Поделиться через


How to change the password for the local administrator account on multiple machines (the easy way without scripting)

Update: *** WARNING *** These procedures are no longer recommended for any production environment, even temporarily for changing local passwords. At the time of the writing of this article, temporary use of this feature and subsequent deletion of the GPO was a common practice. However, in consideration of heightened security concerns around protecting elevated credentials (even local), this procedure is NOT RECOMMENDED, even temporarily. I left the article in place for historical reference, and I will add some alternative possibilities as another update to this article soon.

With the stricter security requirements that many of my customers have been facing lately, the question about how to change the local administrator password on 10’s, 100’s, or even 1000’s of windows machines has come up several times recently. With the introduction of Group Policy Preferences, this has become a very easy task. Here are some instructions on how to accomplish this with a minimum amount of work on the part of the administrator.

NOTES: These procedures involve making changes to group policies. Thorough testing should always be performed in a lab environment prior to making any changes to group policy in a production environment. Also, GPP’s are not supported in Windows 2000, so these procedures are only useful on XP SP2 and later operating systems.

 

1. Ensure that the managed clients have the update installed to support group policy preferences. These updates are on Windows Update and can also be found here: https://support.microsoft.com/?kbid=943729

2. On either a Windows Server 2008 server, or on a Vista SP1 client, enable the RSAT (Remote Server Administration) tools. On Vista SP1, they must be installed first, whereas on Server 2008 they only need to be enabled. After installing, enable them by using the Turn On Features option in the Programs and Features applet in the control panel. The RSAT tools can be downloaded here: https://support.microsoft.com/?kbid=941314  Note that just installing the update will not add anything to the Administrative Tools menu. You must also turn the feature on:

clip_image002

Tip: In most open windows in Vista and later operating systems, there is a search box in the upper right hand corner. If you’re not sure how or where to configure a setting, type in a keyword in the search box. In Control Panel, for example, type in something like “screensaver” (without the quotes). You will instantly see relevant settings displayed to help you modify your screensaver. You can save yourself tons of time when looking for features and settings by using this handy search capability.

3. Using the GPMC tool on either Windows Server 2008 or on the Vista SP1 machine with RSAT, note the new Preferences section when editing a group policy:

clip_image004

4. Under Computer Configuration, expand Preferences, Control Panel Settings, and then right-click on Local Users and Groups. Choose New, Local User:

clip_image006

5. Leave the Action drop-down set to Update. From the drop down box for User Name, select Administrator (built-in). Type in a password to reset the password for this account. NOTE: You MUST type in a new password for this step to work. If you do not, the changes will not be made. Optional: UNCHECK the box for Password Never Expires. The end result of these settings will be to have an expiring local password for the built-in admin account, and for the password to be changed to the new value.

You can also use this section to perform other changes, such as renaming the Administrator account or modifying other local accounts.

clip_image008

6. Note the additional settings available via the Common tab:

clip_image010

There is also a good whitepaper on this topic located here. This whitepaper covers GPP’s in more detail, along with their many capabilities.

NOTE: When using Group Policy Preferences, keep in mind that the stored password is obfuscated. From a security standpoint, it would be best to use this procedure to change the password using a separate group policy. Then, once finished, delete the group policy so that the stored password (although obfuscated) is also deleted.

Comments

  • Anonymous
    April 20, 2014
    Not recommended to use this method because any user can decrypt the password using gp decrypt
  • Anonymous
    May 14, 2014
    Pingback from Blog: Historien om en feature der aldrig skulle have v??ret der | Computer Viden information
  • Anonymous
    June 13, 2014
    Is there a new way of doing this now that Microsoft Patched the GPP to not allow Password changes via GPP? Not only is it not recommended anymore, it looks to be not possible using GPP anymore.
  • Anonymous
    June 17, 2014
    We were using same way to change password every month... New we are locked.. any other way to do this?
  • Anonymous
    June 17, 2014
    We were using same way to change password every month... New we are locked.. any other way to do this?
  • Anonymous
    June 17, 2014
    I was looking into how to do this (via GPO), but understand from your comments this is no longer possible.
    Stumbled over PsPasswd from SysInternals (i.e. Microsoft): http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx which appears to be simple and secure enough to use.
    A bit more work could be needed (e.g. avoiding deployment on some desired computers, knowing the exact "username" of the local Administrator in case this has been renamed...), but I'll give that a try.
  • Anonymous
    June 18, 2014
    @Joe: You post 13 Jun 2014 2:39 PM, that »Microsoft Patched the GPP to not allow Password changes via GPP«. Can you tell me where (e.g. a KB article) I can find more information about this?
  • Anonymous
    June 18, 2014
    @Joe: Got it: "MS14-025 Vulnerability in Group Policy Preferences could allow elevation of privilege May 13, 2014" (http://support.microsoft.com/kb/2962486) which states (quote):
    The following Group Policy Preferences will no longer allow user names and passwords to be saved: •Drive Maps
    •Local Users and Groups
    •Scheduled Tasks
    •Services
    •Data Sources
  • Anonymous
    August 07, 2014
    guys, even if the password is crypted with military algorithm is easy to delete for a skilled user. This method is used to secure the 99% of workstation in a company.
  • Anonymous
    January 02, 2015
    May I recommend checking out AGASync.com. It allows you to easily change all of your local admin passwords everyday for every machine with a unique password for each. It can be integrate with your AD. You can recover the password from your cell phone or a call center app. This is a professional solution that is fast and easy to setup. It helps you with HIPAA, FERPA and PCI compliance with regards to this issues.