Changing Local Admin Passwords on the network

Every so often, it’s good practice to change passwords.  I think that everyone it IT is aware of that. One of the most overlooked passwords is the local Administrator’s password on every machine on the network.

Sure, your user’s are required to change theirs every 90 days, and you change your domain Administrator’s password at times as well. The local Administrator on your member servers and all your PCs is usually overlooked, or avoided, because you don’t have time to touch all those machines…

Well, before Windows 2008, we would have to create a script to change the local Administrator’s password, and assign that script into a Group Policy, under the Computer Logon Scripts.  Usually, the script looks like this:

Set WshNetwork = WScript.CreateObject(“WScript.Network”)
StrComputer = “.”
Set objUser = GetObject(“WinNT://” & strComputer & “/Administrator,user”)
objUser.SetPassword “new-password-here”

This would then apply the new password to the Local Administrator account once the machine got the new policy and rebooted.  The problem with using a script, however, is that the new password is in clear-text for anyone to see. (Assuming they dig thought the sysvol share).

With Windows 2008 comes Group Policy Preferences. Policy Preferences can be used to configure things like:

  • Folder Options
  • Drive Mappings
  • Printers
  • Scheduled Tasks
  • Services
  • Local Users

When using it to change the Local Administrator’s password; the password is not stored in clear-text for anyone to read snooping through the sysvol share.

To change to Local Administrator’s password for all machines assigned this Group Policy, edit the policy and choose:

<Computer Configuration> –> <Preferences> –> <Control Panel Settings> –> <Local Users and Groups>

Right click in the white space and select New –> Local User.

Configure the Action for Update, and the username of Administrator, and then your new password twice.  You can also change the expiration options, etc.

Once saved, it will now show in the list.  You can use this area to add local users if you needed to as well. Some companies may want to set the Local Administrator to disabled, and create a custom Local Administrator with a different username.

That’s it.  Once all the PCs get the new policy applied, your local administrator password will be changed.


This Post Has 5 Comments

  1. karthikeyan

    hi tim
    i have followed your blog but i am not able to change password through GPO preference method… can you guide me..


    1. Tim

      This will need to be in a 2008 domain. Create a group policy and attach it to the container (or domain) level. Follow the steps in the article for the GPO settings. PCs will need to pickup the new policy. You can check by using the “gpresult” command on the PC to verify it is applying the group policy.

  2. Le Minh Vuong

    I`m ready change password, But can not input password and confim password, can you help me,
    I Use Active Directory 2008

    1. Tim

      The password can be put in (twice) into the fields shown.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.