“Yeah, Hi Ed, it’s your boss. Seems John from the helpdesk just quit, and since he knows the local admin password for every workstation in the domain, I’m going to need you to change those. So if you could just go ahead and take care of that now, that would be terrific, OK? Oh, and I almost forgot. Ahh, I’m also gonna need you to go ahead and come in on Sunday, too…”
Okay, show of hands. How many of you have ever had an employee separation event dropped in your lap at the end of the day, with the expectation that you will not so much as go to the restroom until every conceivable hole is plugged? In my experience, IT guys who leave tend to go to the bar to celebrate, not to some dank and dim basement so that they can tunnel back in through the secret back door they left in order to wreak havoc on their former employer’s systems.
However, it is better to be safe than sorry, and this little trick can be used just as easily on those quarterly scheduled password changes as it can for those emergency situations. What we are going to do here is script changing the local administrator account password on a list of machines. These can be workstations, servers, or both. We just need to put together three little pieces to get it done.
The text file
Create a text file named servers.txt, with one computer name per line. You can export the list from ADUC, or do a dsquery to get the list, or you can just compile it by hand. I like exporting from ADUC since it creates a nice basic text file, one computer per line, and I usually need to do this against an entire OU at a time.
Save that file to a directory you can find easily.
The net command
The net command can be used to do a lot of things. We’ve talked about that before here. This time, we are going to use the net command to change the administrator account’s password. That syntax is
net user administrator password [enter]
Where you would substitute a complex password for the placeholder word password above. We don’t want to do this just yet, but we will build on this below.
The psexec command
The psexec command is part of the suite of PsTools from Microsoft and Sysinternals. It allows you (with administrative rights of course) to issue a command on one machine, have it execute that command on another, and then return the standard output to the first machine. It’s kind of like rexec but with actual authentication instead of just an .rhosts file. However, much like rexec, it does execute these commands in clear text. While your authentication is protected by NTLM, any commands you execute, and the resulting stdout, will show in clear text should someone be running Wireshark. Changing the local password this way will reveal that password to anyone running Wireshark if they happen to pick up your traffic. If that is considered too high a risk, don’t do this. If you are cool with that, download the PsTools and install them, which is really just extracting them and putting them into your path.
Putting it all together
With our text file in place and psexec installed, we just need to execute a simple command. So we can reuse this, and reduce the number of typos, we’ll save the syntax into a simple cmd file called ChangeAdminPwd.cmd. If you want to do this from the cmd line instead of a batch file, remember to use only one % sign instead of the two we need in a batch file. Assuming we want to set our local administrator password to be “FooB@r123” we do this
for /f %%G in (servers.txt) do psexec \\%%G net user administrator FooB@r123
and save it in the same directory as our servers.txt file. As long as you execute your ChangeAdminPwd.cmd from the same directory that servers.txt is in, and you have PsExec in your path, this will rip through the file, connecting to each machine one at a time, change the local administrator account’s password using the net user syntax, and then move on to the next. It’s much faster than logging on to each machine one at a time, and much cheaper than buying Hyena. It’s also a cheap trick, and you do have to be comfortable with putting the new password in a text file and sending the commands using PsExec, but it gets the job done in a hurry. If you are storing the text file securely, or better still, removing the password after you run it, and are cool with the cleartext aspect, this will take care of business.
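A variation on the loop above, as an added example that is not part of the original post: it is written in PowerShell rather than as a cmd file, prompts for the password so it never sits in a file, and records which machines did not take the change. It assumes psexec.exe is in your path and servers.txt is in the current directory; failed.txt is a file name made up for this example. The password still travels to each machine the same way the post describes.

```powershell
# Added example: same servers.txt + PsExec + "net user" procedure as the post,
# but the password is prompted for (never saved to disk) and failures are logged.
# Assumptions: psexec.exe is in PATH, servers.txt is in the current directory,
# and failed.txt is a hypothetical output file name chosen for this example.

$secure = Read-Host -Prompt 'New local administrator password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$failed = @()
foreach ($line in Get-Content -Path .\servers.txt) {
    $computer = $line.Trim()
    if (-not $computer) { continue }    # skip blank lines in the export

    # PsExec hands back the exit code of the remote command;
    # net user exits with 0 when the password change succeeds.
    & psexec.exe "\\$computer" net user administrator $plain 2>$null | Out-Null

    if ($LASTEXITCODE -eq 0) {
        Write-Host "OK      $computer"
    } else {
        Write-Host "FAILED  $computer (exit code $LASTEXITCODE)"
        $failed += $computer
    }
}

# Machines listed here still have the old password and need a second pass.
if ($failed.Count -gt 0) {
    $failed | Set-Content -Path .\failed.txt
    Write-Host "$($failed.Count) machine(s) failed; names written to failed.txt"
}

# Drop the plain-text copy of the password from this session.
Remove-Variable plain
```

Machines that were powered off or unreachable end up in failed.txt, so the same script can be rerun against that list once they are back online.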
And speaking of Cheap Trick, here’s one of their early hits, "The Dream Police."
Direct link for RSS and email subscribers…http://www.youtube.com/watch?v=7yRRqxJHQmA&feature=av2n