Tuesday, June 1, 2010

Reset Administrator Password on all Domain Computers

There are a lot of ways to do this.  There are free utilities, retail products, and scripts galore, but there’s also a dirt-simple and effective way:

  1. Create a shared folder on a domain member server (domain controller, file server, doesn’t matter)
  2. Restrict permissions on the folder and share so that ONLY the “Domain Computers” group has READ access.  Grant the “Domain Admins” group full control.
  3. Create a .BAT script with the code below and save it in the shared folder as “adminpwd.bat”
  4. Using Group Policy, assign a “startup script” that points to the UNC path and script filename, and link the policy to the appropriate OUs in Active Directory.  (I strongly suggest creating a new test OU and moving just a few computers into it to test at first.)
  5. Reboot your computers and verify the change is executed.

@echo off
net user administrator <new_password>


(where “<new_password>” is replaced with the actual password)
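
Because adminpwd.bat holds the password in clear text, the permissions from step 2 are the only thing keeping it away from other domain accounts. The PowerShell below is an added example, not part of the original post, that lists any NTFS or share permission entry on the script folder beyond what step 2 calls for. It assumes a server with the SmbShare module (Windows Server 2012 or later); the path, share name and domain name are hypothetical placeholders.

```powershell
# Added example (not from the original post). The path, share name and domain
# at the bottom are hypothetical placeholders.
function Get-UnexpectedAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,       # local path of the folder
        [Parameter(Mandatory)] [string] $ShareName,  # name it is shared under
        [Parameter(Mandatory)] [string] $Domain,     # NetBIOS domain name
        # Assumption: SYSTEM and local Administrators on the host are acceptable.
        [string[]] $AlsoAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $reader = "$Domain\Domain Computers"
    $admins = @("$Domain\Domain Admins") + $AlsoAllowed
    # Rights a read-only principal may hold; any other bit is reported.
    $readOk = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

    # NTFS permissions
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($admins -contains $who) { continue }
        $extra = [int]$ace.FileSystemRights -band (-bnot $readOk)
        if ($who -eq $reader -and $extra -eq 0) { continue }
        [pscustomobject]@{ Layer = 'NTFS'; Principal = $who; Rights = $ace.FileSystemRights }
    }

    # Share permissions
    foreach ($entry in (Get-SmbShareAccess -Name $ShareName)) {
        if ($entry.AccessControlType -ne 'Allow') { continue }
        $who = $entry.AccountName
        if ($admins -contains $who) { continue }
        if ($who -eq $reader -and $entry.AccessRight -eq 'Read') { continue }
        [pscustomobject]@{ Layer = 'Share'; Principal = $who; Rights = $entry.AccessRight }
    }
}

$findings = @(Get-UnexpectedAccess -Path 'D:\Scripts\AdminPwd' -ShareName 'AdminPwd' -Domain 'EXAMPLE')
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'Only the expected principals have access.' }
```

Any row it prints (for example Everyone, Authenticated Users or Domain Users) is a principal that can read the script, or a computer account that can do more than read it.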



Bonus:

  • Create another shared folder called “Logs” (or whatever you like) and configure it so that “Domain Admins” have full control and “Domain Computers” have Change/Modify on both the NTFS and share permissions.
  • Add a second line to the .BAT file to write a log file using a redirect (see below) to the shared “logs” folder.  Then you can watch the progress pile up in one place.

@echo off
net user administrator <new_password>
rem COMPUTERNAME is the built-in variable that holds this machine's name
echo Password updated >\\servername\logs\%computername%.txt