[gptalk] Re: Using Group Policy to change local admin password

  • From: "Jason Williams" <jason.williams14@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 5 Dec 2007 10:03:46 -0800

Thanks Jamie. I will give this a shot and let you know how it goes.



On Dec 4, 2007 3:10 PM, Nelson, Jamie R Contr 72 CS/SCBAF <
Jamie.Nelson.ctr@xxxxxxxxxxxxx> wrote:

> Yes, scripting is the way to go. The script you had linked would work,
> but you're assuming the builtin administrator account is named the same
> on every system. That is usually the case, but I would use a WMI script
> that enumerates the accounts based on the SID.
> See the attached scripts, which should do the trick for you.
> 1) Save both files to your local system (in the same folder).
> 2) Take the .txt extension off of the files.
> 3) Edit the ChgLocalAdmPwd.vbs in Notepad and set the password you want
> near the bottom of the script. Save your changes.
> 4) Run the Encode.vbs script and type the file name (ChgLocalAdmPwd.vbs)
> of the script you want to encode. It must reside in the same folder you
> are executing Encode.vbs from.
> 5) ChgLocalAdmPwd.vbe will be generated in the same folder. If you look
> at the file in Notepad you will see that the bottom section of the code
> (everything after the **Start Encode** statement) will be scrambled.
> 6) Run the ChgLocalAdmPwd.vbe as a group policy startup script. You
> might want to additionally replace Authenticated Users "read" rights on
> the scripts folder in the GPO with "Domain Computers" so that nosy users
> can't browse to SYSVOL and decode the script. VBS encryption isn't very
> strong, but is enough to deter the average user.
> Hope this helps.
> Regards,
> Jamie Nelson
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jason Williams
> Sent: Tuesday, December 04, 2007 4:41 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Using Group Policy to change local admin password
> Hello everyone.
> Just have a couple of questions about using GP to change a local admin
> account on couple thousand PC's.
> I've searched through the archives here to find some information. From
> what i've found, would be better to use this as a 'startup script' under
> computer configuration, as opposed to a 'logon script' under user
> configuration? That correct?
> Also, I am not the best scripter (but I am learning) so I was looking
> for solutions available.
> I did find this script:
> http://www.gpanswers.com/community/viewtopic.php?t=768&sid=a2d4614336e8d
> 74e4caad9d5ed489970
> <http://www.gpanswers.com/community/viewtopic.php?t=768&sid=a2d4614336e8
> d74e4caad9d5ed489970>
> Would this be sufficient for what I am trying to do? Should I be looking
> for something else? What about error checking, making sure the correct
> accounts password is changed?
> Appreciate the help.
> Jason

Other related posts: