«

»

Jul 06

Remotely change local Administrator password on all domain computers

Even computer is joined with domain controller, Sysadmins are used to keep local Administrator account as a backup login account to log into the computer when domain controller is not available. However it is really important to change local Administrator password periodically to comply with company security standards.

Manually changing the local Admin password is very hard process, you can use GPOs but server 2012 and on wards this option is not available as passwords are stored on clear text without encrypting it, so in GPOs password field should be grey out if you are already checked that . If you are  using domain controller prior to server 2012 you can try GPO option methods read this for more details .However there are  lots of third party tools are available to make this process automate. Even Microsoft also introduce tool called  local administrator password solution (laps) which can be integrated with Group policies, but need to modify domain schema, however it will not discuss here, if you are interest about LAPS please follow this article of official Microsoft resource.

 

Here I’m going to shows you how to remotely change local Administrator password on all domain computers automatically without installing additional software or making no modification to domain controller. below is the our lab environment.

Domain controller :- WIndows server 2012 R2
Domain computers :- Windows 7,8,and 8.1

 

01) Get domain PCs

i) log into domain controller and open Powershell.

ii) type following command to get all client PCs managed by domain controller.

Copy output into notepad and save it as txt ex:- domainpc.txt

02) Download PSTools

Download latest tool set from here and extract it. Don’t forget to copy domainpc.txt into extract folder of PSTools.

03) Change Local Administrator password on computers

i) Open command prompt and go to extract PSTools folder.

ii) Type following command

[YOURDOMAIN] :- Active Directory domain Name
[REMOTE ADMIN ACCOUNT] :- this most probably ‘Administrator’ if you need to change other local account, specify it here
[NEW PASSWORD] :- New password for the account

ex:-

Once you enter the command it will ask Domain Administrator password, type the password and press enter if you need to get output into file, you need to append following to above command

ex:-

 

 

2 comments

  1. Rob

    Thanks for this! Two questions, will the script continue to run if a computer from the list is not powered on? How can a get a log for completed or failed computers?

    1. admin

      powered off computers will not be affected.
      it takes 10-30 seconds to apply to a single computer (simply it depends on network connectivity )

Leave Your Thought Here