Change local admin password via GPO


Solution 1

Add this as a logon script (select PowerShell). Remember that the administrator account remains disabled, so we need to activate it; that is done in the last line of the script.

# Reset the built-in administrator password on this machine via the WinNT ADSI provider
$computer = $env:COMPUTERNAME
$userName = "administrator"
$Password = "password"
$account = [adsi]"WinNT://$computer/$userName,user"
$account.SetPassword($Password)
# The built-in administrator account is disabled by default; enable it
net user administrator /active:yes

Solution 2

You could replace that with LAPS.

Solution 3

If you're willing to use a script rather than group policy, it shouldn't take two pages. Since I have scripts lying around anyway for a different purpose that could be altered, I'd probably do something like:

Get a list of computers (will probably need tweaking for your environment, both for the OU and for the limit):

dsquery computer ou=sbscomputers,ou=computers,ou=mybusiness,dc=mydomain,dc=local -o rdn -limit 500 > control.txt

SetLocal EnableDelayedExpansion

REM dsquery -o rdn wraps each name in quotes; strip them before writing the list
FOR /F %%L IN (control.txt) DO (
    set line=%%L
    echo !line!
    set line=!line:"=!
    echo !line!
    echo !line! >> process.txt
)

sort < process.txt > sorted.txt

del process.txt
move sorted.txt control.txt

You can then do something like:

$computers = Get-Content -Path c:\path\to\control.txt
$userName = "administrator"
$Password = "password"
Foreach($computer in $computers) {
    # Bind the ADSI object to its own variable so the account name is not
    # overwritten on the second iteration
    $account = [adsi]"WinNT://$computer/$userName,user"
    $account.SetPassword($Password)
    $account.SetInfo()
    echo "Password reset on $computer"
}

It would be better still to save the password as a secure string. This article has useful instructions for that. If you don't, you probably want to edit the password out of the second script after running it.
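The secure-string variant that Solution 3 suggests, as an added example (not code from any of the answers above): the password is read from a DPAPI-protected file created with ConvertFrom-SecureString, the ADSI object is kept in its own variable so the loop works for more than one computer, and the account is enabled through the UserFlags attribute instead of a separate net user call. The file paths and the control.txt format (one hostname per line, as produced by the dsquery step) are assumptions.

```powershell
# Added example: reset the built-in administrator password on a list of computers,
# reading the password from a DPAPI-protected secure-string file instead of a literal.
#
# One-time setup, run as the same user on the same machine that will run this script
# (DPAPI ties the blob to that user and machine, so the file decrypts nowhere else):
#   Read-Host -AsSecureString "Local admin password" | ConvertFrom-SecureString |
#       Set-Content -Path C:\admin\localadmin.pw
#
# Assumed (hypothetical) paths: C:\admin\control.txt and C:\admin\localadmin.pw.

param(
    [string]$ComputerList = 'C:\admin\control.txt',
    [string]$PasswordFile = 'C:\admin\localadmin.pw',
    [string]$AccountName  = 'Administrator'
)

# Decrypt the stored secure string back to plain text in memory only; the WinNT ADSI
# provider's SetPassword needs the clear value.
$secure    = Get-Content -Path $PasswordFile | ConvertTo-SecureString
$plaintext = [System.Net.NetworkCredential]::new('', $secure).Password

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $name = $computer.Trim()
    if (-not $name) { continue }
    try {
        # The ADSI object lives in $account, so $name and $AccountName are never
        # overwritten on later iterations (the bug in the original loop).
        $account = [adsi]"WinNT://$name/$AccountName,user"
        $account.SetPassword($plaintext)
        # Clear the ADS_UF_ACCOUNTDISABLE bit (0x2) so the account is usable.
        $flags = $account.InvokeGet('UserFlags')
        $account.InvokeSet('UserFlags', $flags -band (-bnot 0x2))
        $account.SetInfo()
        [pscustomobject]@{ Computer = $name; Status = 'OK'; Error = $null }
    } catch {
        [pscustomobject]@{ Computer = $name; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

# Drop the clear-text copy as soon as it is no longer needed.
$plaintext = $null
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the machine where the secure-string file was created. The per-computer result table is what you keep for your records; the password itself never appears in the script, the transcript, or SYSVOL.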

Author: Nathan.Eilisha Shiraini

Updated on September 18, 2022

Comments

  • Nathan.Eilisha Shiraini over 1 year

    I have deployed an Active Directory in a small company. Each and every user is trusted with local admin privileges on his computer with his domain account.

    However, in case the users can't log on to their computer, I need to have local Admin accounts enabled and with a password. Trouble is, because password change via GPOs has been removed, I can't use it to change the admin password.

    This removal is due to a security flaw, which is irrelevant because users are local admins.

    What I need is an easy way to activate and change the built-in admin accounts' password, via GPO, without the trouble of a two-page-long script (I know there's one). The password should be the same for everyone and never change.

  • Katherine Villyard almost 8 years
    Since startup scripts are stored in \\domaincontroller\sysvol\domainname\Policies\{PolicyGUID}\User\Scripts and %systemroot%\system32\grouppolicy on the local machine, you might want to save the password as a secure string. I know I'm one to talk since mine had that cleartext as well, but it wasn't stored on shares or the actual workstations.
  • Eric almost 8 years
    LAPS doesn't meet the requirements, but is a better solution. Having the same admin password across the org means if any computer is compromised, they all can be. Also keep in mind Windows caches the AD password, so even if the domain controller is inaccessible, so long as a user has logged in recently they will still be able to.
  • Brian D. over 5 years
    Your second example does not work with multiple PCs because you are changing the user variable inside the loop. Once you change one of them it does work correctly.