Novell Home

Changing Local Administrator Password on Win2000/XP machines

Novell Cool Solutions: Tip

Digg This - Slashdot This

Updated: 14 Feb 2007
 

Larry B. wrote: I have a small network of about 70 W2K and XP machines. They are in a Workgroup and not in an NT or AD domain. We recently had a person who was terminated and the question was did he know the local admin account password. Luckily he didn't, but I then wondered if there is a way with in ZENworks (I have ZENworks 4.01 and N/W 6.0 SP4) that I can change the Local Administrator's password so I don't have to personally visit each machine. If so, can you give some examples? Thanks.

The secret is... NET USER.

This site, http://www.ithowto.com/zenworks/netmgt.htm, has a very good example of how this command can be, um... used.

Anyone out there got any other suggestions? Fire when ready.

Suggestions

James Fraser

I created a workstation policy package for all our student stations that runs "net user username password /active" on system startup. This package is associated to all some of our student stations to activate and set a password on an account or image that is by default inactive. Works like a charm.

Gilles Normandeau

Here is a script we ran in the "Run After Distribution" area of a simple NAL object:

net user <userID> <newPassword> 
echo <UserID> password was reset on %DATE% at %TIME% >>C:\Support\Applications.txt 

The "Script Engine Location" is %*WinSysDir%\cmd.exe /c

The second line of the script is our way of documenting locally when a NAL object was run on a workstation.

The object is set to "Run as secure system user" in the Run Options tab and is associated with all workstations with the "Force Run" option checked off.

Matthew Pierce

What we did was create a batch file with $echo off and added in the net use command. Then we created an Application object and pushed it out as secure system user. We do this about once every 3-6 months just for security's sake. Was very simple and user never knew anything was going on.

Another suggestions is this:

Get the Windows 2000 Resource kit, and grab the file cusrmgr.exe. This file is the easiest to use. I'm not sure if it works on XP (it might though as W2k and XP aren't that much different for this kind of thing.) But then you can make a batch file and then add it to a ZENworks App Object.

The batch file should probably look something like this:

@echo off
cusrmgr.exe -u administrator -P [yourpasswordhere] (Without the brackets of course)

Then select the workstations or users you want to push it out to, add the app object to it/them and there you go. Works like a champ.

Or.... SysInternals.com has a product called PsPasswd that will do this in a batch file.

Paul Pedron

I have a ZENworks distribution that changes the Admin Password on the local box. This shows how to leverage ZENworks components.

New Simple Application Object called "ChngPass"
Identification | Icon
Uncheck - Show progress (if you want to deploy in stealth mode)

Distribution Options | Options
Check - Distribute Always
Reboot - Never

Run Options | Application;
Path to file - %*WINSYSDIR%\NET.exe
Parameters - USER Administrator <password>
(substitute <password> w/password to be changed to.)
Check - Force run as user if application is workstation associated

Run Options | Environment
Executable security level - Run as secure system user
(this will run as system rights)

Availability | Distribution Rules
Add OS - OS version 2000/XP

Mike Garcia

We use bat2exec, by Doug Boling (available for free download all over the web, including this site) to compile our net use batch file and call it "reset.com" or something more ambiguous. Then we load the .com as a service "pwreset" or something more ambiguous with srvany.exe "Microsoft" and some registry entries.

The nice thing about this is that to change the passwords on your PCs you just push out a modifed reset.com to the PCs and you changed the administrator password. Also, if some clown changes the administrator password, as soon as the PC is rebooted the password is changed back to whatever is set in the "pwreset" service.

The only drawback is that the reset.com file can only be hidden but is not secure. If you change the file extension you can open the file in a text editor and view the password. :(

Use ZENworks to push out the following:

contents of reset.bat before being changed and stored in c:\windows\system32reset.com or c:\winnt\system32\reset.com
net user administrator [password]
 
w2k registry entries:
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,69,6e,6e,74,5c,53,79,73,74,65,6d,33,32,5c,53,72,\
  76,61,6e,79,2e,65,78,65,00
"DisplayName"="PWReset"
"ObjectName"="LocalSystem"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\Winnt\\System32\\reset.com"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Security]
"Security"=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\
  00,00,00,00,01,00,00,00,00,74,00,73,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,23,02,00,00,76,00,63,00,00,00,1c,00,ff,01,0f,00,01,\
  02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,76,00,63,00,00,00,1c,00,ff,01,\
  0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,76,00,63,00,00,00,18,\
  00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Enum]
"0"="Root\\LEGACY_PWRESET\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
winxp registry entries:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,72,00,76,\
  00,61,00,6e,00,79,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="PWReset"
"ObjectName"="LocalSystem"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Enum]
"0"="Root\\LEGACY_PWRESET\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Parameters]
"Application"="C:\\windows\\System32\\reset.com"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PWReset\Security]
"Security"=hex:01,00,14,80,c0,00,00,00,cc,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,80,18,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,20,02,00,00,02,00,8c,00,05,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,\
  00,00,00,00,01,00,00,00,00,74,00,73,00,00,00,1c,00,fd,01,02,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,23,02,00,00,76,00,63,00,00,00,1c,00,ff,01,0f,00,01,\
  02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,76,00,63,00,00,00,1c,00,ff,01,\
  0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,76,00,63,00,00,00,18,\
  00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,25,02,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

David M. Lange

In your article you say:
The secret is... NET USE.

You should have said:
The secret is... NET USER. (Thanks! Corrected.)

We use this trick to change the Administrator password on over 2000 WinXP and Win2k PCs on a routine basis at least once per month - more often if someone who likely knew the password (a technician or administrator) leaves our employment.

Create a simple application, associated to all users and all workstations (just to make sure).

Under the Run Options/Application tab:

  • The path to file is %SystemRoot%\SYSTEM32\NET.EXE
  • The parameters are USER Administrator NewPassword
  • Run application once is selected

Then every month we simply edit the application to reflect our newly selected password and change the version number in the options tab. Next time ZENworks refreshes, the password is changed.

Kris Smith

As the password needs to be in clear text, it causes an obvious security issue if users can see this command. However, if you use a workstation-associated NalApp to run a script and put the script file on the network, only the workstations need access to the script and users can't read the new password.

Joseph Sears

I like Mike Garcia's idea. We would write a PERL script and compile it so it could not be read in a text editor.

David Hamel

The Net User command can certainly accomplish the job from within a batch file. As one person noted, this does leave the security of the file in question. Locking access to the file down by workstation rights is one way to keep it safe. Another is to use a product such as Winbatch + Compiler which can be used to move your new password out of a readable mode.

Tony Pedretti

Using a ZENworks custom policy setup in an Unsecure system context/impersonation associated via workstation objects, this can be done both silently and securely. The policy calls wscript.exe from the local workstation passing a Windows script file (.vbs) stored on a network path where only the workstation objects/containers have access and can be executed during user login.

The .vbs file contains text similar to the following. You may need to adjust for your environment.

'BEGININING OF FILE

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")

strCOMPUTERNAME = WshNetwork.ComputerName
Set objComputer = GetObject("WinNT://" & strCOMPUTERNAME & ",computer")

'Turns error processing on, disables error prompts in the interface and
allows the script to continue
On Error Resume Next

' try to connect to user object to see if account is a local user
Set objUser = objComputer.GetObject("user", "EnterUserObjectNameHere")

' local user exists
If Err.Number = 0 Then
	On Error Goto 0

	objUser.SetPassword "EnterUserObjectPasswordHere"

	'Set account so its not disabled
	objuser.accountdisabled = FALSE

	'Set Password so it doesn't expire
	lngUF = objUser.Get("userFlags")
	lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
	objUser.Put "userFlags", lngUF

	'Activate the above settings
	objUser.SetInfo

'local user does not exist
Else
	On Error Goto 0

	'Create account and populate account info
	Set objUser = objComputer.Create("user", "EnterUserObjectNameHere")
	objUser.SetInfo
	objUser.FullName = "Enter user's full name here"
	objUser.Description = "Enter user object's description here"
	objUser.SetPassword "EnterUserObjectPasswordHere"

	'Set Password so it doesn't expire
	lngUF = objUser.Get("userFlags")
	lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
	objUser.Put "userFlags", lngUF

	'Activate the above settings
	objUser.SetInfo

	'Add account to Administrators group
	Set objGroup = GetObject("WinNT://" & strCOMPUTERNAME & 
"/Administrators,group")
	objGroup.Add(objUser.ADsPath)
End If

'Clears any error numbers returned from above lines
Err.Clear

'END OF FILE

Tony Pedretti
LAN Engineer
Chicago, IL USA

Klaus Arpe

Tony Pedretti's script (above) has a little error:

ADS_UF_DONT_EXPIRE_PASSWD is nowhere defined and so the line:
lngUF = lngUF Or ADS_UF_DONT_EXPIRE_PASSWD
doesn't change anything and the password still expires.

Somewhere in the beginning of the script there should be a:
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
and the script will work fine.

John Klein

In regards to the discussion about setting the administrator password for a Windows machine. There are a number of utilities that will obscure the password so that it isn't in clear text.

One is chWinpw. The chWinpw executable uses an encryption key to decrypt the obscured password passed on the command line.

Eric Ho

Here is the sample's way with a little script and ZENworks Workstation policy.

1. Create two files, fileA.bat and fileB.vbs. Put them in somewhere in server vol#.

-fileA:
echo off 
\\serverName\Vol?\location-of-fileB.vbs(UNC)

-fileB:
Set objNetwork = CreateObject("Wscript.Network")
'Returning a local computer name
strComputer = objNetwork.ComputerName
'Pass the local computer name to strComputer
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")
'Change the administrator password.  
objUser.SetPassword "newPassword"

2. Create a Workstation Package.

-Create a Workstaion Package "HelloAdmin WK Package".  Run Event:System Start Up
-Under Windows XP tab(NT-2000-XP, with multi platforms), create a policy " Admin101"
-Add action \\serverName\Vol?\location-of-fileA.bat(UNC); Working Directory: C:\Windows\system32; Policy Schedule: Default Package Schedule(System Start Up).

3. Associate "HelloAdmin WK Package" to target workstations.

Mission completed.

Remarks:

  • The location of both files should be somewhere in server volume where the workstation object has Read and File Scan rights. Do not map the user to the file location and do not make the file name too obvious (administrator password is within the vbs file). Users do not need any right to see the files.
  • You must use the UNC path, because the package and policy schedule are set to System Start Up.
  • It's a little bit more advanced than using Application Launch. Administrator password will be changed after the ZENworks policy services startup (computer startup) and before the user signs on.
  • Drawback: if the workstation is not imported properly or not imported at all, the password will not be able to change. Also, if the workstation has trouble restarting, or users never restart workstations, the password will not be changed. In such cases, modify the script run through your subnet mask(IP).

Chris Graham

Using a NAL app, we utilize the Pre-launch script to place a vbs script in the user's temp directory. The vbs script contains the code to change the password for the local administrator account. We rename our administrator account, but to catch any that have not been changed, I also look for the account "administrator" as well. We utilize the prelaunch script so that the new password is not located in a file anywhere on the network where someone could stumble upon it. We also use Faronics' DeepFreeze application on some of our computers, so this allows us to thaw and Freeze these machines in the process. The script that changes the password also creates a file on the hard drive that we use for a file existence availability as well as for delaying the cleanup of files until the script has completed.

We then set the application to run as unsecure system user. Set the path to wscript.exe and the parameters to "%temp%\<scriptname>.vbs" (quotes included).

Then utilize the Run After Termination script to clean up the files left behind.

Run before Launching:

set oFso = createobject("scripting.filesystemobject")
set oShell = createobject("wscript.shell")

'***************************************

sNewPassword = "<new password>"

sChangeDate = "Nov-06"
        ' NOTE: DON'T FORGET TO ALTER sChangeDate IN TERMINATION
SCRIPT
        ' ALSO DON'T FORGET TO ALTER FILE EXISTENCE IN AVAILABILTY TAB

'***************************************

sPath = oShell.environment("process")("temp") & "\"

'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

'   Check for DF

'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ForWrite = 2
sCheckDF = "cmd.exe /c " & chr(34) & sPath & "df.bat" & chr(34)

'=========== Thaw if DF =============

if oFso.fileexists
("c:\progra~1\faronics\deepfr~1\instal~1\df5serv.exe") = true then
   set sFile = oFso.opentextfile(sPath & "df.bat", 2, true)
   with sFile
      .writeline "<path to dfc.exe> get /isfrozen"
      .writeline "echo %errorlevel% > " & chr(34) & sPath &
"thawed.txt" & chr(34)
      .close
   end with
   
   oShell.run sCheckDF
      
   do until oFso.fileexists(sPath & "thawed.txt")
      wscript.sleep 500
   loop
   wscript.sleep 500
   
   set sFile = oFso.opentextfile(sPath & "thawed.txt", 1, true)
   sState = sFile.readline
   if sState = 1 then
      oShell.run "<path to dfc.exe> <df password> /BOOTTHAWED"
   end if
   sFile.close 

end if

'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

' Create vbs to Change password

'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

set sFile = oFso.opentextfile(sPath & "<script name>", 2, true)

with sFile
   .writeline "set oFso = createobject(" & chr(34) &
"scripting.filesystemobject" & chr(34) & ")"
   .writeline "set oShell = createobject(" & chr(34) & "wscript.shell"
& chr(34) & ")"
   .writeline "set oNet = createobject(" & chr(34) & "wscript.network"
& chr(34) & ")"
   .writeline "sPC = oNet.computername"
   .writeline "sPassword = " & chr(34) & sNewPassword & chr(34)
   .writeline "set oDom = getobject(" & chr(34) & "WinNT://" & chr(34)
& " & sPC & " _
      & chr(34) & "/Administrators" & chr(34) & ")"
   .writeline ""
   .writeline "for each user in oDom.members"
   .writeline "   if lcase(user.name) = " & chr(34) & "<renamed admin
account>" & chr(34) & " then"
   .writeline "      user.setpassword sPassword"
   .writeline "   else"
   .writeline "      if lcase(user.name) = " & chr(34) &
"administrator" & chr(34) & " then"
   .writeline "         user.setpassword sPassword"
   .writeline "      end if"
   .writeline "   end if"
   .writeline "next"
   .writeline "if oFso.folderexists(" & chr(34) & "c:\INSREF" & chr(34)
& ") = false then"
   .writeline "   set oDir = oFso.createfolder(" & chr(34) &
"c:\INSREF" & chr(34) & ")"
   .writeline "end if"
   .writeline "sPath = " & chr(34) & "c:\password - " & sChangeDate &
".txt" & chr(34)
   .writeline "set sDone = oFso.opentextfile(sPath, 2, true)"
   .writeline "sDone.close"
end with

sFile.close

Run after Termination:

set oFso = createobject("scripting.filesystemobject")
set oShell = createobject("wscript.shell")
set oNet = createobject("wscript.network")

'***************************************
sChangeDate = "Nov-06"
'***************************************

sPath = oShell.environment("process")("temp") & "\" 

do until oFso.fileexists("c:\password - " & sChangeDate & ".txt") =
true
   wscript.sleep 500
loop

wscript.sleep 2000
oFso.deletefile sPath & "<script name>"


do until oFso.fileexists(sPath & "<script name>") = false
   wscript.sleep 500
loop


'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!    Freeze if DF 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
if oFso.fileexists
("c:\progra~1\faronics\deepfr~1\instal~1\df5serv.exe") = true then
   sFreeze = """<CN of DF App>.<OU>.<O>"""
   wscript.sleep 1000
   oShell.run "NALwin32 /A=" & sFreeze
end if

James Quinn

I used an automate script to change the password on local machines, I have included the script for anyone to use. You will need autoit, and systernals passwd.exe

I did it using the login script -- just made an executable out of the script and dropped it into everyone's login.

Made with autoit versions 3

;Date 1/25/07
;Author:James Quinn
;Purpose:Change local administrator password on Machines
;Other notes:none

;Diretory create
DirCreate("C:\pspasswd")

;Create File
fileinstall("C:\pspasswd.exe", "C:\pspasswd\pspasswd.exe")

;Runas elevated user(current admin)
RunAsSet("Administrator", @ComputerName, "OldPassword")
RunWait ("C:\pspasswd\pspasswd.exe Administrator [newpassword]l /accepteula")
 
;Delete Files
FileDelete("c:\pspasswd\pspasswd.exe")
DirRemove("C:\pspasswd")

;remove elevated rights
RunAsSet()
 
Exit

A.J.Snijder

We (also) used the net user-command to change the password of the user.

The only thing we did was create a simple ZEN-application.

We put the following command under "Distribution Options" > "Run Before Distribution"
#net user <Name of the admin account> <New Password>
example: #net user Administrator WizzKids!

To control the distribution of the new password under "Distribution Options" > "Application Files" we also distribute a little text file, called control.txt to the root of the local harddrive.

Under "Availability" > "Distribution Rules" we put the rule that the application only runs when the control.txt doesn't exist, so it does only run once, and there's a visual control on the local system.

Next we give it a Force run and under "Common" > "Reporting" we activate the logging for succesful launch and failed launch.

So after a few days we know exactly which system does have the new password.

Some tips:

  • If you want it more secure you can write a batch-script and download from http://www.commandline.co.uk/cmdow/ the little program cmdow.exe.When you use it in the top of the script the output will be verbose, just like:
    ;cdmow is a utility that hides the active DOS-screen 
    
    cmdow @ /HID
    
    @echo off
    • You can also use the little program sendemail.exe to send an e-mail to the administrator -- see this article. It's also handy to monitor the login/logout of a (admin) account!
    • There also a little program called renuser.exe. With this tool you can rename the admin account itself, just like: renuser administrator MyLovelyAdmin
    • All these tools are standard in the c:\windows\system32 folder on our systems.

    Christopher Farkas

    Seems that everyone is agreeing on the NET USER command as the fix for this.

    Don't forget that you can also use "NET" to create accounts.

    Follow it up with the "net localgroup" command to add/remove those accounts from GROUPS also. This works for local accounts (non AD). If you are in a Domain then just use "net group"

    Syntax for adding a user/pw
    net user USERNAME PASSWORD /add

    To then add the user to "administrators" group (guessing we don't want a regular old JOE user)
    net localgroup administrators USERNAME /add

    See Also


    Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

    © 2014 Novell