Large-scale local administrator password reset

27 replies to this topic

#1 +Bryan R.

Posted 24 April 2014 - 03:19

I'm installing anti-virus across a large network, 200+ machines. I can do this automated but I need to have the local administrator account enabled and the password set on each machine. I was thinking something over group policy but haven't been able to find a working script.

 

My DC is 2012 and the machines are a mixture of Windows XP and Windows 7.



#2 sc302

Posted 24 April 2014 - 11:43

You would do it through a batch file or vb script. It can be pushed through a gpo.

But honestly the best way to push would be through a corporate AV from anyone: ESET, VIPRE, Symantec, McAfee, Kaspersky, etc.

#3 +BudMan

Posted 24 April 2014 - 11:48

Why would you need local admin account, why can you not just use domain admin to install?



#4 AStaley

Posted 24 April 2014 - 12:09

As sc302 and +BudMan have both said, the best way to deploy the AV to your machines would be via the built-in mechanism all the corporate AVs provide, using your domain admin account. What AV are you trying to deploy? Others here may have experience with it and will be able to give you pointers.



#5 Daedroth

Posted 24 April 2014 - 13:36

We use Sophos Endpoint, and that uses a System account that we created in AD. I would suspect that you can do something similar, rather than enabling the built-in administrator.



#6 Geoffrey B.

Posted 24 April 2014 - 13:40

We use Sophos Endpoint, and that uses a System account that we created in AD. I would suspect that you can do something similar, rather than enabling the built-in administrator.

 

We use the same thing, it's fantastic to use the AD account rather than a local one. We have also tied a few things in Sophos to groups so that we have different levels of applications allowances and a few other things.



#7 OP +Bryan R.

Posted 24 April 2014 - 14:49

I'm deploying Avast using Avast Enterprise Administration. It would make sense to use the domain admin account to do this. Authentication to the admin shares works from the server machine to a client machine I'm trying to push to. The push fails immediately with Access Denied.

 

Log:

 

LAB06-2011: WNetAddConnection2 \\LAB06-2011\C$ LAB06-2011\administrator error 1326 (The user name or password is incorrect)

LAB06-2011: WNetAddConnection2 \\LAB06-2011\ADMIN$ LAB06-2011\administrator error 1326 (The user name or password is incorrect)

 

So, the process is clearly trying to use the local admin account when in the deployment task I have the domain admin account added. As soon as I changed the local admin password, the remote install worked.

 

The point of enabling and resetting the password for all local admin accounts is also something I'd like to do for security and management reasons unrelated to this deployment.



#8 sc302

Posted 24 April 2014 - 14:57

http://forum.avast.c...?topic=124140.0

 

 


ACTIVE DIRECTORY

If using Active Directory you can easily create an installation package to push the client remotely through the network with Network Administrator password and in the Deploying Group. The Endpoint client will remove existing installation of avast! 4 only.  Any other avast! version or other anti-virus should be un-installed prior to Endpoint deployment.



#9 sc302

Posted 24 April 2014 - 15:03

http://www.advantage...k_Guide_AEA.pdf

 

Read the how to deploy section, around page 19.  I think someone messed up the install package, based on what I just briefly read..



#10 OP +Bryan R.

Posted 24 April 2014 - 15:05

Yes, I know it should work. I have the account filled in on the deployment task but it's still not authenticating.

 

Edit: I did find where the account was not entered correctly. So, now it is authenticating. Basically, the log in account detail asks for domain, username, and password fields. I entered them and assumed it would use the domain field to authenticate the domain admin account to the end machine but it needed the username field to also have the full domain\username as well as the domain field.

 

 

Still I need to be able to enable and reset all local admin accounts. Some of them will have a password that needs to be updated for security reasons. So, anyone have one of these working scripts to push through group policy?



#11 sc302

Posted 24 April 2014 - 15:13

try this in a batch file

 

 


net user administrator anypasswordyoudecide

 

try this in a vbscript


Set oShell = CreateObject("WScript.Shell")
Const SUCCESS = 0

sUser = "administrator"
sPwd = "Password2"

' get the local computername with WScript.Network,
' or set sComputerName to a remote computer
Set oWshNet = CreateObject("WScript.Network")
sComputerName = oWshNet.ComputerName

' bind to the local account through the WinNT ADSI provider
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

' Set the password
oUser.SetPassword sPwd
oUser.SetInfo

 

test first then deploy



#12 AStaley

Posted 24 April 2014 - 15:53   Best Answer

You can also do it through GP Preferences I believe, I've not tried this.  Within GP Management Editor expand; Computer Configuration>Control Panel Settings>Local Users and Groups and Right click for New Local User.  Leave the action as update and select Administrator (Built-in) and then update the password fields and deploy.  At least this is where it is in 2008 R2, not setup a test environment yet for 2012 R2.
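
A check worth running wherever the Group Policy Preferences method above has been used, as an added example that is not part of the original post: a password set through a preference item is written to the policy's XML under SYSVOL as a `cpassword` attribute that domain members can read, and a later Microsoft security update removed these password fields for that reason. The script lists preference items that still store a password so they can be deleted and the affected passwords changed; the SYSVOL path and the `example.local` domain are assumptions.

```powershell
# Added example. $SysvolPolicies is an assumed path: replace example.local
# with your own domain name.
param(
    [string]$SysvolPolicies = '\\example.local\SYSVOL\example.local\Policies'
)

function Find-GppStoredPassword {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $doc = [xml](Get-Content -LiteralPath $file -Raw) }
            catch { return }   # skip files that are not well-formed XML

            # Preference items keep the stored password on their <Properties>
            # element; the parent element carries the item name and change date.
            foreach ($node in $doc.SelectNodes('//*[@cpassword != ""]')) {
                [pscustomobject]@{
                    File     = $file
                    Item     = $node.ParentNode.GetAttribute('name')
                    UserName = $node.GetAttribute('userName')
                    Changed  = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Report locations only; the stored value itself is never printed.
Find-GppStoredPassword -Path $SysvolPolicies | Format-Table -AutoSize
```

Any row in the output identifies a preference item to delete from its GPO, after which the password it set should be treated as exposed and changed.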



#13 OP +Bryan R.

Posted 24 April 2014 - 16:31

You can also do it through GP Preferences I believe, I've not tried this.  Within GP Management Editor expand; Computer Configuration>Control Panel Settings>Local Users and Groups and Right click for New Local User.  Leave the action as update and select Administrator (Built-in) and then update the password fields and deploy.  At least this is where it is in 2008 R2, not setup a test environment yet for 2012 R2.

Who would have thought it would be so easy. Loving group policy preferences. Every time I look there's something new and amazing :p



#14 MorganX

Posted 24 April 2014 - 16:36

Who would have thought it would be so easy. Loving group policy preferences. Every time I look there's something new and amazing :p

 

GP preferences is worth its weight in gold!



#15 +BudMan

Posted 24 April 2014 - 18:26

"Some of them will have a password that needs to be updated for security reasons. So, anyone have one of these working scripts to push through group policy?"

So how I used to do this back in the day when I used to have to do such things was this tool

http://technet.micro...ernals/bb897543
Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password.

PsPasswd uses Windows password reset APIs, so does not send passwords over the network in the clear.

I would create a file with the command to talk to each machine and in the file would be all the different passwords. It is not good practice for every local admin account to have the same password. Because if one is compromised they then have local admin for every machine in your network. So I would use a password generator and generate a different password for every machine. Then paste them into my script and just run it from my workstation, it would go out to every machine and change the local admin password to the new one.

So I could set the local admin password on 1000+ machines in a matter of couple of minutes.
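
The per-machine approach described in the post above, as an added example that is not code from the thread: it generates a different random password for each computer, enables the built-in account and sets the password. It uses the WinNT ADSI call from the VBScript in post #11 rather than PsPasswd; `computers.txt`, the output file name and the account name `Administrator` are assumptions.

```powershell
# Added example, not from the thread. computers.txt (one name per line) and
# the CSV name are assumed; run as an account with admin rights on the targets.
function New-RandomPassword {
    param([int]$Length = 20)
    # Look-alike characters (0/O, 1/l/I) are left out to ease manual entry.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#+=?_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Reject bytes at or above the largest multiple of the alphabet size so
    # the modulo below does not favour the first few characters.
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $candidate = $sb.ToString()
        # Retry until upper case, lower case, digit and symbol are all present.
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '\d' -and $candidate -match '[!#+=?_]')
    $candidate
}

$computers = Get-Content -Path .\computers.txt | Where-Object { $_.Trim() }
$results = foreach ($computer in $computers) {
    $password = New-RandomPassword
    try {
        $user = [ADSI]"WinNT://$computer/Administrator,user"
        # Clear ADS_UF_ACCOUNTDISABLE (0x2) so the account is enabled.
        $user.UserFlags.Value = $user.UserFlags.Value -band (-bnot 0x2)
        $user.SetInfo()
        # SetPassword applies immediately and runs last, so a failure in any
        # step leaves the old password in place.
        $user.SetPassword($password)
        $status = 'Changed'
    } catch {
        $status   = "Failed: $($_.Exception.Message)"
        $password = $null   # never record a password that was not set
    }
    [pscustomobject]@{ Computer = $computer; Status = $status; Password = $password }
}
# The CSV holds live credentials: write it to an access-controlled location
# and move the values into a password vault.
$results | Export-Csv -Path .\local-admin-passwords.csv -NoTypeInformation
```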