Automated Change of Local Administrator Password

This would not be useful to people who disable the Administrator account, but here's one way we came up with to change the Administrator account password on computers on a regular basis. Admittedly it's not the coolest or most secure method, but it's one method. :)

I've seen various methods and mediums people use to change the Administrator account: vbscript, the 'net user' command, logon scripts, GPO, etc. Using the vbscript in this method can be deployed to computers using Altiris Deployment Console, or for an automated approach, Software Delivery Solution.

1. Save the following script into a .vbs file.

'Set New Administrator Password
'vbscript
strComputer = "."
strDate = Date()
strPassword = "SamplePassword"
strUser = "Administrator"

firstSlashPos = instr(strDate, "/")
' Get the text up to (but not including) the first slash
strMonth = left(strDate, firstSlashPos - 1)
strMonth = strMonth * 3
strPassword = strPassword + Cstr(strMonth)

Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser)
objUser.SetPassword strPassword

The script looks at the current date, parses the first number before the forward slash (the month), performs some math to that number, and appends it to the end of your base password. So, someone needing to use the Administrator account could think about what month it is and add that to the end of the constant part of the password. In this case it would be "SamplePassword21". Of course, a more complex algorithm should be used if you want it to be more secure. If the formula is very easy, the wrong person could predict the password. The script could be changed to parse just about anything and append it to the password.

2. Create a collection to add computers to that will have their Admin passwords changed. It's useful to create a collection of computers that should be excluded from the password change and exclude them from the previous collection. Another collection for testing could be created too.

3. Create a Software Delivery Package and Program for this script. Use the setting "Package files will be deleted from the client computer if unused for:" and set it to "0 days (delete immediately)". This is so the vbscript file with the embedded password is not stored on the local computer where it could stumbled upon. Also, make sure the UNC path the package is saved at only has access for the Altiris account that the Agent runs as so a regular person couldn't browse to the package and see it.

4. Create a Software Delivery Task for this package and program and link it to the collection in step 2. A second test task could be created and linked to the test collection. Configure the schdule of the task to run at 12AM on day 1 of every month.

Having done the previous, you will have a task that runs every month on your computers to change the Administrator password. The computer tech who needs to use the Administrator account for building/troubleshooting will know what the password is based on the criteria you establish in the script, such as the month.