Changing Local Administrator Password on Win2000/XP machines
Novell Cool Solutions: Tip
Updated: 14 Feb 2007
Larry B. wrote: I have a small network of about 70 W2K and XP machines. They are in a Workgroup and not in an NT or AD domain. We recently had a person who was terminated and the question was did he know the local admin account password. Luckily he didn't, but I then wondered if there is a way within ZENworks (I have ZENworks 4.01 and N/W 6.0 SP4) that I can change the Local Administrator's password so I don't have to personally visit each machine. If so, can you give some examples? Thanks.
The secret is... NET USER.
This site, http://www.ithowto.com/zenworks/netmgt.htm, has a very good example of how this command can be, um... used.
Anyone out there got any other suggestions? Fire when ready.
- James Fraser
- Gilles Normandeau
- Matthew Pierce
- Paul Pedron
- Mike Garcia
- David M. Lange
- Kris Smith
- Joseph Sears
- David Hamel
- Tony Pedretti
- John Klein
- Eric Ho
- Chris Graham
- Klaus Arpe
- James Quinn
- Christopher Farkas
I created a workstation policy package for all our student stations that runs "net user username password /active" on system startup. This package is associated to all some of our student stations to activate and set a password on an account or image that is by default inactive. Works like a charm.
Here is a script we ran in the "Run After Distribution" area of a simple NAL object:
net user <userID> <newPassword>
echo <UserID> password was reset on %DATE% at %TIME% >>C:\Support\Applications.txt
The "Script Engine Location" is %*WinSysDir%\cmd.exe /c
The second line of the script is our way of documenting locally when a NAL object was run on a workstation.
The object is set to "Run as secure system user" in the Run Options tab and is associated with all workstations with the "Force Run" option checked off.
What we did was create a batch file with $echo off and added in the net use command. Then we created an Application object and pushed it out as secure system user. We do this about once every 3-6 months just for security's sake. Was very simple and user never knew anything was going on.
Another suggestion is this:
Get the Windows 2000 Resource kit, and grab the file cusrmgr.exe. This file is the easiest to use. I'm not sure if it works on XP (it might though as W2k and XP aren't that much different for this kind of thing.) But then you can make a batch file and then add it to a ZENworks App Object.
The batch file should probably look something like this:
cusrmgr.exe -u administrator -P [yourpasswordhere] (Without the brackets of course)
Then select the workstations or users you want to push it out to, add the app object to it/them and there you go. Works like a champ.
Or.... SysInternals.com has a product called PsPasswd that will do this in a batch file.
I have a ZENworks distribution that changes the Admin Password on the local box. This shows how to leverage ZENworks components.
New Simple Application Object called "ChngPass"
Identification | Icon
Uncheck - Show progress (if you want to deploy in stealth mode)
Distribution Options | Options
Check - Distribute Always
Reboot - Never
Run Options | Application
Path to file - %*WINSYSDIR%\NET.exe
Parameters - USER Administrator <password>
(substitute <password> w/password to be changed to.)
Check - Force run as user if application is workstation associated
Run Options | Environment
Executable security level - Run as secure system user
(this will run as system rights)
Availability | Distribution Rules
Add OS - OS version 2000/XP
We use bat2exec, by Doug Boling (available for free download all over the web, including this site) to compile our net use batch file and call it "reset.com" or something more ambiguous. Then we load the .com as a service "pwreset" or something more ambiguous with srvany.exe "Microsoft" and some registry entries.
The nice thing about this is that to change the passwords on your PCs you just push out a modified reset.com to the PCs and you changed the administrator password. Also, if some clown changes the administrator password, as soon as the PC is rebooted the password is changed back to whatever is set in the "pwreset" service.
The only drawback is that the reset.com file can only be hidden but is not secure. If you change the file extension you can open the file in a text editor and view the password. :(
Use ZENworks to push out the following:
contents of reset.bat before being changed and stored in c:\windows\system32\reset.com or c:\winnt\system32\reset.com:

net user administrator [password]

w2k registry entries:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,69,6e,6e,74,5c,53,79,73,74,65,6d,33,32,5c,53,72,\
  76,61,6e,79,2e,65,78,65,00
"DisplayName"="PWReset"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\Winnt\\System32\\reset.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Security]
"Security"=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\
  00,00,00,00,01,00,00,00,00,74,00,73,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,23,02,00,00,76,00,63,00,00,00,1c,00,ff,01,0f,00,01,\
  02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,76,00,63,00,00,00,1c,00,ff,01,\
  0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,76,00,63,00,00,00,18,\
  00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Enum]
"0"="Root\\LEGACY_PWRESET\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

winxp registry entries:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,72,00,76,\
  00,61,00,6e,00,79,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="PWReset"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Enum]
"0"="Root\\LEGACY_PWRESET\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\windows\\System32\\reset.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Security]
"Security"=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\
  00,00,00,00,01,00,00,00,00,74,00,73,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,23,02,00,00,76,00,63,00,00,00,1c,00,ff,01,0f,00,01,\
  02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,76,00,63,00,00,00,1c,00,ff,01,\
  0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,76,00,63,00,00,00,18,\
  00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
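The two ImagePath values above are the same kind of path in two encodings (ANSI bytes in the REGEDIT4 file, UTF-16LE in the version 5.00 file). As an added example, not part of the original tip, this Python code parses both layouts and reports each srvany-wrapped service with the account it runs as and the file it launches, which is the file whose permissions need checking. The samples are excerpts of the entries above; the function names are illustrative.

```python
import re

# Excerpts of the two exports above (only the values used here are kept).
W2K_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Start"=dword:00000002
"ImagePath"=hex(2):43,3a,5c,57,69,6e,6e,74,5c,53,79,73,74,65,6d,33,32,5c,53,72,\
  76,61,6e,79,2e,65,78,65,00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\Winnt\\System32\\reset.com"
"""
XP_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,72,00,76,\
  00,61,00,6e,00,79,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\windows\\System32\\reset.com"
"""

def decode_value(raw, utf16):
    # Right-hand side of a .reg assignment -> Python value.
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ written as raw bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le" if utf16 else "cp1252").rstrip("\x00")
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw

def parse_reg(text):
    # REGEDIT4 files hold ANSI strings; version 5.00 files hold UTF-16LE.
    utf16 = not text.lstrip().startswith("REGEDIT4")
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            current[name.strip('"')] = decode_value(raw, utf16)
    return keys

def srvany_services(keys):
    # Services whose ImagePath is srvany.exe, with the program each one launches.
    found = []
    for path, vals in keys.items():
        image = str(vals.get("ImagePath", ""))
        if image.lower().endswith("srvany.exe"):
            params = keys.get(path + "\\Parameters", {})
            found.append({"service": path.rsplit("\\", 1)[-1], "image": image,
                          "account": vals.get("ObjectName"),
                          "autostart": vals.get("Start") == 2,  # 2 = automatic
                          "application": params.get("Application")})
    return found

if __name__ == "__main__":
    for sample in (W2K_REG, XP_REG):
        print(srvany_services(parse_reg(sample)))
```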
In your article you say:
The secret is... NET USE.
You should have said:
The secret is... NET USER. (Thanks! Corrected.)
We use this trick to change the Administrator password on over 2000 WinXP and Win2k PCs on a routine basis at least once per month - more often if someone who likely knew the password (a technician or administrator) leaves our employment.
Create a simple application, associated to all users and all workstations (just to make sure).
Under the Run Options/Application tab:
- The path to file is %SystemRoot%\SYSTEM32\NET.EXE
- The parameters are USER Administrator NewPassword
- Run application once is selected
Then every month we simply edit the application to reflect our newly selected password and change the version number in the options tab. Next time ZENworks refreshes, the password is changed.
As the password needs to be in clear text, it causes an obvious security issue if users can see this command. However, if you use a workstation-associated NalApp to run a script and put the script file on the network, only the workstations need access to the script and users can't read the new password.
I like Mike Garcia's idea. We would write a PERL script and compile it so it could not be read in a text editor.
The Net User command can certainly accomplish the job from within a batch file. As one person noted, this does leave the security of the file in question. Locking access to the file down by workstation rights is one way to keep it safe. Another is to use a product such as Winbatch + Compiler which can be used to move your new password out of a readable mode.
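The concern raised in the tips above (a cleartext password in a batch file, or in a renamed or wrapped file that still opens in a text editor) can be checked on your own distribution share. This added example, which is not part of the original tips, pulls printable strings out of any file's bytes and flags the password-setting commands used on this page, reporting only the account and the secret's length. The sample bytes and passwords are constructed, and the function names are illustrative.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind account secret_len")

# Printable runs, as the `strings` utility extracts them (ASCII and UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

TOKEN = r'("[^"]*"|\S+)'
# The password-setting idioms that appear in the tips on this page.
RULES = [
    ("net user", re.compile(r"\bnet(?:\.exe)?\s+user\s+" + TOKEN + r"\s+" + TOKEN, re.I)),
    ("pspasswd", re.compile(r"\bpspasswd(?:\.exe)?\s+" + TOKEN + r"\s+" + TOKEN, re.I)),
    ("cusrmgr", re.compile(r"(?i:\bcusrmgr(?:\.exe)?)\s+-u\s+" + TOKEN + r"\s+-P\s+" + TOKEN)),
    ("SetPassword", re.compile(r'()\.SetPassword\s*\(?\s*"([^"]*)"', re.I)),
]


def printable_strings(data):
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_embedded_passwords(data):
    """Return findings without echoing the secret itself (length only)."""
    findings = []
    for text in printable_strings(data):
        for kind, rule in RULES:
            for m in rule.finditer(text):
                account, secret = (g.strip('"') for g in m.groups())
                # A switch (/active, /add) or "*" (prompt) is not a password.
                if secret and secret != "*" and not secret.startswith("/"):
                    findings.append(Finding(kind, account, len(secret)))
    return findings


# Constructed samples (not real files): a batch file, a stand-in for a
# batch-to-.com wrapper with binary bytes around the command, a UTF-16LE
# .vbs, and a batch file that sets no password.
SAMPLES = {
    "reset.bat": b"@echo off\r\nnet user Administrator Example-Pw-1\r\n",
    "reset.com": b"\xeb\x2e\x90\x00\xb4\x4c\xcd\x21"
                 b"net user administrator Example-Pw-22\x00\xcd\x20\xff",
    "fileB.vbs": 'objUser.SetPassword "Example-Pw-333"\r\n'.encode("utf-16-le"),
    "enable.bat": b"net user labuser /active\r\nnet user Administrator *\r\n",
}


def audit(samples):
    return {name: find_embedded_passwords(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, hits or "no embedded password found")
```

A script that builds the password from a variable, as one of the later tips does, is not matched by these rules, so a clean result is not proof that a file holds no secret.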
Using a ZENworks custom policy setup in an Unsecure system context/impersonation associated via workstation objects, this can be done both silently and securely. The policy calls wscript.exe from the local workstation passing a Windows script file (.vbs) stored on a network path where only the workstation objects/containers have access and can be executed during user login.
The .vbs file contains text similar to the following. You may need to adjust for your environment.
'BEGINNING OF FILE
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
strCOMPUTERNAME = WshNetwork.ComputerName
Set objComputer = GetObject("WinNT://" & strCOMPUTERNAME & ",computer")

'Turns error processing on, disables error prompts in the interface and allows the script to continue
On Error Resume Next

' try to connect to user object to see if account is a local user
Set objUser = objComputer.GetObject("user", "EnterUserObjectNameHere")

' local user exists
If Err.Number = 0 Then
    On Error Goto 0
    objUser.SetPassword "EnterUserObjectPasswordHere"
    'Set account so its not disabled
    objuser.accountdisabled = FALSE
    'Set Password so it doesn't expire
    lngUF = objUser.Get("userFlags")
    lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userFlags", lngUF
    'Activate the above settings
    objUser.SetInfo
'local user does not exist
Else
    On Error Goto 0
    'Create account and populate account info
    Set objUser = objComputer.Create("user", "EnterUserObjectNameHere")
    objUser.SetInfo
    objUser.FullName = "Enter user's full name here"
    objUser.Description = "Enter user object's description here"
    objUser.SetPassword "EnterUserObjectPasswordHere"
    'Set Password so it doesn't expire
    lngUF = objUser.Get("userFlags")
    lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userFlags", lngUF
    'Activate the above settings
    objUser.SetInfo
    'Add account to Administrators group
    Set objGroup = GetObject("WinNT://" & strCOMPUTERNAME & "/Administrators,group")
    objGroup.Add(objUser.ADsPath)
End If

'Clears any error numbers returned from above lines
Err.Clear
'END OF FILE
Chicago, IL USA
Tony Pedretti's script (above) has a little error:
ADS_UF_DONT_EXPIRE_PASSWD is nowhere defined and so the line:
lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
doesn't change anything and the password still expires.
Somewhere in the beginning of the script there should be a:
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
and the script will work fine.
In regards to the discussion about setting the administrator password for a Windows machine. There are a number of utilities that will obscure the password so that it isn't in clear text.
One is chWinpw. The chWinpw executable uses an encryption key to decrypt the obscured password passed on the command line.
Here is the sample's way with a little script and ZENworks Workstation policy.
1. Create two files, fileA.bat and fileB.vbs. Put them somewhere in server vol#.

-fileA:
echo off
\\serverName\Vol?\location-of-fileB.vbs(UNC)

-fileB:
Set objNetwork = CreateObject("Wscript.Network")
'Returning a local computer name
strComputer = objNetwork.ComputerName
'Pass the local computer name to strComputer
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
'Change the administrator password.
objUser.SetPassword "newPassword"
2. Create a Workstation Package.
-Create a Workstation Package "HelloAdmin WK Package". Run Event:System Start Up
-Under Windows XP tab(NT-2000-XP, with multi platforms), create a policy "Admin101"
-Add action \\serverName\Vol?\location-of-fileA.bat(UNC); Working Directory: C:\Windows\system32; Policy Schedule: Default Package Schedule(System Start Up).
3. Associate "HelloAdmin WK Package" to target workstations.
- The location of both files should be somewhere in server volume where the workstation object has Read and File Scan rights. Do not map the user to the file location and do not make the file name too obvious (administrator password is within the vbs file). Users do not need any right to see the files.
- You must use the UNC path, because the package and policy schedule are set to System Start Up.
- It's a little bit more advanced than using Application Launch. Administrator password will be changed after the ZENworks policy services startup (computer startup) and before the user signs on.
- Drawback: if the workstation is not imported properly or not imported at all, the password will not be able to change. Also, if the workstation has trouble restarting, or users never restart workstations, the password will not be changed. In such cases, modify the script run through your subnet mask(IP).
Using a NAL app, we utilize the Pre-launch script to place a vbs script in the user's temp directory. The vbs script contains the code to change the password for the local administrator account. We rename our administrator account, but to catch any that have not been changed, I also look for the account "administrator" as well. We utilize the prelaunch script so that the new password is not located in a file anywhere on the network where someone could stumble upon it. We also use Faronics' DeepFreeze application on some of our computers, so this allows us to thaw and Freeze these machines in the process. The script that changes the password also creates a file on the hard drive that we use for a file existence availability as well as for delaying the cleanup of files until the script has completed.
We then set the application to run as unsecure system user. Set the path to wscript.exe and the parameters to "%temp%\<scriptname>.vbs" (quotes included).
Then utilize the Run After Termination script to clean up the files left behind.
Run before Launching:
set oFso = createobject("scripting.filesystemobject")
set oShell = createobject("wscript.shell")
'***************************************
sNewPassword = "<new password>"
sChangeDate = "Nov-06"
' NOTE: DON'T FORGET TO ALTER sChangeDate IN TERMINATION SCRIPT
' ALSO DON'T FORGET TO ALTER FILE EXISTENCE IN AVAILABILITY TAB
'***************************************
sPath = oShell.environment("process")("temp") & "\"
'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
' Check for DF
'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ForWrite = 2
sCheckDF = "cmd.exe /c " & chr(34) & sPath & "df.bat" & chr(34)
'=========== Thaw if DF =============
if oFso.fileexists ("c:\progra~1\faronics\deepfr~1\instal~1\df5serv.exe") = true then
    set sFile = oFso.opentextfile(sPath & "df.bat", 2, true)
    with sFile
        .writeline "<path to dfc.exe> get /isfrozen"
        .writeline "echo %errorlevel% > " & chr(34) & sPath & "thawed.txt" & chr(34)
        .close
    end with
    oShell.run sCheckDF
    do until oFso.fileexists(sPath & "thawed.txt")
        wscript.sleep 500
    loop
    wscript.sleep 500
    set sFile = oFso.opentextfile(sPath & "thawed.txt", 1, true)
    sState = sFile.readline
    if sState = 1 then
        oShell.run "<path to dfc.exe> <df password> /BOOTTHAWED"
    end if
    sFile.close
end if
'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
' Create vbs to Change password
'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
set sFile = oFso.opentextfile(sPath & "<script name>", 2, true)
with sFile
    .writeline "set oFso = createobject(" & chr(34) & "scripting.filesystemobject" & chr(34) & ")"
    .writeline "set oShell = createobject(" & chr(34) & "wscript.shell" & chr(34) & ")"
    .writeline "set oNet = createobject(" & chr(34) & "wscript.network" & chr(34) & ")"
    .writeline "sPC = oNet.computername"
    .writeline "sPassword = " & chr(34) & sNewPassword & chr(34)
    .writeline "set oDom = getobject(" & chr(34) & "WinNT://" & chr(34) & " & sPC & " _
        & chr(34) & "/Administrators" & chr(34) & ")"
    .writeline ""
    .writeline "for each user in oDom.members"
    .writeline " if lcase(user.name) = " & chr(34) & "<renamed admin account>" & chr(34) & " then"
    .writeline " user.setpassword sPassword"
    .writeline " else"
    .writeline " if lcase(user.name) = " & chr(34) & "administrator" & chr(34) & " then"
    .writeline " user.setpassword sPassword"
    .writeline " end if"
    .writeline " end if"
    .writeline "next"
    .writeline "if oFso.folderexists(" & chr(34) & "c:\INSREF" & chr(34) & ") = false then"
    .writeline " set oDir = oFso.createfolder(" & chr(34) & "c:\INSREF" & chr(34) & ")"
    .writeline "end if"
    .writeline "sPath = " & chr(34) & "c:\password - " & sChangeDate & ".txt" & chr(34)
    .writeline "set sDone = oFso.opentextfile(sPath, 2, true)"
    .writeline "sDone.close"
end with
sFile.close

Run after Termination:

set oFso = createobject("scripting.filesystemobject")
set oShell = createobject("wscript.shell")
set oNet = createobject("wscript.network")
'***************************************
sChangeDate = "Nov-06"
'***************************************
sPath = oShell.environment("process")("temp") & "\"
do until oFso.fileexists("c:\password - " & sChangeDate & ".txt") = true
    wscript.sleep 500
loop
wscript.sleep 2000
oFso.deletefile sPath & "<script name>"
do until oFso.fileexists(sPath & "<script name>") = false
    wscript.sleep 500
loop
'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Freeze if DF !!!!!!!!!!!!!!!!!!!!!!!!!!!!
if oFso.fileexists ("c:\progra~1\faronics\deepfr~1\instal~1\df5serv.exe") = true then
    sFreeze = """<CN of DF App>.<OU>.<O>"""
    wscript.sleep 1000
    oShell.run "NALwin32 /A=" & sFreeze
end if
I used an automate script to change the password on local machines; I have included the script for anyone to use. You will need AutoIt and Sysinternals passwd.exe.
I did it using the login script -- just made an executable out of the script and dropped it into everyone's login.
Made with AutoIt version 3

;Date 1/25/07
;Author:James Quinn
;Purpose:Change local administrator password on Machines
;Other notes:none
;Directory create
DirCreate("C:\pspasswd")
;Create File
fileinstall("C:\pspasswd.exe", "C:\pspasswd\pspasswd.exe")
;Runas elevated user(current admin)
RunAsSet("Administrator", @ComputerName, "OldPassword")
RunWait ("C:\pspasswd\pspasswd.exe Administrator [newpassword] /accepteula")
;Delete Files
FileDelete("c:\pspasswd\pspasswd.exe")
DirRemove("C:\pspasswd")
;remove elevated rights
RunAsSet()
Exit
We (also) used the net user-command to change the password of the user.
The only thing we did was create a simple ZEN-application.
We put the following command under "Distribution Options" > "Run Before Distribution"
#net user <Name of the admin account> <New Password>
example: #net user Administrator WizzKids!
To control the distribution of the new password under "Distribution Options" > "Application Files" we also distribute a little text file, called control.txt to the root of the local harddrive.
Under "Availability" > "Distribution Rules" we put the rule that the application only runs when the control.txt doesn't exist, so it does only run once, and there's a visual control on the local system.
Next we give it a Force run and under "Common" > "Reporting" we activate the logging for successful launch and failed launch.
So after a few days we know exactly which system does have the new password.
;cmdow is a utility that hides the active DOS-screen
cmdow @ /HID
@echo off
- You can also use the little program sendemail.exe to send an e-mail to the administrator -- see this article. It's also handy to monitor the login/logout of a (admin) account!
- There is also a little program called renuser.exe. With this tool you can rename the admin account itself, just like: renuser administrator MyLovelyAdmin
- All these tools are standard in the c:\windows\system32 folder on our systems.
Seems that everyone is agreeing on the NET USER command as the fix for this.
Don't forget that you can also use "NET" to create accounts.
Follow it up with the "net localgroup" command to add/remove those accounts from GROUPS also. This works for local accounts (non AD). If you are in a Domain then just use "net group"
Syntax for adding a user/pw
net user USERNAME PASSWORD /add
To then add the user to "administrators" group (guessing we don't want a regular old JOE user)
net localgroup administrators USERNAME /add
(Note: This article also appeared in Novell Connection magazine in the May/June 2003 issue.)