Client Management Suite

 View Only
Back to discussions
Expand all | Collapse all

Change local admin password on all manage PCs'

  • 1.  Change local admin password on all manage PCs'

    Posted Nov 04, 2010 11:16 AM

    What would be the best way to change all the local admin passwords on managed PC's.

    I'm sure thats an easy one for you CMS gurus..

    Ta.

    Joe

    using CMS7



  • 2.  RE: Change local admin password on all manage PCs'

    Posted Nov 04, 2010 01:17 PM

    You can create a job to run a VBscript to reset that password. 

    Here's the vbscript:

    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
    objUser.SetPassword "passwordhere"
    objUser.SetInfo

     

    Let me know if you need any more help with it.



  • 3.  RE: Change local admin password on all manage PCs'

    Posted Nov 04, 2010 02:10 PM

    I'm not sure how that's all transfered to the client, but that code is obviously in clear text.  You may want to encode the vbscript:

     

    http://msdn.microsoft.com/en-us/library/d14c8zsc(v=VS.85).aspx

     

    Hmmm, says its not supported in Vista/7.  That sucks.  Will still work if you're an XP shop tho.

     

    You can also use Group Policy Preferences to set the local admin password.



  • 4.  RE: Change local admin password on all manage PCs'

    Posted Nov 04, 2010 03:40 PM

    The scripts are transferred locally to be run, i.e. in ds it's in the temp folder, in ns in the software delivery, etc.  Even after it's deleted it can be recovered unless it's specifically overwritten.  Encoding the vbs is a little more secure, but it can be easily decoded with a click of a button

    If you're worried about security you should pass in the password as an argument so the only time it's exposed is when it's running.  Make sure it runs in a hidden window as well.

    strpassword = wscript.Arguments(0)
    strComputer = "."
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
    objUser.SetPassword strpassword
    objUser.SetInfo

    - Brent



  • 5.  RE: Change local admin password on all manage PCs'

    Posted Nov 04, 2010 10:41 PM

    There is an Altiris/Symantec partner company Arellia which sells an application called Local Security Solution.  This allows you to fully randomize the password on each machine, and have an audit trail for when it is disclosed (and optionally notify the end-user or some other email address).  Take a look at it at http://www.arellia.com/solutions.aspx.  We use the old version 6.1 for NS6 and it works great.  Much more secure also than having one shared password!  It is a bit inconvenient at times to have to "check out" the password, but if you have any concerns over IT staff abusing their permissions, it is a good tool to have.



  • 6.  RE: Change local admin password on all manage PCs'

    Posted Nov 04, 2010 10:44 PM

    There have been several other threads on Connect about this same question, more information to be had in the following:

    https://www-secure.symantec.com/connect/forums/what-easiest-way-change-my-admin-password

    https://www-secure.symantec.com/connect/forums/setting-local-admin-password



  • 7.  RE: Change local admin password on all manage PCs'

    Posted Nov 05, 2010 06:12 AM

    Thanks for feedback guys. So lets say I create a vbscript job to push this out to all clients. We have a lot of remote users who may not connect to the VPN very often. If I schedule this to run every day for 4 weeks, will this push it out to every machine each day. Is there anyway I can create a dynamic filter to push it out to. So it only goes to new machines (if you get my drift). I dont really know if theres a performance saving here or not!!

     

    Joe.



  • 8.  RE: Change local admin password on all manage PCs'

    Posted Nov 05, 2010 09:00 AM

    I'm not as familiar with NS7 software deliveries as I am with 6, but I'd be surprised if you didn't have an option to deliver it "as soon as possible".

    In 6 when you did that you could just leave that enabled and everything that dropped into that collection (target group in 7) would then receive the task 1 time and execute it as soon as they could.

    I unfortunately am out of the office and don't have access to my NS7 console.  Could anyone else confirm this?



  • 9.  RE: Change local admin password on all manage PCs'
    Best Answer

    Posted Nov 18, 2010 08:55 AM

    Just found an exisitng job under 'real Time systems Manager' - I can change any local account here it here and apply to all machines.

    cheers

    Joe



  • 10.  RE: Change local admin password on all manage PCs'

    Posted Nov 18, 2010 09:42 AM

    Joe,

    We implement a Job in Deployment Solution with only this command in a Task:

            NET USER Administrator newpassword

     

    Saludos!

    Hugo



  • 11.  RE: Change local admin password on all manage PCs'

    Posted Dec 17, 2010 04:01 PM

    If you have Active Directory in play, you can use Group Policy Preferences to set the local Administrator password dynamically on every computer in the domain, and new computers added to the domain will pick up the assigned password for the local Administrator account.  If you have AD running on Windows 2003 Servers, you can use the Windows7 Group Policy editor to set the local Admin password.  Alternately, if you have AD running on Windows 2008 Servers, use the Group Policy editor on Win2k8 Server.

     

    http://social.technet.microsoft.com/Forums/en/winserverGP/thread/b1e94909-bb0b-4e10-83a0-cd7812dfe073