Tuesday, June 1, 2010

Reset Administrator Password on all Domain Computers

There are a lot of ways to do this.  There are free utilities, retail products, and scripts galore, but there’s also a dirt-simple and effective way:

  1. Create a shared folder on a domain member server (domain controller, file server, doesn’t matter)
  2. Restrict permissions on the folder and share so that ONLY the “Domain Computers” group has READ access.  Grant the “Domain Admins” group full control.
  3. Create a .BAT script with the code below and save it in the shared folder as “adminpwd.bat”
  4. Using Group Policy, assign a “startup script” to point to the UNC path and script filename, link it to the appropriate OUs in Active Directory.  (I strongly suggest using a new test OU and move just a few computers into it to test at first)
  5. Reboot your computers and verify the change took effect.

The script (startup scripts run under the local SYSTEM account, which is why the share only needs to admit the "Domain Computers" group):

@echo off
net user administrator <new_password>

(where "<new_password>" is replaced with the actual password)

Two things to weigh before rolling this out: the password sits in plain text in a file that every domain computer account can read, so any process running as SYSTEM on any member machine can recover it, and every machine ends up with the same local Administrator password, so one compromised host hands an attacker that password for all of them. Also, "net user administrator" addresses the account by name and fails if the built-in Administrator has been renamed on a machine.



Bonus:

  • Create another shared folder called "Logs" or whatever and configure it so that Domain Admins have full control and "Domain Computers" have Change/Modify on both the NTFS and share permissions.

  • Add a second line to the .BAT file that writes a log file using a redirect (see below) to the shared "logs" folder.  Then you can watch the progress pile up in one place.  Note that the variable is %COMPUTERNAME%; cmd expands an undefined name such as %computer% to an empty string, so every machine would write to the same "\\servername\logs\.txt".

@echo off
net user administrator <new_password>
echo Password updated >\\servername\logs\%COMPUTERNAME%.txt
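The same startup script in PowerShell, added here as an example and not part of the original post. It keeps the post's assumptions (a share named \\servername\logs that Domain Computers can write to, the password supplied inline) but locates the built-in Administrator by its well-known RID 500 instead of by name, so a renamed account does not break it, and logs failures as well as successes so the log folder tells you which machines did not get the change:

```powershell
# Added example, not the original adminpwd.bat. Runs as SYSTEM at boot when
# assigned as a Group Policy startup script (e.g. powershell.exe
# -ExecutionPolicy Bypass -File \\servername\share\adminpwd.ps1).
# Assumptions: \\servername\logs exists and Domain Computers have Change on it;
# '<new_password>' is replaced before deployment.

$NewPassword = '<new_password>'            # replace before deployment
$LogShare    = '\\servername\logs'         # share name assumed from the post
$LogFile     = Join-Path $LogShare "$env:COMPUTERNAME.txt"

function Write-Log {
    param([string]$Message)
    $line = '{0} {1} {2}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Message
    # A log failure must not stop the password change, so swallow it.
    try { Add-Content -Path $LogFile -Value $line -ErrorAction Stop } catch { }
}

try {
    # The built-in Administrator always has RID 500, whatever it is called.
    $builtin = Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount='True' AND SID LIKE '%-500'"
    if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found' }

    # ADSI WinNT provider works on every Windows version the post targets.
    $account = [ADSI]"WinNT://./$($builtin.Name),user"
    $account.SetPassword($NewPassword)
    $account.SetInfo()

    Write-Log "Password updated for local account '$($builtin.Name)'"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Because the log line includes a timestamp and the outcome, a quick "Select-String FAILED \\servername\logs\*.txt" from a Domain Admin workstation lists the machines that need attention. The plaintext password and the one-password-for-all-machines problem from the batch version are unchanged here.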

2 comments:

Carl Taylor said...

Even easier way, via GP.

Create GPO (assumes you have Win7 PCs and have created PolicyDefinitions folder under Win2003 Server Policies and copied ADMX files from Win7 PC to that location) called reset_local_admin_Password

From a Win7 PC using the RSAT tool, connect to the Forest and drill down. Open Computer Configuration, then Preferences, then Control Panel Settings, then Local Users and Groups. Right click and select New User; in User name select Administrator (built-in), set and confirm the password, and ensure that "User must change password at next logon" is not ticked. This will, at the next GPO refresh, force the password change on all PCs to the amended value. Once set up it is easy to change periodically if required.
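A check to run if you take the Group Policy Preferences route above, added here as an example and not part of the comment or the original post. A Local Users and Groups preference item stores the password in SYSVOL as a "cpassword" attribute in Groups.xml, and the AES key protecting it was published by Microsoft (see security bulletin MS14-025, whose update removes the option to set passwords this way), so every domain user who can read SYSVOL can recover the value. This script, which assumes it runs on a domain member with the current user's domain in $env:USERDNSDOMAIN, walks SYSVOL and reports every preference item that still carries one:

```powershell
# Added example, not from the post or the comment. Lists GPP items in SYSVOL
# whose Properties element carries a cpassword attribute. Assumption: the
# account running it can read \\<domain>\SYSVOL (any domain user can).

param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumed: the current user's domain
)

$sysvol = "\\$Domain\SYSVOL\$Domain\Policies"

# Preference files that may carry cpassword (Groups.xml is the Local Users case).
$files = Get-ChildItem -Path $sysvol -Recurse -ErrorAction SilentlyContinue -Include `
    'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($f in $files) {
    [xml]$xml = Get-Content -Path $f.FullName -ErrorAction SilentlyContinue
    if (-not $xml) { continue }

    # The GPO GUID is the folder directly under Policies.
    $gpoGuid = if ($f.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { '?' }

    foreach ($n in $xml.SelectNodes('//*[@cpassword]')) {
        if ([string]::IsNullOrEmpty($n.cpassword)) { continue }   # attribute present but empty
        [pscustomobject]@{
            GpoGuid = $gpoGuid
            File    = $f.FullName
            Type    = $n.ParentNode.LocalName      # User, Service, Task, ...
            Account = $n.userName                  # set on User items
            NewName = $n.newName                   # rename, if the item renames the account
            Changed = $n.ParentNode.changed        # last edit of the item
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) preference item(s) store a password in SYSVOL; remove them and rotate the affected passwords."
} else {
    "No cpassword attributes found under $sysvol"
}
```

Removing the item from the GPO deletes the attribute from Groups.xml, but the password it carried should be treated as exposed and rotated, since SYSVOL is replicated to every domain controller and readable by every domain user.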

skatterbrainz said...

Excellent tip - thank you!