Tuesday, June 29, 2010

Reset all Local Admin Passwords: The Even-Easier Way

This post will cover another, easy, SUPER-easy, and FREE way to automatically reset the local "Administrator" password on multiple computers in your domain.  This assumes you have at least one Windows Server 2008 domain controller, and at least Windows Vista or Windows 7 clients. 

Even if you still have a Windows Server 2003 AD environment, you only need one 2008 domain controller.  This tutorial is aimed at Windows 7 clients only.  It can be easily adapted to work with Windows XP and Vista clients.  Remember that you need to deploy the (free) Group Policy Preference Client Side Extensions for Windows XP (KB943729), or the Group Policy Preference Client Side Extensions for Windows Vista (KB943729), since the extensions ship only with Vista SP1 and Windows 7.

If you need the Extension for Windows XP 64-bit, click here.

Ingredients:

  • Windows Server 2008 Active Directory Domain Controller
  • Windows Vista or Windows 7 clients
  • A Group Policy Object
  • A .BAT script file
  • A cup of coffee and a snack
  • Some cool tunes in your headphones

Let's get started…

First, create a new Group Policy Object from within the Group Policy Management Console (GPMC).  Name it something like "Local Scheduled Tasks", if you plan on managing scheduled tasks in one bucket.  Otherwise, you can name it something like "Reset Local Admin Pwd" or whatever.  The choice is yours. Relish the freedom.

Right-click the new GPO and select "Edit".

Create the Scheduled Task

Navigate to: Computer Configuration / Preferences / Control Panel Settings / Scheduled Tasks.  Right-click on "Scheduled Tasks" and choose "New --> Scheduled Task (Windows Vista and Later)".


New Scheduled Task (Windows Vista and Later)


Note the Action, Security Options, and "Configure For" settings.

Set the Trigger


I'm using the "startup" trigger.  You can assign a typical schedule as well (hourly, daily, weekly, monthly, etc.) if you prefer.

Actions


The nice part of this is that it doesn't matter if you have created the .bat file yet or not.  You can enter the path and name and then create it, or create it and then configure the scheduled task.  Either way works.  Since the task is more involved than the script, I started with that first.

The Script

The "local_admin_pwd_set.bat" file itself only needs the following code…

@echo off
net user administrator <your_password_here>
echo Password has been reset >%windir%\temp\adminpwd.set

Note: Line 3 is optional.  I just added that so it creates a log file on the client to help troubleshoot when the script last ran.  Be sure to replace "<your_password_here>" with something clever and difficult to hack.  The coolest aspect is that when you need to change the password on all the computers, you just edit this script, save it, and reboot the computers (or wait for the scheduled task, if you chose that route).

Save the .bat file into a (hidden) shared folder.  Grant permissions on the shared folder (NTFS and Share-level) to allow "Domain Computers" to have Read access.  Grant "Domain Admins" Full Control.  Remove "Everyone" and "Users" and "Authenticated Users".

Click "Apply" and "OK".  That's it.

Putting it to Work

Now, if you named the file correctly, and saved it in the appropriate UNC shared folder path, and you applied the correct permissions to it, the next step is to link the GPO to a test OU.

Create a test OU in Active Directory Users and Computers (ADUC).  Move a test computer account into the new OU.  Link the GPO to the new OU.  Wait a few minutes, then restart the test computer and look for the log file to be created afterwards.  Verify the change by logging on in Safe Mode (if the Administrator account is still disabled, as it is by default).

What Can Go Wrong?

  • If you use the local "Builtin\System" account to run the task, but forget to grant the "Domain Computers" group read-only permissions to where the .bat file is shared, it won't execute.
  • If you leave the "Everyone" group, or "Users" or "Authenticated Users" or anyone besides "Domain Admins" in the permissions set for the shared folder, you may be exposing the password.
  • If you have a policy setting in place that enforces password complexity and you attempt to set a password that doesn't comply, it won't work.
  • If your users rarely restart their computers, you may want to try another method of running the task such as a recurring schedule, or upon login, etc.
  • If the computers are off the network a lot (think laptops), you may want to consider another approach.
  • If users are members (direct or indirect) of the local "Administrators" group, they can subvert this and even gain access to the .bat script with very little effort.  DON'T make users into Administrators of their computers!
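As an added check (not part of the original post), the following PowerShell script audits the NTFS ACL on the folder holding the .bat file against the permissions described above: the groups the post says to remove must be absent, "Domain Computers" must have read access, and "Domain Admins" must have full control.  The share path, domain NetBIOS name and group names are assumptions to adjust; share-level permissions are not covered and must be checked separately.  Keep in mind that "Domain Computers" read access still means every domain-joined machine, and therefore anyone who is a local Administrator on one, can read the plaintext password in the script.

```powershell
# Added example, not from the original post. Audits the NTFS ACL of the
# folder that holds local_admin_pwd_set.bat. Path and domain are assumptions.
$ScriptFolder  = '\\FILESERVER\AdminScripts$'   # assumed hidden share
$DomainNetbios = 'CORP'                         # assumed domain NetBIOS name

function Test-ScriptShareAcl {
    param([string]$Path, [string]$Domain)

    # Principals the post says must NOT appear on the folder.
    $forbidden = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # Principals the post requires, with the minimum right each one needs.
    $required = @{
        "$Domain\Domain Computers" = 'Read'
        "$Domain\Domain Admins"    = 'FullControl'
    }

    $acl = Get-Acl -Path $Path
    $problems = @()

    # Any Allow ACE for a forbidden principal exposes the script (and the password).
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $forbidden -contains $who) {
            $problems += "Over-broad ACE: $who has $($ace.FileSystemRights)"
        }
    }

    # Missing or insufficient rights mean the task fails to run (or admins cannot edit).
    foreach ($entry in $required.GetEnumerator()) {
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $entry.Key -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $ace) {
            $problems += "Missing ACE: $($entry.Key) should have $($entry.Value)"
        } elseif (-not ("$($ace.FileSystemRights)" -match $entry.Value)) {
            $problems += "Wrong rights: $($entry.Key) has $($ace.FileSystemRights), expected $($entry.Value)"
        }
    }
    return $problems
}

$issues = Test-ScriptShareAcl -Path $ScriptFolder -Domain $DomainNetbios
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "NTFS ACL on $ScriptFolder matches the recommended permissions."
}
```

Run it from a workstation with rights to read the folder's security descriptor; a "FullControl" ACE also satisfies the "Read" check because the string match is on the rights name.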

Final Thoughts

This is not the only way to accomplish this goal.  There are many others.  I've explained a few others previously (on this blog).  You can find shareware and retail products to do this.  You have options.  But, you are not required to spend money to make this work.  For added security, consider wrapping the .bat script command into something more protected, like a compiled .exe, or a tokenized KiXtart script file, even an encoded VBScript or PowerShell file.  Have at it.  Have fun.
