#146480 - 2005-08-26 04:48 PM Change Local Admin Password Redux
xpanmanx Offline
Starting to like KiXtart

Registered: 2002-07-08
Posts: 108
Loc: St. Louis MO USA
Greetings,

Could I ask for the community's help with designing a script to change the Local Administrator Password?

Every 30 days, I would like to change each workstation's local administrator password to a random password, which would be generated at runtime. The 30-day interval would be determined by the last time the script ran successfully on the workstation. The random password would be unique to each workstation. All of the passwords would be stored in a secure location. The current password would overwrite any previous record.

I can *probably* engineer the code myself, but I'm struggling with some of the functionality...

Could such a script run as a local workstation startup script? This would be nifty for seldom-connected notebooks. Would it have the appropriate permissions to change the administrator password?

I can record each system's unique password by simply (over)writing a local text file, named for the workstation, then copy it up to a secured network share. But how to secure the local copy of that file? I thought about just burying it under @LANROOT but it would be nicer if I could script a permissions change which would deny modify to all but local administrators. Is there some way to script a permissions change?

The 30-day interval is easy - COMPAREFILETIMES between the local and network versions of the text file.

What's the risk of having domain passwords in a compiled KiXScripts Editor executable?

Your assistance is greatly appreciated. :>

Thanks very much,

Tim ==

#146481 - 2005-08-26 05:07 PM Re: Change Local Admin Password Redux
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
I do it with a central admin script that runs every 2 hours as a scheduled task. There is no local component. It searches the network for computers and compares all it finds with a central INI file. It is not a true 30 day interval but rather once a month depending on availability.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#146482 - 2005-08-27 02:23 PM Re: Change Local Admin Password Redux
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
One could also check the last password changed attribute on the local admin account and deduce whether it's been 30 days. However, maintaining a centralized list will reduce network traffic tremendously as you'd only need to change those accounts which are older than 30 days.
_________________________
There are two types of vessels, submarines and targets.

#146483 - 2005-08-27 04:35 PM Re: Change Local Admin Password Redux
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Since I log changes to a central INI and check it instead of querying the client, I do not generate additional network traffic. The only traffic I do generate every 2 hours is an AD query of the computers within my OU to see if there are any new additions that are not in my INI file. It is only when a new computer or an existing computer that has not logged a pwd change in the current month is found that there is an attempt to ping it. I suppose when we go to XP, I will have to make sure that I allow pings, but since I have only a couple of XPs now, it is not a big deal.

As I do log "last seen", I periodically manually reconcile my AD list and my physical inventory with my INI. I do not automate this since we mothball certain computers for a while in case there is ever a need to salvage files off of it later.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
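
The selection step of the central-INI approach described in the posts above, as an added Python sketch that is not part of the thread and not any poster's script. The INI layout (one section per computer with `LastChanged` and `LastSeen` keys), the function names, and the sample data are assumptions; the AD query, the ping, and the actual password change are left out.

```python
import configparser
import secrets
import string
from datetime import date

# Constructed sample of the central INI (layout is an assumption).
SAMPLE_INI = """\
[WS-001]
LastChanged = 2005-08-03
[WS-002]
LastChanged = 2005-07-14
[WS-003]
LastChanged = not-a-date
"""

def load_state(ini_text):
    state = configparser.ConfigParser()
    state.read_string(ini_text)
    return state

def due_for_change(state, ad_computers, today):
    """Names found in AD that are new or have no change logged this month."""
    due = []
    for name in ad_computers:
        if not state.has_section(name):
            due.append(name)  # new computer, not yet in the INI
            continue
        try:
            last = date.fromisoformat(state.get(name, "LastChanged", fallback=""))
        except ValueError:
            due.append(name)  # missing or unreadable date: treat as due
            continue
        if (last.year, last.month) != (today.year, today.month):
            due.append(name)
    return due

def new_password(length=20):
    """Random per-machine password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#%+-_="
    return "".join(secrets.choice(alphabet) for _ in range(length))

def record_change(state, name, today):
    """Log a successful change; the password itself is not written here."""
    if not state.has_section(name):
        state.add_section(name)
    state.set(name, "LastChanged", today.isoformat())
    state.set(name, "LastSeen", today.isoformat())
```

Only the machines returned by `due_for_change` would be contacted, and `record_change` is called only after a change succeeds, so an unreachable notebook stays due until it is next seen.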

#146484 - 2005-08-29 05:33 PM Re: Change Local Admin Password Redux
xpanmanx Offline
Starting to like KiXtart

Registered: 2002-07-08
Posts: 108
Loc: St. Louis MO USA
I think I've come up with a pretty good compromise that allows offline execution. I've got about 4 hours into the code and testing. When I've got it knocked out I'll post it here.