Discussion:
Change Local Admin Password with GPO?
(too old to reply)
Joe
2007-10-18 19:07:01 UTC
Permalink
Is it possible to use a GPO to set/change the password on the local
administrator account on WinXP workstations?

Thanks,
Joe
Florian Frommherz [MVP]
2007-10-18 19:33:41 UTC
Permalink
Howdie!
Post by Joe
Is it possible to use a GPO to set/change the password on the local
administrator account on WinXP workstations?
No, you can't. You could actually do it by script, but that's pretty
unsecure as people could read that plain text password.

Have a look at PsPasswd from Sysinternals:
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Florian Frommherz [MVP]
2007-10-19 07:13:05 UTC
Permalink
Howdie!
Post by Florian Frommherz [MVP]
No, you can't. You could actually do it by script, but that's pretty
unsecure as people could read that plain text password.
You could, also try to use a script that does a

NET USER Administrator %1

where %1 would be the local admin's password. But instead of typing the
password, you use %1 as above and specify the new local Admins password
as a script parameter. You can do that with Group Policy..

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Joe
2007-10-22 14:24:01 UTC
Permalink
Florian,
Thanks for the great response. This is a big help.
Joe
Post by Florian Frommherz [MVP]
Howdie!
Post by Florian Frommherz [MVP]
No, you can't. You could actually do it by script, but that's pretty
unsecure as people could read that plain text password.
You could, also try to use a script that does a
NET USER Administrator %1
where %1 would be the local admin's password. But instead of typing the
password, you use %1 as above and specify the new local Admins password
as a script parameter. You can do that with Group Policy..
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Joe
2007-10-22 15:13:02 UTC
Permalink
Florian,
Sorry, but I'm a real cut & paste scripter, and I'm not sure how to define a
password variable as you suggest. I've looked through TechNet and haven't
found a real example. Can you point me a bit further in the right direction?

Thanks,
Joe
Post by Florian Frommherz [MVP]
Howdie!
Post by Florian Frommherz [MVP]
No, you can't. You could actually do it by script, but that's pretty
unsecure as people could read that plain text password.
You could, also try to use a script that does a
NET USER Administrator %1
where %1 would be the local admin's password. But instead of typing the
password, you use %1 as above and specify the new local Admins password
as a script parameter. You can do that with Group Policy..
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Florian Frommherz [MVP]
2007-10-22 15:23:14 UTC
Permalink
Howdie Joe!
Post by Joe
Sorry, but I'm a real cut & paste scripter, and I'm not sure how to define a
password variable as you suggest. I've looked through TechNet and haven't
found a real example. Can you point me a bit further in the right direction?
If you want to try the NET USER thing, I'd be sufficient to create a
.BAT file with notepad and save it to a network location where people
can access it. Within that BAT file script, you type the following:

NET USER ADMINISTRATOR %1

You then create a Group Policy and a computer startup script with the
.BAT-script you copied to the network location. For "Script Parameters"
you type in that password that you want to there to be.

I must admin I haven't tested this thoroughly and am not quite sure as
to how secure this is and where the "script parameters" (= your admin
password) is stored and who can read that and has access to that.

You can still give the Scripting Guys' script a try:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx

Or Pspasswd:
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Joe
2007-10-22 15:36:04 UTC
Permalink
Florian,
Wow, thanks for the fast response. This should get me going on the script.
Thanks again for all your help.

Joe
Post by Florian Frommherz [MVP]
Howdie Joe!
Post by Joe
Sorry, but I'm a real cut & paste scripter, and I'm not sure how to define a
password variable as you suggest. I've looked through TechNet and haven't
found a real example. Can you point me a bit further in the right direction?
If you want to try the NET USER thing, I'd be sufficient to create a
..BAT file with notepad and save it to a network location where people
NET USER ADMINISTRATOR %1
You then create a Group Policy and a computer startup script with the
..BAT-script you copied to the network location. For "Script Parameters"
you type in that password that you want to there to be.
I must admin I haven't tested this thoroughly and am not quite sure as
to how secure this is and where the "script parameters" (= your admin
password) is stored and who can read that and has access to that.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Mark Heitbrink [MVP]
2007-10-22 17:45:51 UTC
Permalink
Post by Florian Frommherz [MVP]
If you want to try the NET USER thing, I'd be sufficient to create a
..BAT file with notepad and save it to a network location where people
can access it. [...]
It should be the "Startup"-Folder of the specific GPO or the NETLOGON
that should be defined with the DFS path. a custom UNC will not work.

Best: Save the file inside the share NETLOGON
path in GPO:: \\yourdomain.end\netlogon\nameofscript.bat

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Florian Frommherz [MVP]
2007-10-23 08:03:13 UTC
Permalink
Howdie!
Post by Mark Heitbrink [MVP]
Post by Florian Frommherz [MVP]
If you want to try the NET USER thing, I'd be sufficient to create a
..BAT file with notepad and save it to a network location where people
can access it. [...]
It should be the "Startup"-Folder of the specific GPO or the NETLOGON
that should be defined with the DFS path. a custom UNC will not work.
Hahrgh! You got me - once more.

cheers,

F.
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Joe
2007-10-24 14:07:03 UTC
Permalink
Mark and Florian,
Thanks for the great advise. I'll be testing this today.

Thanks,
Joe
Post by Mark Heitbrink [MVP]
Post by Florian Frommherz [MVP]
If you want to try the NET USER thing, I'd be sufficient to create a
..BAT file with notepad and save it to a network location where people
can access it. [...]
It should be the "Startup"-Folder of the specific GPO or the NETLOGON
that should be defined with the DFS path. a custom UNC will not work.
Best: Save the file inside the share NETLOGON
path in GPO:: \\yourdomain.end\netlogon\nameofscript.bat
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
surra ahmed
2011-05-25 23:55:26 UTC
Permalink
how to change local password as administrator
Post by Joe
Is it possible to use a GPO to set/change the password on the local
administrator account on WinXP workstations?
Thanks,
Joe
Post by Florian Frommherz [MVP]
Howdie!
No, you can't. You could actually do it by script, but that's pretty
unsecure as people could read that plain text password.
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Post by Florian Frommherz [MVP]
Howdie!
You could, also try to use a script that does a
NET USER Administrator %1
where %1 would be the local admin's password. But instead of typing the
password, you use %1 as above and specify the new local Admins password
as a script parameter. You can do that with Group Policy..
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Post by Joe
Florian,
Thanks for the great response. This is a big help.
Joe
Post by Joe
Florian,
Sorry, but I'm a real cut & paste scripter, and I'm not sure how to define a
password variable as you suggest. I've looked through TechNet and haven't
found a real example. Can you point me a bit further in the right direction?
Thanks,
Joe
Post by Florian Frommherz [MVP]
Howdie Joe!
If you want to try the NET USER thing, I'd be sufficient to create a
.BAT file with notepad and save it to a network location where people
NET USER ADMINISTRATOR %1
You then create a Group Policy and a computer startup script with the
.BAT-script you copied to the network location. For "Script Parameters"
you type in that password that you want to there to be.
I must admin I haven't tested this thoroughly and am not quite sure as
to how secure this is and where the "script parameters" (= your admin
password) is stored and who can read that and has access to that.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Post by Joe
Florian,
Wow, thanks for the fast response. This should get me going on the script.
Thanks again for all your help.
Joe
Post by Mark Heitbrink [MVP]
It should be the "Startup"-Folder of the specific GPO or the NETLOGON
that should be defined with the DFS path. a custom UNC will not work.
Best: Save the file inside the share NETLOGON
path in GPO:: \\yourdomain.end\netlogon\nameofscript.bat
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Post by Florian Frommherz [MVP]
Howdie!
Hahrgh! You got me - once more.
cheers,
F.
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Post by Joe
Mark and Florian,
Thanks for the great advise. I will be testing this today.
Thanks,
Joe
Loading...