Group Policy resetting of local user passwords

  • Article

Quick blog today - I'm presenting at the Technet Roadshow event in Birmingham today (Harrogate is next week, and London the week following), and am connected to the Internet by something which must be a 2K dial-up line shared between 20 users - slow doesn't begin to describe the experience. I'm presenting again in 30 minutes, so if I hit the post button in the next minute, there's always the chance that this might actually get posted before I have to be on stage again. 

Following my presentation on Group Policy this morning, I was asked whether it was possible to reset local user passwords on clients through Group Policy. This isn't directly possible, but there are a couple of ways I came up with to solve this problem. Both will require a level of scripting, but perfectly "do-able". One would be to apply a computer startup script through Group Policy which runs as a system account, which would have the appropriate privileges to be able to reset the local administrator password. The other would be run it centrally from a server-side script connecting to each machine in turn.

Both scripts would need to use ADSI (Active Directory Services Interface) to be able to change the password - when I'm on a better link, I'll have dig out a script from the Technet Script Centre (Center) where there will be plenty of decent examples. From the server-side would probably be more secure in that the script wouldn't be visible from the client at-all, and hence it's easier to hide passwords from eyes if you needed to. Of course, you could generate a random GUID and use that as a password for more security if you never needed to log on as the local administrator.

Remember also that for the server solution, you could use something like dsquery to get a current list of all the client workstations from Active Directory. If you wanted to go the whole hog, you could add in a simple database table through accessed through ADO to keep track of which machines have had their local password reset and when. The world's your oyster with this one, but you get the idea.

...and I said this was going to be a quick blog extry (not)!