
I'm installing anti-virus across a large network, 200+ machines. I can do this automated, but I need to have the local administrator account enabled and the password set on each machine. I was thinking of something via group policy but haven't been able to find a working script.

 

My DC is 2012 and the machines are a mixture of Windows XP and Windows 7.

As sc302 and +BudMan have both said, the best way to deploy the AV to your machines would be via the built-in mechanism all the corporate AVs provide, using your domain admin account. What AV are you trying to deploy? Others here may have experience with it and will be able to give you pointers.

  On 24/04/2014 at 13:36, Daedroth said:

We use Sophos Endpoint, and that uses a System account that we created in AD. I would suspect that you can do something similar, rather than enabling the built-in administrator.

 

We use the same thing; it's fantastic to use the AD account rather than a local one. We have also tied a few things in Sophos to groups so that we have different levels of application allowances and a few other things.

I'm deploying Avast using Avast Enterprise Administration. It would make sense to use the domain admin account to do this. Authentication to the admin shares works from the server machine to a client machine I'm trying to push to. The push fails immediately with Access Denied.

 

Log:

  Quote

 

LAB06-2011: WNetAddConnection2 \\LAB06-2011\C$ LAB06-2011\administrator error 1326 (The user name or password is incorrect)

LAB06-2011: WNetAddConnection2 \\LAB06-2011\ADMIN$ LAB06-2011\administrator error 1326 (The user name or password is incorrect)

 

So, the process is clearly trying to use the local admin account, when in the deployment task I have the domain admin account added. As soon as I changed the local admin password, the remote install worked.

 

The point of enabling and resetting the password for all local admin accounts is also something I'd like to do for security and management reasons unrelated to this deployment.

http://forum.avast.com/index.php?topic=124140.0

 

 

  Quote

ACTIVE DIRECTORY

If using Active Directory you can easily create an installation package to push the client remotely through the network with Network Administrator password and in the Deploying Group. The Endpoint client will remove existing installation of avast! 4 only.  Any other avast! version or other anti-virus should be un-installed prior to Endpoint deployment.

  On 24/04/2014 at 14:57, sc302 said:

Yes, I know it should work. I have the account filled in on the deployment task but it's still not authenticating.

 

Edit: I did find where the account was not entered correctly. So, now it is authenticating. Basically, the log in account detail asks for domain, username, and password fields. I entered them and assumed it would use the domain field to authenticate the domain admin account to the end machine but it needed the username field to also have the full domain\username as well as the domain field.

 

 

Still I need to be able to enable and reset all local admin accounts. Some of them will have a password that needs to be updated for security reasons. So, anyone have one of these working scripts to push through group policy?

try this in a batch file

 

 

  Quote

net user administrator anypasswordyoudecide

 

try this in a vbscript

  Quote

Set oShell = CreateObject("WScript.Shell")

sUser = "administrator"
sPwd = "Password2"

' get the local computer name with WScript.Network,
' or set sComputerName to a remote computer
Set oWshNet = CreateObject("WScript.Network")
sComputerName = oWshNet.ComputerName

' bind to the local account through the WinNT ADSI provider
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

' Set the password and commit the change
oUser.SetPassword sPwd
oUser.SetInfo

 

test first then deploy

You can also do it through GP Preferences I believe, I've not tried this. Within GP Management Editor expand Computer Configuration > Control Panel Settings > Local Users and Groups and right-click for New Local User. Leave the action as Update and select Administrator (Built-in), then update the password fields and deploy. At least this is where it is in 2008 R2; I've not set up a test environment yet for 2012 R2.

  On 24/04/2014 at 15:53, AStaley said:

You can also do it through GP Preferences I believe, I've not tried this. Within GP Management Editor expand Computer Configuration > Control Panel Settings > Local Users and Groups and right-click for New Local User. Leave the action as Update and select Administrator (Built-in), then update the password fields and deploy. At least this is where it is in 2008 R2; I've not set up a test environment yet for 2012 R2.

Who would have thought it would be so easy. Loving group policy preferences. Every time I look there's something new and amazing :p

  On 24/04/2014 at 16:31, Xenosion said:

Who would have thought it would be so easy. Loving group policy preferences. Every time I look there's something new and amazing :p

 

GP preferences is worth its weight in gold!

"Some of them will have a password that needs to be updated for security reasons. So, anyone have one of these working scripts to push through group policy?"

So how I used to do this back in the day, when I used to have to do such things, was this tool:

http://technet.microsoft.com/en-us/sysinternals/bb897543

Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password.

PsPasswd uses Windows password reset APIs, so does not send passwords over the network in the clear.

I would create a file with the command to talk to each machine, and in the file would be all the different passwords. It is not good practice for every local admin account to have the same password, because if one is compromised they then have local admin for every machine in your network. So I would use a password generator and generate a different password for every machine, then paste them into my script and just run it from my workstation; it would go out to every machine and change the local admin password to the new one.

So I could set the local admin password on 1000+ machines in a matter of couple of minutes.


I feel the need to point out that passwords in batch / VBScript files via Group Policy are not secure and can be read by all users (or malware) if they know where to look. It is convenient, but not 'secure'.
 

  On 24/04/2014 at 15:53, AStaley said:

You can also do it through GP Preferences I believe, I've not tried this. Within GP Management Editor expand Computer Configuration > Control Panel Settings > Local Users and Groups and right-click for New Local User. Leave the action as Update and select Administrator (Built-in), then update the password fields and deploy. At least this is where it is in 2008 R2; I've not set up a test environment yet for 2012 R2.

 
Also, passwords in GP Preferences are NOT secure. They are jumbled up, but still available to any user (or malware) on any domain-joined PC that knows where to look. Again it is convenient, but not 'secure'.
 

  Quote

However, the password is not secured. Because the password is stored in SYSVOL, all authenticated users have read access to it.
http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx


You can use a script like this from the server that takes in a text file list of PCs to remotely change passwords. A little less convenient, and each PC needs to be on when you run the script, but the passwords are never exposed to users this way.

- J
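The SYSVOL exposure J's quote describes can be checked for directly. The following is an added example, not code from the thread or from Microsoft: it walks the domain's Policies share for any Group Policy Preferences XML that still carries a non-empty cpassword attribute and reports which GPO it belongs to. It assumes it is run on a domain-joined machine, that $env:USERDNSDOMAIN names the domain to scan, and that the GroupPolicy module (Get-GPO) may or may not be present.

```powershell
# Added example, not from the thread: audit SYSVOL for Group Policy Preferences XML that still
# stores a credential in a cpassword attribute, i.e. readable by every authenticated user.
# Assumptions: domain-joined machine; $env:USERDNSDOMAIN is the domain to scan; Get-GPO is optional.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

function Find-GppPassword([string]$PoliciesPath) {
    # Select-String -List stops at the first match per file; an empty cpassword="" is not a
    # stored password, so the pattern requires at least one character between the quotes.
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="[^"]+"' -List |
        ForEach-Object {
            # The GPO GUID is the folder directly under Policies; the preference area
            # (Groups, Services, ScheduledTasks, DataSources, Drives) is the folder holding the XML.
            $guid = if ($_.Path -match 'Policies\\(\{[^}]+\})') { $Matches[1] } else { '?' }
            $gpoName = 'unknown (GroupPolicy module not available?)'
            try { $gpoName = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { }
            [pscustomobject]@{
                GpoName = $gpoName
                GpoGuid = $guid
                Area    = Split-Path -Path (Split-Path -Path $_.Path -Parent) -Leaf
                File    = $_.Path
            }
        }
}

$hits = @(Find-GppPassword -PoliciesPath $policies)
if ($hits.Count -eq 0) {
    Write-Host "No GPP items with a stored cpassword found under $policies"
} else {
    $hits | Format-Table GpoName, GpoGuid, Area, File -AutoSize
    Write-Host "Remove the password from these preference items; set the local admin password another way (e.g. per-machine pspasswd, as discussed in this thread)."
}
```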

  On 24/04/2014 at 21:01, Colonel-Sanders said:

I feel the need to point out that passwords in batch / VBScript files via Group Policy are not secure and can be read by all users (or malware) if they know where to look. It is convenient, but not 'secure'.

 

 

Also, passwords in GP Preferences are NOT secure. They are jumbled up, but still available to any user (or malware) on any domain-joined PC that knows where to look. Again it is convenient, but not 'secure'.

 

You can use a script like this from the server that takes in a text file list of PCs to remotely change passwords. A little less convenient, and each PC needs to be on when you run the script, but the passwords are never exposed to users this way.

- J

Yes, you are correct. I don't like scripts for this reason. I understand GPP doesn't hide the password either (a dialog box warns of this). I am willing to compromise and remove this policy when its purpose is fulfilled ;) A nice trade-off between meticulous detail and convenience.

Looking at PsPasswd that BudMan mentioned, it would seem to be a good option for securely changing passwords on a network. Reading the text I can see how it would be used to change the admin password on multiple PCs, but I'm not clear on how you would set different passwords for each PC; PsPasswd would seem to set the same password against all PCs within the file specified. Presumably, to set different passwords against different PCs this would need to be used in conjunction with some form of script/batch file running from the admin PC which also had a separate file containing a list of passwords?

Not sure with Avast, but with other pieces of software, for the admin credentials to work, we've had to disable Simple File Sharing.

 

Regarding your installation, just create a package in the management console, then install using GPO or another desktop management.

 

I skimmed some, but it looked like you're trying to push from server?

By design, reading the @file with a list of computers, yes it would set the same password for each machine. Bad admin! ;)

So just have your script that uses the command for each machine, something like this

pspasswd \\computer1 -u domainadmin -p domainadminpassword administrator O*o]Z>0_4}+J

pspasswd \\computer2 -u domainadmin -p domainadminpassword administrator &z63K683td11

pspasswd \\computer3 -u domainadmin -p domainadminpassword administrator =+2]3)L{o81Q

You only need to use the domainadmin and password if your account does not have permission on the remote box, which normally it shouldn't in an enterprise; it is not a good idea to run with an account that has the equivalent of domain admin, etc. But if your setup has, say, your admin accounts in the local admin group, then you don't need to specify it on the command line.

Example: here is me changing the administrator account password to Test123 on my NAS box in my home network from my PC at home, where my account matches up with an admin account on the storage box, so I do not need to send creds to auth to the machine on the cmd line.

C:\>pspasswd \\storage administrator Test123

PsPasswd v1.23 - Local and remote password changer

Copyright © 2003-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Password successfully changed.

So you put all the commands in a batch and run it, and if you send the output to a file you have a listing of which machines were off or failed, etc.

C:\>pspasswd \\notstorage administrator Test123

PsPasswd v1.23 - Local and remote password changer

Copyright © 2003-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Error changing password:

The RPC server is unavailable.

Now yes, all the passwords are in the script you create. But you are the admin :) When I used to have to do this I would print out the passwords and put them in the vault, then put my script and log in a secure location that other admins had access to.

Also, as mentioned it uses the MS APIs and the password is not sent in the clear. Now would it be possible for, say, someone sniffing while you do this to decode?? Not sure on that, prob yes!! But you're not doing this over the public internet, you're doing it over YOUR network. So if your users are sniffing on your network that is on you in the first place ;)


Okay interesting, something I will need to keep in mind.

 

How would you go about creating a script for, say, 500 people? For me a simple batch file would be best as my VBS skills are lacking. But then I wouldn't fancy going through and editing 500 lines for machine names and separate passwords.

I gave a VB script example above. 1 script, 1 GPO in Active Directory... and boom, 500 computers get the script and execute it.

 

You can do a few things that would make it tough for someone to get the password if they were browsing and find something out in the open. 

 

There are a few ways to encrypt your scripts so that your password isn't in the open. With KiXtart you can do what is known as tokenizing; you can use Resource Hacker to compile your script so the info isn't readily available; you can encrypt with Microsoft Script Encoder; you could simply obscure the batch file by making it an exe, which would require someone with a good understanding of what is going on to think about it. As always, you do not want to keep this active for a long period of time. As with anything, the encryption used is only a way to keep it safe for a short period of time. Put it on and get it off as quickly as possible.

  On 24/04/2014 at 15:53, AStaley said:

You can also do it through GP Preferences I believe, I've not tried this. Within GP Management Editor expand Computer Configuration > Control Panel Settings > Local Users and Groups and right-click for New Local User. Leave the action as Update and select Administrator (Built-in), then update the password fields and deploy. At least this is where it is in 2008 R2; I've not set up a test environment yet for 2012 R2.

 

How we do it at work.  We have to change the admin passwords when an IT employee leaves the company.  Works great.

"How would you go about creating a script for say 500 people"

 

Well, how I did it was to leverage Excel: copy and paste into columns. Simple enough to dump the computer list from your domain and paste it into Excel; plenty of tools to generate lists of passwords, paste those into Excel, then just use something like

 

=CONCATENATE(A1," ",B1,C1," ",D1," ",E1) to put it together, then just copy-paste that into a text editor and save as .bat or .cmd, and bing bang zoom, done. If it takes you more than 2 minutes to generate such a file, you're doing it wrong ;)

 

 
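The same per-machine batch BudMan builds in Excel, generated by script instead, as an added example that is not from the thread: it reads a computer list, draws a unique random password for each computer, writes the computer-to-password map to a separate file (the copy for the vault), and emits one pspasswd line per machine with output appended to a log so off or failed machines can be found afterwards. It assumes PowerShell 3 or later, PsPasswd.exe on the PATH, a constructed computers.txt with one hostname per line, and that the account running the batch is already a local admin on each machine (so no -u/-p is needed).

```powershell
# Added example, not from the thread: generate a per-machine pspasswd batch with unique passwords.
# Assumptions: PowerShell 3+, PsPasswd.exe on the PATH, computers.txt = one hostname per line,
# and the running account is already a local admin on every target (no -u/-p on the command line).
$computers = Get-Content -Path '.\computers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# 64-character alphabet: 256 is a multiple of 64, so (byte % 64) picks characters without bias.
# Ambiguous glyphs (I, l, O, 0, 1) and characters cmd.exe treats specially (% ^ & < > | ! " space)
# are left out, and '-' is excluded so pspasswd cannot mistake a password for a switch.
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#+=?@$*~'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function New-RandomPassword([int]$Length = 16) {
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$entries = foreach ($c in $computers) {
    [pscustomobject]@{ Computer = $c; Password = (New-RandomPassword) }
}

# The computer -> password map lives in its own file, apart from the batch that gets run:
# this is the copy to print for the vault or keep on the admin-only share, as the post above says.
$entries | Export-Csv -Path '.\local-admin-passwords.csv' -NoTypeInformation

# One pspasswd line per machine; output is appended to a log so the "RPC server is unavailable"
# (machine off) and "Error changing password" cases are listed afterwards.
$batch = @('@echo off')
$batch += $entries | ForEach-Object {
    "echo ==== $($_.Computer) >> pspasswd.log"
    "pspasswd \\$($_.Computer) administrator $($_.Password) >> pspasswd.log 2>&1"
}
Set-Content -Path '.\set-local-admin.cmd' -Value $batch -Encoding Ascii
Write-Host "Wrote $($entries.Count) pspasswd commands to set-local-admin.cmd"
```

Restrict NTFS permissions on both output files to the admins who need them before running the batch, and delete or archive them once the passwords are in the vault.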

Nice solution, I was thinking it would be more complicated. I had it in my mind that there would be two text files, one for passwords and another for computers, and then some form of recursive command line to run through the files.
