WScript.Encoder"
        WScript.Quit
End If

Dim szExt, bstrScript, destExt
Select Case LCase(fso.GetExtensionName(strSourcePath & "\" & strSourceFile))
        Case "vbs"
                szExt = ".vbs"
                bstrScript = "VBScript"
                destExt = ".vbe"
        Case "js"
                szExt = ".js"
                bstrScript = "JScript"
                destExt = ".jse"
        Case Else
                MsgBox fso.GetExtensionName(strSourcePath & "\" & strSourceFile) & " files not supported in this script."
                WScript.Quit
End Select

' Read the whole source script (1 = ForReading)
Dim bstrStreamIn : bstrStreamIn = fso.OpenTextFile(strSourcePath & "\" & strSourceFile, 1).ReadAll

' Everything after the '**Start Encode** marker in the source is encoded;
' text before the marker is copied through as-is
Dim enc, EncodedText
Set enc = WScript.CreateObject("Scripting.Encoder")
EncodedText = enc.EncodeScriptFile(szExt, bstrStreamIn, 0, bstrScript)
Set enc = Nothing

' Write the encoded script next to the source with the new extension;
' an existing output file is never overwritten (2 = ForWriting)
Dim DestPath
DestPath = Replace(strSourcePath & "\" & strSourceFile, szExt, destExt)
If Not fso.FileExists(DestPath) Then
  Dim DestFile
  Set DestFile = fso.OpenTextFile(DestPath, 2, True)
  DestFile.Write Left(EncodedText, Len(EncodedText) - 1)
  Set DestFile = Nothing
End If

' ChgLocalAdmPwd.vbs - run as a GPO computer startup script. Finds the
' built-in Administrator account by its well-known RID (500) rather than
' by name, then sets its password.
On Error Resume Next

Dim wsn : Set wsn = CreateObject("WScript.Network")
Dim strBuiltinAdmin

' Enumerate local accounts (Domain = this computer's name) through WMI
Dim objWMI : Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Dim colLocalUsers : Set colLocalUsers = objWMI.ExecQuery("SELECT * FROM Win32_Account WHERE Domain='" & UCase(wsn.ComputerName) & "'",,48)
Dim objUser
For Each objUser In colLocalUsers
        ' The built-in Administrator always has SID S-1-5-21-<machine>-500, whatever it is named
        If Left(objUser.SID, 6) = "S-1-5-" And Right(objUser.SID, 4) = "-500" Then
                strBuiltinAdmin = objUser.Name
                Exit For
        End If
Next
Set colLocalUsers = Nothing
Set objWMI = Nothing

' Only touch the account if the RID-500 lookup actually found one
If Not IsEmpty(strBuiltinAdmin) Then ConfigAdminAccount()

Set wsn = Nothing

'**Start Encode**
Sub ConfigAdminAccount()
On Error Resume Next

' Bind to the local account through the WinNT ADSI provider
Dim oUser : Set oUser = GetObject("WinNT://" & UCase(wsn.ComputerName) & "/" & strBuiltinAdmin & ",user")
With oUser
        ' Set the password you want here before encoding; the value below is a placeholder
        .SetPassword "CHANGE_ME_PLACEHOLDER"
        .SetInfo
End With
Set oUser = Nothing

End Sub

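As an added check, not part of the thread or its attachments, this PowerShell script lists which principals hold Read on one GPO's Machine\Scripts\Startup folder in SYSVOL, the exposure step 6 above describes; the SYSVOL path, domain name and GPO GUID in $ScriptsFolder are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Audits who can read the startup-scripts
# folder of one GPO in SYSVOL. $ScriptsFolder is a placeholder (assumed domain
# name and GPO GUID); substitute the GPO that deploys ChgLocalAdmPwd.vbe.
param(
    [string]$ScriptsFolder = '\\example.local\SYSVOL\example.local\Policies\{00000000-0000-0000-0000-000000000000}\Machine\Scripts\Startup'
)

# Principals broad enough that Read on the folder lets any ordinary user copy the .vbe
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

function Get-ScriptFolderReaders {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include reading file contents matter here
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($ace.FileSystemRights -band $readData) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Broad     = ($BroadPrincipals -contains $ace.IdentityReference.Value)
        }
    }
}

$readers = Get-ScriptFolderReaders -Path $ScriptsFolder
$readers | Format-Table -AutoSize

# Deny ACEs are not evaluated here, so a 'Broad' hit is something to confirm by hand
$exposed = @($readers | Where-Object { $_.Broad })
if ($exposed.Count -gt 0) {
    Write-Warning ("Startup script folder is readable by: " + ($exposed.Identity -join ', '))
} else {
    Write-Output "No broad principal has Read on $ScriptsFolder"
}
```

After replacing Authenticated Users with Domain Computers as step 6 suggests, rerun the script: the Broad column should be False for every remaining Allow entry.
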