Change Local Admin Pwd?



  • I need to change the local admin password at two sites on around 10 PCs per site.

    The GPP option no longer is available, free tools fail.

    I'm looking at some type of scripted solution I can run that will also provide me with a Success or Failed message as well, no point running a script if you're not sure it worked.

    Clients are W7 & W10.

    Anyone have any suggestions?



  • No RMM Software? like Screen Connect? (Can always push it via GPO Software Deployment and have full access)

    Do you have WMIC access to those PCs?

    Can you remote execute powershell?

    Can you set logon scripts with GPO?

    The above questions are more about asking if you have confirmed access, not whether your task will work. I can give you commands to do what you want through any of the above means, if you have access.

    If the free utilities don't work, you may not have these items enabled:
    Remote Admin Through Firewall (netsh firewall set service RemoteAdmin enable)
    WMI (netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135)

    Tell us a little more about how you plan to send commands to those PCs. I know you wanted GPO, but if that is not available, we'll have to find another way.

    I've never met a Windows PC that couldn't be made manageable via remote commands, some are very trying, but all can be overcome.



  • @JasGot said in Change Local Admin Pwd?:

    No RMM Software? like Screen Connect? (Can always push it via GPO Software Deployment and have full access)

    Do you have WMIC access to those PCs?

    Can you remote execute powershell?

    Can you set logon scripts with GPO?

    The above questions are more about asking if you have confirmed access, not whether your task will work. I can give you commands to do what you want through any of the above means, if you have access.

    If the free utilities don't work, you may not have these items enabled:
    Remote Admin Through Firewall (netsh firewall set service RemoteAdmin enable)
    WMI (netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135)

    Tell us a little more about how you plan to send commands to those PCs. I know you wanted GPO, but if that is not available, we'll have to find another way.

    I've never met a Windows PC that couldn't be made manageable via remote commands, some are very trying, but all can be overcome.

    I've tried another free GUI tool and had more success, but I still received the dreaded 'RPC server is unavailable' error, which I'm guessing is due to the local Windows firewall.

    In answer to these:
    Do you have WMIC access to those PCs?
    ? How can I find out?
    Can you remote execute powershell?
    I'm not sure, but I'm guessing on the W7 clients I can, but on the W10 clients possibly not.
    Can you set logon scripts with GPO?
    Yes.

    Thanks for any help.



  • I'd either deploy LAPS via GP or, if you have an RMM, deploy a script that performs this task.



  • @siringo said in Change Local Admin Pwd?:

    Thanks for any help.

    Do you know that your domain admin account can login?

    Have you tried Intelliadmin?



  • @siringo said in Change Local Admin Pwd?:

    ? How can I find out?

    Post the answer to this command from an elevated cmd prompt:

    wmic /NODE:"servername or IP Address" /USER:"yourdomain\administrator" OS GET Name

    It will prompt you for the password.



  • @JasGot said in Change Local Admin Pwd?:

    @siringo said in Change Local Admin Pwd?:

    Thanks for any help.

    Do you know that your domain admin account can login?
    Yep it can log onto/into all domain PCs.

    Have you tried Intelliadmin?
    No. I do have Teamviewer though.



  • @JasGot said in Change Local Admin Pwd?:

    @siringo said in Change Local Admin Pwd?:

    ? How can I find out?

    Post the answer to this command from an elevated cmd prompt:

    wmic /NODE:"servername or IP Address" /USER:"yourdomain\administrator" OS GET Name

    It will prompt you for the password.

    I ran that on one of the remote PCs and yes it did prompt for a password. Was that what you were after?



  • @siringo : If you have teamviewer, why not run this from the command line backend?

    net user adminUserName password
    

    You only have approximately 20 computers so it shouldn't take more than a few minutes.

    If you have to create a new admin account :

    net user adminUserName password /add
    net localgroup administrators adminUserName /add


  • @siringo said in Change Local Admin Pwd?:

    I ran that on one of the remote PCs and yes it did prompt for a password. Was that what you were after?

    Did you give it the password? Did it correctly respond with the os?



  • @manxam said in Change Local Admin Pwd?:

    @siringo : If you have teamviewer, why not run this from the command line backend?

    net user adminUserName password
    

    You only have approximately 20 computers so it shouldn't take more than a few minutes.

    If you have to create a new admin account :

    net user adminUserName password /add
    net localgroup administrators adminUserName /add
    

    This will do it.



  • @manxam said in Change Local Admin Pwd?:

    @siringo : If you have teamviewer, why not run this from the command line backend?

    net user adminUserName password
    

    You only have approximately 20 computers so it shouldn't take more than a few minutes.

    If you have to create a new admin account :

    net user adminUserName password /add
    net localgroup administrators adminUserName /add
    

    Sorry, what's the command line backend? I'm running TV v10. AFAIK I have to log into each PC, run CMD type in the command and log off.

    I was hoping for something a little less laborious.



  • @siringo said in Change Local Admin Pwd?:

    Sorry, what's the command line backend?

    If you are more familiar with GPO, set a STARTUP script (Not a logon script) (startup and shutdown scripts run with system privileges) to run those two commands: net user and net localgroup, then reboot (or wait for reboot) the PC.



  • Thanks for the help fellas, I'll throw some brain power behind it and see what I end up with.



  • @siringo said in Change Local Admin Pwd?:

    I was hoping for something a little less laborious.

    Most RMMs have the ability to run a command without logging into the GUI. I haven't used TV but just assumed that it would offer this as well. I could be wrong...



  • @manxam said in Change Local Admin Pwd?:

    @siringo said in Change Local Admin Pwd?:

    I was hoping for something a little less laborious.

    Most RMMs have the ability to run a command without logging into the GUI. I haven't used TV but just assumed that it would offer this as well. I could be wrong...

    AFAIK it doesn't, but it might. ScreenConnect, MeshCentral, Salt, etc. all do.



  • That's one of the most important features of tools like that. We use it as much as the remote screen access.



  • @scottalanmiller said in Change Local Admin Pwd?:

    That's one of the most important features of tools like that. We use it as much as the remote screen access.

    Agreed!



  • @siringo

    saltstack, best CM with windows support



  • @Emad-R said in Change Local Admin Pwd?:

    @siringo

    saltstack, best CM with windows support

    Just spent 6 seconds looking at the web site, looks too complex for my needs. Too many big scary buzzwords.



  • @siringo said in Change Local Admin Pwd?:

    @Emad-R said in Change Local Admin Pwd?:

    @siringo

    saltstack, best CM with windows support

    Just spent 6 seconds looking at the web site, looks too complex for my needs. Too many big scary buzzwords.

    https://www.mangolassi.it/topic/19681/creating-a-salt-master-on-fedora-30



  • @siringo said in Change Local Admin Pwd?:

    @Emad-R said in Change Local Admin Pwd?:

    @siringo

    saltstack, best CM with windows support

    Just spent 6 seconds looking at the web site, looks too complex for my needs. Too many big scary buzzwords.

    SS can do a lot. It can also be a simple way to run remote commands 🙂



  • Can you use the net user command via bat file, deployed using group policy startup script?



  • @wrx7m said in Change Local Admin Pwd?:

    Can you use the net user command via bat file, deployed using group policy startup script?

    That looks familiar.



  • @siringo

    I felt the same at SS, but do you want to always look for tools or do you want one tool that can do everything, think about that and listen to this while you do

    Youtube Video



  • @siringo said in Change Local Admin Pwd?:

    @Emad-R said in Change Local Admin Pwd?:

    @siringo

    saltstack, best CM with windows support

    Just spent 6 seconds looking at the web site, looks too complex for my needs. Too many big scary buzzwords.

    After you have installed and configured the initial setup for the salt-master and salt-minion, it's somewhat pretty straightforward.

    Create your adminuserpass.ps1 file in /srv/salt/ with something like this within the file

    $AdminPlainPass = "Whos-Your-Daddy1"
    $AdminSecurePass = $AdminPlainPass | ConvertTo-SecureString -AsPlainText -Force
    
    Set-LocalUser -Name 'adminuser' -Password $AdminSecurePass
    

    Create your adminuserpass.sls file in /srv/salt/ with something like this within the file

    adminuserpass:
      cmd.script:
        - source: salt://adminuserpass.ps1
        - shell: powershell
        - env:
          - ExecutionPolicy: "bypass"
    

    Run the salt command with something like this.

    salt 'saltminion-host' state.apply adminuserpass
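
Added example, not part of the post above and not any poster's code: a PowerShell sketch of the scripted change with a per-host Success/Failed result that the original question asked for. It assumes WinRM is reachable on the targets and a domain account with local admin rights; `computers.txt` and the report path are hypothetical names, and `adminuser` is the account name from the post above.

```powershell
# Added example: rotate one local account's password on a list of PCs and
# record Success/Failed per host. Assumes WinRM is reachable on the targets
# and the operator is a domain account with local admin rights on them.
param(
    [string]$ListPath    = '.\computers.txt',          # hypothetical: one hostname per line
    [string]$AccountName = 'adminuser',                # account name used in the post above
    [string]$ReportPath  = '.\pwd-change-report.csv'   # hypothetical output file
)

# Prompt instead of hardcoding, so the password never sits in a script file.
$newPass = Read-Host -Prompt "New password for $AccountName" -AsSecureString
$cred    = New-Object System.Management.Automation.PSCredential($AccountName, $newPass)

# Runs on each target. Uses the ADSI WinNT provider rather than Set-LocalUser,
# because Set-LocalUser needs PowerShell 5.1 and Windows 7 ships with 2.0.
$remote = {
    param($c)
    try {
        $path = "WinNT://$env:COMPUTERNAME/$($c.UserName),user"
        ([ADSI]$path).SetPassword($c.GetNetworkCredential().Password)
        # Re-bind and read PasswordAge (seconds) to confirm the change landed.
        $age = [int]([ADSI]$path).PasswordAge.Value
        if ($age -lt 120) { 'Success' } else { "Failed: PasswordAge is $age s" }
    } catch {
        "Failed: $($_.Exception.Message)"
    }
}

$report = foreach ($pc in Get-Content $ListPath | Where-Object { $_.Trim() }) {
    try {
        $status = Invoke-Command -ComputerName $pc -ScriptBlock $remote `
                                 -ArgumentList $cred -ErrorAction Stop
    } catch {
        # Connection-level failure: host offline, WinRM blocked, access denied.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $pc; Status = [string]$status; Time = Get-Date }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

The same password on every PC means one recovered hash unlocks all of them, which is the problem LAPS addresses by giving each machine its own.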


  • Hey thanks for all the help everyone, it is greatly appreciated.

    I've decided to go with LAPS as this is part of an overall 'let's tighten up security' project I've got going and my thoughts were, you can't go wrong if you go with the Vendor's recommendation.

    I'm distributing the LAPS client software via Startup GPO which is working well ATM. Half way through the setup, but have stopped coz the weekend started.

    I'll take a look at Salt as I need to broaden my horizons.

    Thanks again folks.
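
Added example, not part of the post above: one way to check a half-finished LAPS rollout is to ask Active Directory which computers have already stored a password expiry. It assumes the legacy Microsoft LAPS schema attribute `ms-Mcs-AdmPwdExpirationTime` and the RSAT ActiveDirectory module; the OU path is a placeholder.

```powershell
# Added example: report which computers have checked in a LAPS-managed password.
# Assumes legacy Microsoft LAPS (AdmPwd schema extension) and the RSAT
# ActiveDirectory module. Reads only the expiry attribute, never the password.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$attr       = 'ms-Mcs-AdmPwdExpirationTime'
$nowUtc     = (Get-Date).ToUniversalTime()

$report = Get-ADComputer -SearchBase $searchBase -Filter * -Properties $attr |
    ForEach-Object {
        $raw = $_.$attr
        if (-not $raw) {
            # Client-side extension not installed, GPO not applied, or the
            # computer lacks write permission on its own LAPS attributes.
            $state   = 'NoPasswordStored'
            $expires = $null
        } else {
            # The attribute holds a Windows FILETIME (100 ns ticks since 1601, UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $nowUtc) { 'Expired' } else { 'Managed' }
        }
        [pscustomobject]@{ Computer = $_.Name; State = $state; ExpiresUtc = $expires }
    }

$report | Sort-Object State, Computer | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count
```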



  • @siringo said in Change Local Admin Pwd?:

    Hey thanks for all the help everyone, it is greatly appreciated.

    I've decided to go with LAPS as this is part of an overall 'let's tighten up security' project I've got going and my thoughts were, you can't go wrong if you go with the Vendor's recommendation.

    I'm distributing the LAPS client software via Startup GPO which is working well ATM. Half way through the setup, but have stopped coz the weekend started.

    I'll take a look at Salt as I need to broaden my horizons.

    Thanks again folks.

    Fyi, to deploy to clients you just need to copy the dll and register it with regsvr32. But good thing you're not trying to deploy it with GP's software installation features.



  • @flaxking said in Change Local Admin Pwd?:

    Fyi, to deploy to clients you just need to copy the dll and register it with regsvr32. But good thing you're not trying to deploy it with GP's software installation features.

    What's wrong with using GP software deployment for LAPS? This has always been my method using their msi and I've never experienced an issue.



  • @manxam said in Change Local Admin Pwd?:

    @flaxking said in Change Local Admin Pwd?:

    Fyi, to deploy to clients you just need to copy the dll and register it with regsvr32. But good thing you're not trying to deploy it with GP's software installation features.

    What's wrong with using GP software deployment for LAPS? This has always been my method using their msi and I've never experienced an issue.

    I've just had a lot of issues with the GP's built-in Software Installation feature, and I've heard the same from other techs. What I've seen is installations getting stuck and thus locking people out of their computer, and also it installing again even when the software was successfully installed.

    I would imagine the LAPS msi should be so small it wouldn't give many issues, but IMO GP's software installation feature should be left untouched.

