Log on script

By voldar
Hello guys. I need help in a very tricky situation, and any suggestions you may have would be very much appreciated.
I have a 250-computer network. I have AD, DHCP and DNS installed. I want to change the local administrator password (on each computer) but I don't want to do that by going to each user's place. I want to do that by using a script policy applied at the machine level. The problem is that I am not that good at scripting, and I wonder if you may help me with detailed solutions to do that. I thank you a lot and am waiting for your suggestions.


by Joseph Moore In reply to Log on script

Well, try this.
First, write a BAT file (call it PASSWORD.BAT) and have it contain the following:

NET USER ADMINISTRATOR "your password here"

Save it on a domain controller.
Now, open Group Policy, choose your Default policy.
Expand Computer Configuration -> Windows Settings -> Scripts ->Startup.

Double-click on Startup, and ADD your BAT file to it.

Ok. Click OK to save the change, and that should be it.

Now when a machine starts up, it will pull the default group policy, which will load the BAT file and run it with System rights. That will be enough rights for it to modify the local machine Administrator password, setting it to whatever you put in the BAT file.

Hope this helps.

by voldar In reply to

Poster rated this answer.
It really helped me .. thanks a lot!


by lumberjack In reply to Log on script

There are 3 basic steps:

1a. Check existing local admin groups to ensure that the local Administrators group is 'clean'. Some users may have added their own ID into the local admins (who would do such a thing?), or there may be NT global groups that shouldn't be there.
1b. Remove unauthorised users or groups.
2. Prepare batch files to apply the new admin password.
3. Apply the new password (may take some weeks to capture all workstations).


Stage 1 - Check Local Administrators group
1. Create the following batch file (localgrp.bat) to be called from each user's logon script. This will provide a log of the local administrators group on each NT workstation. NB Do not send the output to a single file, it cannot handle multiple logons at the same time.

NB xxxxxxx is a central server location to place the collected data

@ECHO OFF
rem Next line prevents duplicates: skip if this computer has already reported
IF EXIST xxxxxxx\%COMPUTERNAME%.LGP GOTO END
rem -------------------------------------------
rem Only execute if this is an NT machine (any one of these checks is enough)
IF "%OS%"=="Windows_NT" GOTO NT
IF "%windir%"=="C:\WINNT" GOTO NT
IF "%windir%"=="C:\WINNT.000" GOTO NT
IF "%SYSTEM32%"=="SYSTEM32" GOTO NT
GOTO END
rem -------------------------------------------
:NT
rem Record who logged on and where, then append the local Administrators membership
ECHO Userid: %USERNAME% Computername: %COMPUTERNAME% >xxxxxxx\%COMPUTERNAME%.LGP
NET LOCALGROUP Administrators >> xxxxxxx\%COMPUTERNAME%.LGP
:END
2. Run the above for approx. 3 weeks to capture most workstations.
3. Review each .LGP file, checking for the following:
- Any users/groups that should not be in the local admins group on the workstation.
- Ensure that the Domain Admins group is always shown.
NB An alternative tool for obtaining the above information is the NT Resource Kit utility 'showmbrs'. You need to execute SHOWMBRS cccccccc\Administrators, where cccccccc is the Computername for each NT workstation.

The rest will be on the following comment - otherwise it would have been truncated!
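Stage 1 step 3 (reviewing the collected .LGP files) is the detection step of this procedure, and it can be automated. The following is an added example, not code from the thread: it parses one file in the format localgrp.bat writes (the ECHO header line followed by NET LOCALGROUP output) and flags members outside an assumed baseline and required groups that are absent. The CORP domain, the WS0042 sample file and the BASELINE/REQUIRED sets are constructed assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of one collected .LGP file: the header written by the
# ECHO line in localgrp.bat, followed by NET LOCALGROUP Administrators output.
SAMPLE_LGP = """Userid: jsmith Computername: WS0042
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

# Assumed baseline for a workstation's local Administrators group; adjust to
# the domain's own names. Domain Admins must always be present (step 3 above).
BASELINE: Set[str] = {"Administrator", "CORP\\Domain Admins"}
REQUIRED: Set[str] = {"CORP\\Domain Admins"}


def parse_lgp(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({'userid':..., 'computername':...}, [member, ...]) from one .LGP file."""
    lines = text.splitlines()
    header = re.match(r"Userid:\s*(\S+)\s+Computername:\s*(\S+)", lines[0])
    if not header:
        raise ValueError("missing localgrp.bat header line")
    info = {"userid": header.group(1), "computername": header.group(2)}
    members: List[str] = []
    in_members = False
    for line in lines[1:]:
        if line.startswith("----"):
            in_members = True  # NET LOCALGROUP lists members after the dashed rule
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return info, members


def review(members: List[str], baseline: Set[str] = BASELINE,
           required: Set[str] = REQUIRED) -> Dict[str, List[str]]:
    """Flag members outside the baseline and required groups that are missing."""
    return {
        "unexpected": sorted(m for m in members if m not in baseline),
        "missing": sorted(required - set(members)),
    }
```

Run it over every .LGP file in the central location; any computer with a non-empty "unexpected" or "missing" list is a candidate for step 1b.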


by lumberjack In reply to

Stage 2 - Prepare new local admin password
1. Create a list of current NT workstations. These are held on the NT computer accounts database (part of the SAM). The best way to do this is to use the NT Resource Kit utility NETDOM. Run the following:
NETDOM MEMBER >C:\TEMP\ACCOUNTS.TXT
2. Import the above text file into Microsoft Excel. Select 'Delimited' on the first screen, then 'Other \' on the 2nd screen.
3. Delete the information lines at the top of the file.
4. Delete any NT servers from the file (we don't want to update the Administrator password on our servers!).
5. Delete all columns except column C (the one listing the computer names).
6. Save the file as text-only (LOCADMIN.TXT in the example batch file below). This file should now contain a list of all known NT Workstation computer names.
7. Next, create a batch file on your workstation as follows (call it LOCADMIN.BAT). This batch file will execute an AT command for each Computername listed in LOCADMIN.TXT from the previous step.

@ECHO OFF
ECHO.
ECHO Starting AT commands for password change
ECHO.
rem One AT job per computer name in LOCADMIN.TXT; hh:mm and newpass are placeholders (see below)
FOR /F %%A IN (LOCADMIN.TXT) DO AT \\%%A hh:mm cmd /c NET USER ADMINISTRATOR newpass

Where hh:mm is the time you wish to run the AT command. The PC must be online for the command to be actioned, therefore choose a suitable time when most PCs will be switched on (e.g. mid morning or mid afternoon). newpass is the new password you want to set (must be 6 chars or more).


Comment 2 contains the final details.

by lumberjack In reply to

Stage 3 - Apply new local admin password
1. To action the password change, execute LOCADMIN.BAT from your workstation (best to run it from a command prompt).
The batch file must be run before the time specified in hh:mm.
NB You must be logged on as a Domain Administrator for the AT commands to have sufficient authority to run on the workstations. It is for this reason also that the commands cannot be run via users' logon scripts.
2. Repeat step 2 each day for approx. 3 weeks. This will enable you to capture most, if not all, workstations. You may want to schedule an additional AT command to run the LOCADMIN.BAT file from your workstation each business day.


by voldar In reply to

Thanks for the details.

by voldar In reply to Log on script

This question was closed by the author
