Reset the local administrator password for all the pc using batch

  • Reset the local administrator password for all the pc using batch

    Hi

    I need to reset the local administrator password for all the PCs and laptops. However, my boss's requirement is to hide the password, and the file must be accessible by all users... she doesn't want users to know the local administrator password. I will convert the batch file to an exe so that users won't see it. However,

    As the company has renamed the local administrator account to myadmin, I need to do the following:

    1. Check if the user has a local myadmin account.
    If yes, go to 2, else create the myadmin account.

    2. Check if myadmin belongs to the Administrators group; if not, add it to the Administrators group
    using net localgroup

    3. If yes
    net user myadmin password

    However, I cannot find the checking mechanism (DOS command) to create the batch file. Can someone help me
    on this?

  • #2
    Re: Reset the local administrator password for all the pc using batch

    Even if you convert the batch file containing confidential credentials to an exe file, that may not be enough protection. In fact you are only hiding the content to make it harder for users (and for yourself) to guess and be willing to read what is in it. On the internet there are free tools available to look inside an exe file (btw. using an exe file as a network logon script does not always work as well in all situations as a usual logon batch or script does). Talking about hiding: using NTFS Alternate Data Streams you can hide the complete script file in any other 'innocent'-looking file. You can even put GBs into a 0 KB file without seeing any changes to the visible file (but wait till you try to copy that 0 KB file, which in fact is a lot bigger; then you begin to suspect something). You can launch the visible file as usual, and you can launch the hidden files with a DOS command line. It is fun, it looks like magic, that's why I mentioned it, but I will certainly not recommend it. Start hiding things only if there is no other way to secure it.

    I will recommend using a GPO to accomplish two things:
    1. take control over the local group memberships
    2. take control over the local administrator account.

    For the first goal use "Restricted Groups";
    Therefore edit a GPO that is already linked to or is being inherited by the OU containing the client computers. Or create and link a new GPO (not really necessary). Open 'Computer configuration'/'Windows settings'/'Security settings'/'Restricted Groups'. (read this thread how to configure the groups .

    For the second goal use a vb-script or a batch. This can change the administrator's password when the computer is starting up, before user logon, because the built-in system account has the privilege of modifying the administrator account. This way there is no need to run the script as a second logon ('runas' requires authentication). So that is already an improvement. Now you must find a way to leave the new name and/or password for the administrator account, as data, out of the script. You can accomplish this by using the script parameter bar in the GPO; EDIT - be careful... the credentials will then appear in the registry on every client though!!! (try to play with it, like: hardcode just the user name in the script and provide the password as a parameter)
    Therefore edit a GPO that is already linked to or is being inherited by the OU containing the client computers. Or create and link a new GPO (not really necessary). Open 'Computer configuration'/'Windows settings'/'Scripts..'/'Startup'
    Click on Add.. and locate the script (I recommend that you place the script in the folder 'ADdomainname'\SysVol\'FullDomainname'\StartUpScripts\ModifyLocalAdministrator.vbs). The new name for the administrator and its password you must type on the 'script parameters' bar like this: /u:newnameforadministrator /p:newpasswordforadministrator. That way the name and password are going to be stored in the GPO and not in the plain text script itself any more.
    This is the script:
    Code:
    'script: "ModifyLocalAdministrator.vbs"
    'created on 23 feb 07 by Remco Simons [nl]
    
    '*\\this visual basic script can:
    '      "Rename and reset the local Administrator account at startup"
    '
    '*\\characteristics of this scripting:
    '      "no need to publish the administrator password in this code"
    '      "no need to know the current logon name/passw for the Administrator"
    
    '
    'This script must be run through a
    'Computer Configuration GPO
    'Put this script in a folder called: 
    '                                      \\'ADdomainname'\NetLogOn\StartUpScripts
    
    'Edit the GPO that is linked_to -=or=- 
    'inherited_by the OU containing the workstations:
    '+Computer Configuration/+Windows Settings/+Scripts/Startup
    'click on [Add...]
    '+------------------------------------------+
    '|Scriptname: 
    '| 'ADdomainname'\SysVol\'FullDomainname'\StartUpScripts\ModifyLocalAdministrator.vbs
    '|
    '|Use Script Parameters:
    '| /u:newNameAdministrator /p:newPass4LocalAdministrator
    '+------------------------------------------+
    'where:'ADdomainname' and 'FullDomainname' is the Active Directory Domain name
    '  And: newNameAdministrator and newPass4LocalAdministrator are the new credentials
    '     for the local administrator account to be set on each client computer  
    
    'NOTE! /p:.... <--- must meet the domain or local password requirements!!!
    '
    
    ' This version 1.0
    ' (http://forums.petri.com/showthread.php?t=13750)
    'known issues with this version:
    ' 1. It does not yet perform a routine check whether the new name for the administrator
    '     may already be in use by *another* local account.
    ' 2. The file for the tune, that will be played on error, may not be present on every computer.
    ' 3. This script will not work on Windows 2000 and earlier versions of Windows
    '     (see the link at the bottom of this script for tips modifying the code suitable for win2k)
    'tip: find out if it is possible to exclude the administrator account from password policies some how
    
    
    ' **** script begins here ****
    
    Option Explicit: Dim Named, sNewAdminName, sPasswrdAdmin 
    On Error Resume Next
    Set Named = WScript.Arguments.Named
    sNewAdminName = Null'>
    sPasswrdAdmin = Null'>
    
     If Named.Exists("u") Then sNewAdminName = Named.Item("u")
     If Named.Exists("p") Then sPasswrdAdmin = Named.Item("p")
    
    If Not IsNull(sNewAdminName & sPasswrdAdmin) Then
            updateAdministrator()
         Else
            Err.Raise 100, WScript.ScriptName, "at least one parameter is required"
         End If
    
    If Err.Number <> 0 Then ErrorSnd(Err.Number)
    Err.Clear  '(undo: err.raise )
       sNewAdminName="<done"'successfully>
       sPasswrdAdmin="<done"'successfully>
    
    wscript.quit 0
    
    '/\/\/\^~^~~^~--^~^~~^~---^~^~~^~------- end.
    
    Sub updateAdministrator()
     Dim regEx, objWMIService, colAccounts, objAccount, objUser, getName
    '|A local administrator can be recognized by its SID: the
    '|first nine: "S-1-5-21-" and last four: "-500"
    '|characters are always the same.
    '|Like a pattern, it gives us the possibility to create 
    '|a 'regular expression' (sort of input mask) for the search.
    '|Each of the three numbers in between is a 32-bit value and can have
    '|fewer than 8 digits, so the pattern uses \d+ for them.
     Set regEx = New RegExp
     regEx.IgnoreCase = False
     regEx.Pattern = "^S-1-5-21-\d+-\d+-\d+-500$"
      Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
      set colAccounts = objWMIService.ExecQuery("select * From Win32_UserAccount" &_ 
                                                " Where LocalAccount = TRUE")
         For each objAccount in colAccounts
             If regEx.Test(objAccount.SID) then
                If Not IsNull(sPasswrdAdmin) Then
                   set objUser = GetObject("WinNT://./" & objAccount.Name)
                   objUser.SetPassword(sPasswrdAdmin)
                  End If
                   If Not IsNull(sNewAdminName) Then objAccount.Rename sNewAdminName
               exit Sub 'no need for continue searching
             End If
         Next
    End Sub
    
    Sub ErrorSnd(code)
     Dim objShell, oWshEnvironment, strSoundFile
     Set objShell = CreateObject("Wscript.Shell")
     Set oWshEnvironment = objShell.Environment("Process")
     strSoundFile = oWshEnvironment("SystemRoot") & "\media\Defsound.wav"
     objShell.Run "sndrec32 /play /close " & chr(34) & strSoundFile & chr(34), 0, False
     Set objShell = Nothing
     Set oWshEnvironment = Nothing
    End Sub
    
    '---------------------------------------------------
    'Many thanks to 'Maarten' who published a script;
    'http://www.scriptinganswers.com/arch...ndpassword.htm
    'which was very inspiring for me for writing this script.
    
    '---------------------------------------------------
    'Windows NT hash' vs. 'Windows NT hash + LAN Manager hash':
    'http://support.microsoft.com/kb/299656/ 
    'This article describes how to prevent Windows from storing an LM hash of your
    'password so Windows will only stores the stronger NT hash of your password.
    btw this script only works on Windows XP and newer Windows versions.

    \Rem
    Last edited by Rems; 24th August 2008, 20:01.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts

    Comment


    • #3
      Re: Reset the local administrator password for all the pc using batch

      And this is how it can also be done using a batch file.
      The logon batch searches for the Administrator account not by name but by its SID pattern, which is always the same on every computer. Then it overwrites the name and password of that account with the ones you typed as script parameters. (So thus far the DOS batch can do the same thing (just a little bit slower though, but with fewer lines) as the main part of the .vbs script I posted before).

      Code:
      @color 04
      ::Batch name:  ModifyLocalAdministrator.cmd
      @echo   *this command-line script can...
      @echo     "Rename and reset the local Administrator account at startup"
      ::
      @echo   *characteristics of this scripting:
      @echo      "no need to publish the administrator password in this code"
      @echo      "no need to know the current logon name/passw for the Administrator"
      ::
      ::*** Note 1...
      ::     - This script does not perform a routine check whether the new name for the administrator may already be in use by *another* local account.
      ::*** Note 2...
      ::     - The password provided must meet the domain or local password requirements
      ::*** Note 3...
      ::     - DO NOT run this script without specifying *two* script parameters for executing. In the *right order*:  Name  Password 
      ::*** Note 4:
      ::     - The 'wmic'-like commands only work on Windows XP and newer
      ::
      @echo off
      :: localaccount=true keeps the query on this computer's own accounts (a domain's built-in Administrator SID also ends in -500).
      wmic useraccount where "localaccount=true and sid like 'S-1-5-%%-500'" call rename %1 |cls
      cls :delete traces of the last command that was processed from the screen.
      start /wait net user %1 %2 |cls
      cls :delete traces of the last command that was processed from the screen.
      ::
      color | exit
      Important note:
      When using this cmd file instead of the other vb-script, the order of typing the script parameters in the GPO now becomes very important!
      --> You must always type both at the same time, the name in the first place followed by the password in the second place!!!
      And the batch does not support switches, so this is how you must write the parameters in this case: NameAdmin Password

      Notice that I use " |cls" every time after the command, on the same line as the commands. This will prevent showing the realtime logging of the running process on screen.
      And after each of these lines I added extra lines with again "cls " to clear the screen once more; you cannot be careful enough when dealing with credentials.

      \Rem
      Last edited by Rems; 25th February 2007, 15:48.


      Comment
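
An added example (not part of the original posts) for checking where the script parameters from posts #2 and #3 end up: Group Policy stores them in a hidden `scripts.ini` inside the GPO's folder on SYSVOL, so an administrator can list every startup script that is handed arguments and review it. The function name, the sample file content and the placeholder values are constructed for illustration; the standard SYSVOL layout is assumed.

```powershell
# Added example, not from the thread: report GPO script parameters that may hold credentials.
function Find-GpoScriptParameter {
    param(
        [Parameter(Mandatory)][string[]]$Lines,        # lines of one scripts.ini
        [string]$Source = '(constructed sample)'
    )
    $section = ''
    $entries = [ordered]@{}                             # "Section/index" -> CmdLine + Parameters
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $entries.Contains($key)) { $entries[$key] = @{ Section = $section } }
            $entries[$key][$Matches[2]] = $Matches[3].Trim()
        }
    }
    foreach ($e in $entries.Values) {
        $params = [string]$e['Parameters']
        if ([string]::IsNullOrWhiteSpace($params)) { continue }   # no arguments, nothing to review
        $tokens = -split $params
        # A /p:-style switch (post #2) is a strong hint; two or more bare arguments match
        # the positional "Name Password" form of the batch in post #3.
        $finding = if ($params -match '(?i)(^|\s)[/-](p|pw|pwd|pass|password)[:=]\S+') {
            'password-style switch'
        } elseif ($tokens.Count -ge 2) {
            'positional arguments (possible Name Password)'
        } else {
            'review manually'
        }
        # Never echo the values themselves into the audit output.
        $masked = ($tokens | ForEach-Object {
            if ($_ -match '^([/-]\w+[:=])') { $Matches[1] + '***' } else { '***' }
        }) -join ' '
        [pscustomobject]@{
            Source    = $Source
            Section   = $e['Section']
            Script    = $e['CmdLine']
            Arguments = $masked
            Finding   = $finding
        }
    }
}

# Constructed sample in the scripts.ini layout; the values are placeholders.
$sample = @'
[Startup]
0CmdLine=ModifyLocalAdministrator.vbs
0Parameters=/u:myadmin /p:EXAMPLE-ONLY-1
1CmdLine=ModifyLocalAdministrator.cmd
1Parameters=myadmin EXAMPLE-ONLY-2
2CmdLine=MapDrives.cmd
2Parameters=
'@ -split "`r?`n"

Find-GpoScriptParameter -Lines $sample | Format-Table -AutoSize

# Against a real domain (scripts.ini is hidden, hence -Force):
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -Force -Filter scripts.ini |
#     ForEach-Object { Find-GpoScriptParameter -Lines (Get-Content $_.FullName) -Source $_.FullName }
```

Any row this reports is readable by every account that can read the GPO, which is the exposure the EDIT in post #2 warns about.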


      • #4
        Re: Reset the local administrator password for all the pc using batch

        Rems

        Does this batch work with Windows 2000 Pro? I have some old computers here.

        Comment


        • #5
          Re: Reset the local administrator password for all the pc using batch

          No, the previous batch and script are not working on Windows 2000 machines!

          Try this vbscript:
          http://www.scriptinganswers.com/arch...ndpassword.htm
          Code:
          '//////////////////////////////////////////////////
          'On 2/14/2006 2:17:45 AM, Maarten wrote......
          '//
          '// Script File:
          '//
          '// RnameADM.vbs
          '//
          '// This script renames the local Administrator account and creates a new dummy account
          '// with the original name.
          '//
          '// Notes:
          '//
          '// Typical modifications:
          '// Change new administrator user name, dummy user name, or dummy password
          '//
          '//////////////////////////////////////////////////
          
          
          strNewName = "WSAdmin"    '<----- Use WScript.Arguments(0) instead of this "text" when you use parameters in the GPO to start the script
          strNewPass = "!AdminWS!"  '<----- Use WScript.Arguments(1) instead of this "text" when you use parameters in the GPO to start the script
          
          
          ' Initialization
          
          Set wshNetwork = CreateObject("WScript.Network")
          Set shell = CreateObject("WScript.Shell")
          
          ComputerName = wshNetwork.ComputerName
          DomainName = wshNetwork.userDomain
          
          ' Rename the current administrator account
          
          UserName = TranslateLocalUser("Administrator")
          Set ComputerObj = GetObject("WinNT://" & computername)
          Set UserObj = GetObject("WinNT://" & computername & "/" & UserName)
          UserObj.SetPassword(strNewPass)
          ComputerObj.MoveHere UserObj.ADsPath, strNewName
          '* WScript.Echo "Rename Complete"
          
          
          ' Set the default user name so that the logon screen shows the new admin name
          
          shell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", strNewName, "REG_SZ"
          
          
          ' Create a new dummy administrator account
          
          Computername = "127.0.0.1"
          domstr = "WinNT://" & Computername
          set adsDomain = GetObject(domstr)
          
          On Error Resume Next
          Set usr = adsDomain.Create("user", UserName)
          usr.SetPassword (strNewPass)
          usr.SetInfo
          If Err Then
          '* WScript.Echo "Problem Creating Alternate Administrator Account"
          Wscript.quit
          Else
          usr.FullName = "Alternate Administrator"
          usr.AccountDisabled = True
          usr.SetPassword (strNewPass)
          usr.SetInfo
          '* Wscript.echo "Created Alternate Administrator Account"
          End if
          
          
          '//////////////////////////////////////////////////
          '// Localization Subroutines
          '//////////////////////////////////////////////////
          
          
          Function TranslateLocalGroup(engGroupName)
          
          ' Well-known local groups
          Select Case engGroupName
          Case "Administrators"
          sid = "^S-1-5-32-544$"
          Case "Users"
          sid = "^S-1-5-32-545$"
          Case "Guests"
          sid = "^S-1-5-32-546$"
          Case "Power Users"
          sid = "^S-1-5-32-547$"
          End Select
          
          Set regEx = New RegExp ' Create regular expression.
          regEx.IgnoreCase = False ' Set case sensitivity.
          
          ' Look at all local groups until a match is found
          TranslateLocalGroup = ""
          Set groups = GetObject("winmgmts:").ExecQuery("select * from Win32_Group where Domain = '" & wshNetwork.ComputerName & "'")
          For each g in groups
          regEx.Pattern = sid
          If regEx.Test(g.SID) then
          TranslateLocalGroup = g.Name
          Exit Function
          End if
          Next
          
          End Function
          
          
          Function TranslateLocalUser(engUserName)
          
          ' Well-known local users
          ' (\d+ because each 32-bit sub-authority can have fewer than 8 digits)
          Select Case engUserName
          Case "Administrator"
          sid = "^S-1-5-21-\d+-\d+-\d+-500$"
          Case "Guest"
          sid = "^S-1-5-21-\d+-\d+-\d+-501$"
          End Select
          
          Set regEx = New RegExp ' Create regular expression.
          regEx.IgnoreCase = False ' Set case sensitivity.
          
          ' Look at all local users until a match is found
          TranslateLocalUser = ""
          Set users = GetObject("winmgmts:").ExecQuery("select * from Win32_UserAccount where Domain = '" & wshNetwork.ComputerName & "'")
          For each u in users
          regEx.Pattern = sid
          If regEx.Test(u.SID) then
          TranslateLocalUser = u.Name
          Exit Function
          End if
          Next
          
          End Function
          
          
          Function ProfileDir
          ProfileDir = shell.ExpandEnvironmentStrings(shell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory"))
          End Function
          
          Function AdministratorUserProfile
          AdministratorUserProfile = ProfileDir & "\" & TranslateLocalUser("Administrator")
          End Function
          
          Function DefaultUserProfile
          DefaultUserProfile = ProfileDir & "\" & shell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\DefaultUserProfile")
          End Function
          tip: Try to use parameters in this script like the way that is applied in the previous script!

          - - - -

          More more more scripts about changing local accounts:
          - http://www.google.com/search?q=%2B%2...er%2Fresources
          - ( http://www.microsoft.com/technet/sec.../aapgch03.mspx ~info)

          Command-line tools (here you must know the administrator by its name):
          - PsPasswd.exe (command-line supports already an inputfile w/ computernames option)
          - cusrmgr.exe (can be used in a 'loop' batch running on a list w/ computernames)
          - net user ... ... (in a computer startup script)

          'loop' batch example:
          Code:
          for /f %i in (c:\computers.txt) do @echo %i: && "c:\cusrmgr.exe" -u Administrator -m "\\%i" -P pcAdmin2
          (ps. You cannot use special characters for the name and passw when using this batch !)


          \Rem


          EDIT: 8th March 2007
          In the original VBscript posted here (see link in this post), the Administrator's name is changed before the script changes its password,
          but.... for changing the password it uses the old Administrator's name from memory, <--- that returned an error, because
          the account couldn't be found, so the new password cannot be applied.
          =now fixed=
          Last edited by Rems; 8th March 2007, 23:51.


          Comment


          • #6
            Re: Reset the local administrator password for all the pc using batch

            For the 'cusrmgr.exe' loop command,
            where the -p gives you random characters, is there a way to tell what the password for that is?
            Also, if you have like 20 or so computers in a list, is the password different for all of them or is it the same random password?

            Also, one more thing: is there a way we can generate random alphanumeric characters in a batch file?

            Sorry for all the questions, kinda new at this and trying to understand it as much as possible.

            cheers
            Huy

            Comment


            • #7
              Re: Reset the local administrator password for all the pc using batch

              Originally posted by nuganen
              for the 'cusrmgr.exe' loop command
              where the lowercase -p gives you random characters is there a way to tell what the password for that is?
              <...>
              if you have like 20 or so computers in a list is the password all different or its the same random password
              1. No, you cannot tell; that is not a feature of the tool. You have to go to the source of that tool if you want to know how the password is generated.
              2. With that batch the password for the Administrator account on every computer will be a totally different password.
              Originally posted by nuganen
              is there a way we can generate random alphanumeric characters in a batch file?
              In a batch I don't know; a vb-script can do it.
              I recommend using a script that can generate passwords that meet the complexity requirements.

              This is an example of how you can use pspasswd.exe to reset the password with one random password, the same for all the computers. That password is shown in a popup when the job is finished. The popup also includes a log of successes and failures for all the computers. You can schedule the script on the server.
              Code:
              'Option Explicit
                     Dim passLen, accName, inputFile, newpass
              
              '-----------------------------------
                 passLen   = 6
                 accName   = "ADMINISTRATOR"
              
                 inputFile = "C:\COMPUTERS.TXT"
              '-----------------------------------
              
              newpass = generatePassword(passLen)
              
              Set objShell = CreateObject("WScript.Shell")
              Set objWshScriptExec = objShell.Exec("c:\pstools\pspasswd.exe  @" &chr(34) &inputFile &chr(34) &" " &accName &" " &newpass )
              
              Set objStdOut = objWshScriptExec.StdOut
              strOutput = objStdOut.ReadAll
              WScript.Echo date & "," & time & vbCrLf&"NewPassword: "& newpass& vbCrLf& vbCrLf & strOutput
              
              Set objShell = Nothing
              wscript.quit
              
              
              
              Function generatePassword(PASSWORD_LENGTH)
               '=====================================================================
               ' http://www.tek-tips.com/faqs.cfm?fid=5341
               ' NAME: RandomPasswordGenerator.vbs
               '
               ' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
               ' URL: http://www.thespidersparlor.com
               ' DATE  : 7/29/2004
               '
               ' COMMENT: Generates Random Passwords meeting "Complex" Requirements
               '          By default will generate a 6 digit password.
               '          Edit line passLen = 6 to change length
               '====================================================================
                       Dim NUMLOWER, NUMUPPER, LOWERBOUND, UPPERBOUND, LOWERBOUND1, UPPERBOUND1, SYMLOWER, SYMUPPER
                       Dim newPassword, count, pwd 
                       Dim pCheckComplex, pCheckComplexUp, pCheckComplexLow, pCheckComplexNum, pCheckComplexSym, pCheckAnswer
              
                           NUMLOWER    = 48  ' 48 = 0
                           NUMUPPER    = 57  ' 57 = 9
                           LOWERBOUND  = 65  ' 65 = A
                           UPPERBOUND  = 90  ' 90 = Z
                           LOWERBOUND1 = 97  ' 97 = a
                           UPPERBOUND1 = 122 ' 122 = z
                           SYMLOWER    = 33  ' 33 = !
                           SYMUPPER    = 46  ' 46 = .
                           pCheckComplexUp  = 0 ' used later to check number of character types in password
                           pCheckComplexLow = 0 ' used later to check number of character types in password
                           pCheckComplexNum = 0 ' used later to check number of character types in password
                           pCheckComplexSym = 0 ' used later to check number of character types in password
               
                       ' initialize the random number generator
                       Randomize()
              
                       newPassword = ""
                       count = 0
                       Do Until count = PASSWORD_LENGTH
                           ' generate a num between 2 and 10
                           ' if num < 5 create an uppercase
                           If Int( ( 10 - 2 + 1 ) * Rnd + 2 ) < 5 Then
                               pwd = Int( ( UPPERBOUND - LOWERBOUND + 1 ) * Rnd + LOWERBOUND )
                           ' if num is between 4 and 7 create a lowercase
                           ElseIf Int( ( 10 - 2 + 1 ) * Rnd + 2 ) > 3 And Int( ( 10 - 2 + 1 ) * Rnd + 2 ) < 8 Then
                               pwd = Int( ( UPPERBOUND1 - LOWERBOUND1 + 1 ) * Rnd + LOWERBOUND1 )
                           ' if num is between 8 and 10 generate a symbol
                           Else
                               pwd = Int( ( SYMUPPER - SYMLOWER + 1 ) * Rnd + SYMLOWER )
                           End If

                           newPassword = newPassword + Chr( pwd )
                           count = count + 1

                           'Check to make sure that a proper mix of characters has been created.  If not discard the password.
                           If count = PASSWORD_LENGTH Then
                               For pCheckComplex = 1 To PASSWORD_LENGTH
                                   'Check for uppercase (A-Z = 65..90, so the upper limit is < 91)
                                   If Asc(Mid(newPassword,pCheckComplex,1)) > 64 And Asc(Mid(newPassword,pCheckComplex,1)) < 91 Then
                                       pCheckComplexUp = 1
                                   'Check for lowercase
                                   ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 96 And Asc(Mid(newPassword,pCheckComplex,1)) < 123 Then
                                       pCheckComplexLow = 1
                                   'Check for numbers
                                   ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 47 And Asc(Mid(newPassword,pCheckComplex,1)) < 58 Then
                                       pCheckComplexNum = 1
                                   'Check for symbols
                                   ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 32 And Asc(Mid(newPassword,pCheckComplex,1)) < 47 Then
                                       pCheckComplexSym = 1
                                   End If
                               Next

                               'Add up the number of character sets.  We require 3 or 4 for a complex password.
                               pCheckAnswer = pCheckComplexUp+pCheckComplexLow+pCheckComplexNum+pCheckComplexSym

                               If pCheckAnswer < 3 Then
                                   'Discard and start over; clear the flags so the next attempt is judged on its own.
                                   newPassword = ""
                                   count = 0
                                   pCheckComplexUp = 0 : pCheckComplexLow = 0 : pCheckComplexNum = 0 : pCheckComplexSym = 0
                               End If
                           End If
                       Loop
              'The password is good so return it
               generatePassword = newPassword
              End Function
              \Rem
              Last edited by Rems; 15th March 2007, 22:50.


              Comment
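
An added example (not code from the thread or from the tools it mentions) answering the question in post #6 with a different random password per computer: VBScript's `Rnd` is seeded from the system timer and is not a cryptographic generator, so this version draws from the operating system's CSPRNG and guarantees all four character classes. Function names, the default length and the computer names are assumptions made for the example.

```powershell
# Added example, not from the thread. Names and defaults are illustrative assumptions.
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-UniformInt {
    # Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias.
    param([Parameter(Mandatory)][ValidateRange(1, 256)][int]$Max)
    $limit = 256 - (256 % $Max)            # bytes at or above this value are rejected
    $byte  = New-Object byte[] 1
    do { $script:Rng.GetBytes($byte) } while ($byte[0] -ge $limit)
    return $byte[0] % $Max
}

function New-LocalAdminPassword {
    param([ValidateRange(12, 128)][int]$Length = 20)   # assumed default; the thread's script used 6
    # Look-alike characters are left out. Symbols are limited to ones cmd.exe does not
    # treat specially, since post #5 notes that special characters break the batch tools.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '#+.@_'
    $all     = -join $classes
    $chars   = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        # First four positions take one character from each class; the rest use the full set.
        $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
        $chars[$i] = $set[(Get-UniformInt $set.Length)]
    }
    # Fisher-Yates shuffle so the guaranteed characters are not always at the front.
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j   = Get-UniformInt ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-PasswordClasses {
    # Number of character classes (upper, lower, digit, symbol) present in the password.
    param([Parameter(Mandatory)][string]$Password)
    $n = 0
    foreach ($p in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $p) { $n++ }
    }
    return $n
}

# One independent password per computer; the names are constructed sample values.
$computers = 'PC-001', 'PC-002', 'PC-003'
$computers | ForEach-Object {
    $pw = New-LocalAdminPassword
    [pscustomobject]@{
        Computer = $_
        Length   = $pw.Length
        Classes  = Test-PasswordClasses $pw     # always 4 with this generator
        Password = $pw                          # send to a protected store, not a popup or log
    }
}
```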
