Group Policy resetting of local user passwords

Quick blog today - I'm presenting at the Technet Roadshow event in Birmingham today (Harrogate is next week, and London the week following), and am connected to the Internet by something which must be a 2K dial-up line shared between 20 users - slow doesn't begin to describe the experience. I'm presenting again in 30 minutes, so if I hit the post button in the next minute, there's always the chance that this might actually get posted before I have to be on stage again. 

Following my presentation on Group Policy this morning, I was asked whether it was possible to reset local user passwords on clients through Group Policy. This isn't directly possible, but there are a couple of ways I came up with to solve this problem. Both will require some scripting, but are perfectly "do-able". One would be to apply a computer startup script through Group Policy, which runs under the local SYSTEM account and therefore has the privileges needed to reset the local administrator password. The other would be to run it centrally from a server-side script connecting to each machine in turn.

Both scripts would need to use ADSI (Active Directory Services Interface) to be able to change the password - when I'm on a better link, I'll have to dig out a script from the Technet Script Centre (Center) where there will be plenty of decent examples. Running it from the server side would probably be more secure, in that the script wouldn't be visible from the client at all, and hence it's easier to hide passwords from prying eyes if you needed to. Of course, you could generate a random GUID and use that as a password for more security if you never needed to log on as the local administrator again.

Remember also that for the server solution, you could use something like dsquery to get a current list of all the client workstations from Active Directory. If you wanted to go the whole hog, you could add in a simple database table accessed through ADO to keep track of which machines have had their local password reset and when. The world's your oyster with this one, but you get the idea.
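The server-side approach described above, written out as an added PowerShell example (this is not the author's script, nor one from the Technet Script Centre): it enumerates computer accounts with dsquery, binds to each machine's built-in Administrator account through the same ADSI WinNT provider the post refers to, sets a fresh random password per machine, and records the outcome in a CSV ledger (a simpler stand-in for the ADO table suggested above). The ledger path and password length are assumed defaults; it assumes the account running it is a local administrator on every target and that the built-in account has not been renamed. Because the password is generated on the server and pushed over the ADSI call, nothing sensitive is written to SYSVOL, which is the point made above about the server-side variant; the startup-script variant would make the same `[ADSI]"WinNT://./Administrator,user"` call locally, but any script or password in SYSVOL is readable by every domain user.

```powershell
# Added example, not the post's own script. Reset the local Administrator
# password on every domain computer from a management host, using the ADSI
# WinNT provider, and log each result to a CSV ledger.
# Assumptions: run on a domain-joined admin host as an account that is a local
# administrator on each target; dsquery (AD DS tools) is on the PATH; the
# ledger path is a placeholder.

param(
    [string] $Ledger = 'C:\Admin\LocalAdminResets.csv',   # assumed path
    [int]    $PasswordLength = 24
)

function New-RandomPassword {
    param([int] $Length = 24)
    # 64-character alphabet: 256 mod 64 == 0, so mapping each random byte
    # with a modulus introduces no bias. A GUID (as the post suggests) also
    # works, but a CSPRNG over a wider alphabet gives more entropy per char.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-DomainComputerName {
    # dsquery prints quoted RDNs, e.g. "PC01"; -limit 0 lifts the default
    # 100-object cap. Scoping to a workstation OU with -startnode is left
    # to the caller; this takes every computer object in the domain.
    dsquery computer -o rdn -limit 0 | ForEach-Object { $_.Trim().Trim('"') }
}

function Reset-LocalAdminPassword {
    param([string] $Computer, [string] $NewPassword)
    # Bind to the remote machine's local account via the WinNT provider.
    # The name "Administrator" assumes the built-in account was not renamed.
    $user = [ADSI]"WinNT://$Computer/Administrator,user"
    $user.SetPassword($NewPassword)
    $user.SetInfo()
}

# Main loop: one fresh password per machine. The password itself is not
# written to the ledger, matching the post's "never log on locally" model;
# only which machine was reset, when, and whether it succeeded is recorded.
$results = foreach ($pc in Get-DomainComputerName) {
    $status = 'ok'
    try {
        Reset-LocalAdminPassword -Computer $pc -NewPassword (New-RandomPassword -Length $PasswordLength)
    } catch {
        # Offline machines, RPC blocked by firewall, or missing admin rights
        # all land here; the ledger makes them easy to retry later.
        $status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Computer = $pc
        ResetAt  = (Get-Date).ToString('o')
        Status   = $status
    }
}

$results | Export-Csv -Path $Ledger -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the management host; machines that are switched off or unreachable show up as `failed` rows in the ledger rather than aborting the run, so the same script can be re-run to catch stragglers. If the built-in account has been renamed on some machines, bind by the RID-500 SID instead of the name.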

...and I said this was going to be a quick blog entry (not)!

Comments (3)

  1. Here you have a script that tries to do something similar.

    Change local administrator password remotely

    by Christian Sawyer

  2. Jesper Lonnqvist says:

    If you don't want to write an ADSI-dependent script, would it not be possible to just run:

    net user administrator password

    from a simple .bat file?

  3. Jesper - that is a great way of doing the same thing, and something which I had genuinely forgotten about within the pretty extensive capabilities of the "net.exe" application, so many thanks for that. Having a recent Windows/Exchange/AD developer background, and hence working with ADSI for more years than I care to remember, that is where I personally felt most comfortable and the thing I thought of first. Old habits die hard, I guess. Once again, thanks.
