Thoughts on Technology
Changing Local Admin Passwords on the network
Every so often, it’s good practice to change passwords. I think everyone in IT is aware of that. One of the most overlooked passwords is the local Administrator’s password on every machine on the network.
Sure, your users are required to change theirs every 90 days, and you change your domain Administrator’s password at times as well. The local Administrator on your member servers and all your PCs is usually overlooked, or avoided, because you don’t have time to touch all those machines…
Well, before Windows 2008, we would have to create a script to change the local Administrator’s password, and assign that script into a Group Policy, under the Computer Logon Scripts. Usually, the script looks like this:
Set WshNetwork = WScript.CreateObject("WScript.Network")
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "NewPasswordHere"   ' placeholder: the new password sits here in clear text
objUser.SetInfo
This would then apply the new password to the Local Administrator account once the machine got the new policy and rebooted. The problem with using a script, however, is that the new password is in clear text for anyone to see, assuming they dig through the SYSVOL share.
With Windows 2008 comes Group Policy Preferences. Policy Preferences can be used to configure things like:
- Folder Options
- Drive Mappings
- Scheduled Tasks
- Local Users
When it is used to change the Local Administrator’s password, the password is not stored in clear text where anyone snooping through the SYSVOL share can read it.
To change the Local Administrator’s password for all machines assigned this Group Policy, edit the policy and choose:
<Computer Configuration> –> <Preferences> –> <Control Panel Settings> –> <Local Users and Groups>
Right click in the white space and select New –> Local User.
Set the Action to Update, the user name to Administrator, and then enter your new password twice. You can also change the expiration options, etc.
Once saved, the item shows in the list. You can also use this area to add local users if you need to. Some companies may want to disable the built-in Local Administrator and create a custom local administrator account with a different username.
That’s it. Once all the PCs get the new policy applied, your local administrator password will be changed.
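As an added example (not code from the original post), here is a small audit that parses the Groups.xml file the Local Users and Groups preference item above is saved to in SYSVOL (under the GPO’s Machine\Preferences\Groups folder), so you can inventory which policies manage the local Administrator this way. The sample XML is constructed to mirror the Administrator update item; the clsid and stored-password values are placeholders.

```python
"""Inventory Local User preference items from a Group Policy Preferences Groups.xml.

Added example, not part of the original post. Assumes the "Local Users and Groups"
item is written to <GPO>\\Machine\\Preferences\\Groups\\Groups.xml in SYSVOL.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: an "Update Administrator" item (as in the post) plus a "Create" item.
SAMPLE_GROUPS_XML = """<Groups clsid="{GUID-PLACEHOLDER}">
  <User clsid="{GUID-PLACEHOLDER}" name="Administrator" changed="2009-03-01 10:00:00" uid="{GUID-PLACEHOLDER}">
    <Properties action="U" newName="" fullName="" description="" cpassword="STORED-PASSWORD-PLACEHOLDER"
      changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
  <User clsid="{GUID-PLACEHOLDER}" name="LocalHelpdesk" changed="2009-03-01 10:05:00" uid="{GUID-PLACEHOLDER}">
    <Properties action="C" newName="" fullName="Helpdesk" description=""
      changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="LocalHelpdesk"/>
  </User>
</Groups>
"""

# Single-letter action codes used by the Properties element.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}


@dataclass
class LocalUserItem:
    user_name: str
    action: str
    stores_password: bool   # True when the item carries a password value
    disabled: bool
    never_expires: bool


def parse_groups_xml(xml_text):
    """Return one LocalUserItem per <User> element in a Groups.xml document."""
    items = []
    for user in ET.fromstring(xml_text).iter("User"):
        props = user.find("Properties")
        if props is None:
            continue
        items.append(LocalUserItem(
            user_name=props.get("userName", user.get("name", "")),
            action=ACTIONS.get(props.get("action", ""), "Unknown"),
            stores_password=bool(props.get("cpassword")),
            disabled=props.get("acctDisabled") == "1",
            never_expires=props.get("neverExpires") == "1",
        ))
    return items


def items_setting_admin_password(items):
    """The post's scenario: items that set a password on an account named Administrator."""
    return [i for i in items if i.stores_password and i.user_name.lower() == "administrator"]


if __name__ == "__main__":
    for item in parse_groups_xml(SAMPLE_GROUPS_XML):
        print(item)
```

Point parse_groups_xml at each Groups.xml found under your domain’s SYSVOL Policies folder to list every GPO that manages local accounts this way.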