Re: change the local administrator password for every machine in AD

maybe the script runs under the logging-on user that does not have privilege
to change admin password

"Alan" <> ha scritto nel messaggio
news:...
> Hi Experts,
>
> I want to change the local administrator password for every machine. I
> have tried many time, but failed. After client machine restarted, the xp
> will say the script has some erre at line 3, col 1 .the code maybe
> 8007007B
>
>
>
> Code 8007007B - The filename, directory name or volume syntax is
> incorrect
>
>
>
> I did the following steps, but failed. The machine's local administrator
> password was not changed.
>
> Can you tell me why the line 3 has problem? Thanks.
>
>
>
> 1. Save the following scripts in a pwd.vbs file .
>
> strComputer="."
>
> Set objUser=GetObject("WinNT://" & strComputer & "/Administrator,user")
>
> objUser.SetPassword "abc@123"
>
> objUser.SetInfo
>
>
>
> 2. Select an OU, in its properties, select policy, new a group policy,
> name it, click edit
>
>
>
>
>
>
> 3. In the following windows, select startup, click properties, click
> Show Files¡*, copy the script file (pwd.vbs) into this folder, click
> Add¡*,
>
>
>
>
>
>
> 4. Popup the following window, click Browse¡*
>
>
>
>
>
> 5. Select pwd.vbs in this window, and click ok.
>
>
>
>
>
>
> 6. Run command ¡° gpupdate /force ¡° to refresh group policy.
>
>
>
>
>
> 7. After the machine restarted, the local administrator password will be
> changed to ¡°abc@123¡±
>
>
>

"achinda" <> wrote in message
news:...
>
> Hi this is awesome. i tested out and it works fine. but i do have a
> issue since the admin password will get changed only when domain admin
> logs in to the particular PC.
>
> pls assist me on how should i allow restricted users to change the
> password through this script ?
>
>
> BTW- Do i have to grant restricted users as domain admin till they
> logged in and password gets changed ?????

Only if you want to turn control of your entire infrastructure over to any
of your users that has a passing technical knowledge.

Even if the script would work for a non-admin, what would be the point of
changing the admin password to a string that appears in a script that is
accessible to all of your users? You might just as well send them all a
message telling them the old password and asking them to logon to change it
to some new value.

But why do you even want to wait until a privileged account logs on before
the password is changed? Here is your original script:

strComputer="."
Set objUser=GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "abc@123"
objUser.SetInfo

Do you know that "." is shorthand for "the computer on which I am running
this script"? If you are logged on as a domain admin (or any other account
that is a member of the administrators group on all the workstations of
interest), all you need to do is give the strComputer variable the name of
the machine where you want to change the admin password. If this is a small
number, you could do it like this:

strComputers = array("computer1","computer2","computer3","compute r4")
for each strComputer in strComputers
Set objUser=GetObject("WinNT://" & strComputer &
"/Administrator,user")
objUser.SetPassword "abc@123"
objUser.SetInfo
next

Of course, you might want to add some error checking and logging to make
sure this succeeded in all cases.

/Al

"achinda" <> wrote in message
news:...
>
> HI
>
> we got 300 computers in the domain. it's not practical to provide all
> PC names in the script ?
>
> Any other way of doing this ?
>
> Regards
> Achinda

The more machines you have, the more important it is to maintain a
comprehensive list of all NetBIOS names. You can use the logon script to
compile the list, e.g. like so:
@echo off
echo %date% %time% %UserName% >> \\Server\Share\%ComputerName%

"Pegasus [MVP]" <> wrote in message
news:#...
>
> "achinda" <> wrote in message
> news:...
>>
>> HI
>>
>> we got 300 computers in the domain. it's not practical to provide all
>> PC names in the script ?
>>
>> Any other way of doing this ?
>>
>> Regards
>> Achinda
>
> The more machines you have, the more important it is to maintain a
> comprehensive list of all NetBIOS names. You can use the logon script to
> compile the list, e.g. like so:
> @echo off
> echo %date% %time% %UserName% >> \\Server\Share\%ComputerName%

or you can get a list of the computers that are currently accessible with:

net view

Alternately, you could get the names of all computers defined in active
directory by writing a script to query AD, using csvde.exe, or using MMC w/
ADU&C and extracting from an OU, or from the results of a search.

/Al