xpanmanx
(Starting to like KiXtart)
2005-08-26 04:48 PM
Change Local Admin Password Redux

Greetings,

Could I ask for the community's help with designing a script to change the Local Administrator Password?

Every 30 days, I would like to change each workstation's local administrator password to a random password, which would be generated at runtime. The 30-day interval would be determined by the last time the script ran successfully on the workstation. The random password would be unique to each workstation. All of the passwords would be stored in a secure location. The current password would overwrite any previous record.

I can *probably* engineer the code myself, but I'm struggling with some of the functionality...

Could such a script run as a local workstation startup script? This would be nifty for seldom-connected notebooks. Would it have the appropriate permissions to change the administrator password?

I can record each system's unique password by simply (over)writing a local text file, named for the workstation, then copy it up to a secured network share. But how to secure the local copy of that file? I thought about just burying it under @LANROOT but it would be nicer if I could script a permissions change which would deny modify to all but local administrators. Is there some way to script a permissions change?

The 30-day interval is easy - COMPAREFILETIMES between the local and network versions of the text file.

What's the risk of having domain passwords in a compiled KiXScripts Editor executable?

Your assistance is greatly appreciated. :>

Thanks very much,

Tim ==
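
A worked version of the design described above, added here as an example and not code from the thread or from KiXtart: it is written in PowerShell rather than KiXtart because the LocalAccounts cmdlets make the account change and the file ACL explicit. The record directory and the share name are placeholders I chose, and the script assumes it runs as SYSTEM or a local administrator (a startup task) on Windows 10 / Server 2016 or later.

```powershell
# Added example: rotate the local Administrator password every 30 days with a
# random value, record it in a per-workstation file readable only by local
# Administrators and SYSTEM, then copy the record to a secured share.
# Assumes Microsoft.PowerShell.LocalAccounts and an admin/SYSTEM context.
$ErrorActionPreference = 'Stop'
$Account      = 'Administrator'
$LocalRecord  = Join-Path $env:ProgramData "AdminPw\$env:COMPUTERNAME.txt"  # hypothetical path
$ShareDir     = '\\FILESERVER\AdminPw$'                                     # placeholder share
$IntervalDays = 30

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (I, l, O, 0, 1) left out so the record can be read back by hand.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling: no modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

function Test-RotationDue {
    param([string]$RecordPath, [int]$Days)
    if (-not (Test-Path $RecordPath)) { return $true }
    # The record is written only after a successful change, so its timestamp
    # is "the last time the script ran successfully", as the post specifies.
    return ((Get-Date) - (Get-Item $RecordPath).LastWriteTime).TotalDays -ge $Days
}

if (Test-RotationDue -RecordPath $LocalRecord -Days $IntervalDays) {
    $plain = New-RandomPassword
    Set-LocalUser -Name $Account -Password (ConvertTo-SecureString $plain -AsPlainText -Force)

    New-Item -ItemType Directory -Force -Path (Split-Path $LocalRecord) | Out-Null
    Set-Content -Path $LocalRecord -Value $plain -NoNewline   # overwrites the previous record

    # Drop inherited ACEs and grant only Administrators and SYSTEM.
    $acl = Get-Acl $LocalRecord
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $LocalRecord -AclObject $acl

    # Best-effort upload; an offline notebook simply catches up on its next run.
    if (Test-Path $ShareDir) { Copy-Item $LocalRecord -Destination $ShareDir -Force }
}
```

The plaintext record on disk is protected only by the file ACL, so the share copy should be the authoritative store and the local directory's own ACL should match the file's.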


Les
(KiX Master)
2005-08-26 05:07 PM
Re: Change Local Admin Password Redux

I do it with a central admin script that runs every 2 hours as a scheduled task. There is no local component. It searches the network for computers and compares all it finds with a central INI file. It is not a true 30 day interval but rather once a month depending on availability.

Sealeopard
(KiX Master)
2005-08-27 02:23 PM
Re: Change Local Admin Password Redux

One could also check the last password changed attribute on the local admin account and deduce whether it's been 30 days. However, maintaining a centralized list will reduce network traffic tremendously as you'd only need to change those accounts which are older than 30 days.

Les
(KiX Master)
2005-08-27 04:35 PM
Re: Change Local Admin Password Redux

Since I log changes to a central INI and check it instead of querying the client, I do not generate additional network traffic. The only traffic I do generate every 2 hours is an AD query of the computers within my OU to see if there are any new additions that are not in my INI file. It is only when a new computer or an existing computer that has not logged a pwd change in the current month is found that there is an attempt to ping it. I suppose when we go to XP, I will have to make sure that I allow pings, but since I have only a couple of XPs now, it is not a big deal.

As I do log "last seen", I periodically manually reconcile my AD list and my physical inventory with my INI. I do not automate this since we mothball certain computers for a while in case there is ever a need to salvage files off of it later.


xpanmanx
(Starting to like KiXtart)
2005-08-29 05:33 PM
Re: Change Local Admin Password Redux

I think I've come up with a pretty good compromise that allows offline execution. I've got about 4 hours into the code and testing. When I've got it knocked out I'll post it here.