Even when a computer is joined to a domain, sysadmins usually keep the local Administrator account as a backup login for use when no domain controller is reachable. It is therefore important to change the local Administrator password periodically to comply with company security standards.
Changing the local Administrator password manually is a laborious process. You can use GPOs, but from Server 2012 onward this option is no longer available, because the passwords are stored in clear text without being encrypted; in Group Policy the password field is greyed out, as you will have noticed if you have already checked. If your domain controller predates Server 2012 you can try the GPO method; read this for more details. There are many third-party tools that automate this process. Microsoft also introduced a tool called Local Administrator Password Solution (LAPS), which integrates with Group Policy but requires a domain schema modification; it is not covered here. If you are interested in LAPS, follow this article from the official Microsoft resource.
Here I’m going to show you how to change the local Administrator password on all domain computers remotely and automatically, without installing additional software or making any modification to the domain controller. Below is our lab environment.
Domain controller :- Windows Server 2012 R2
Domain computers :- Windows 7, 8 and 8.1
01) Get domain PCs
i) Log into the domain controller and open PowerShell.
ii) Type the following command to list all client PCs managed by the domain controller.
Get-ADComputer -Filter * | Select -Expand Name
Copy the output into Notepad and save it as a text file, e.g. domainpc.txt
02) Download PSTools
Download the latest tool set from here and extract it. Don’t forget to copy domainpc.txt into the extracted PSTools folder.
03) Change Local Administrator password on computers
i) Open a command prompt and change to the extracted PSTools folder.
ii) Type the following command
pspasswd @domainpc.txt -u [YOURDOMAIN]\Administrator [REMOTE ADMIN ACCOUNT] [NEW PASSWORD]
[YOURDOMAIN] :- Active Directory domain name
[REMOTE ADMIN ACCOUNT] :- most probably ‘Administrator’; if you need to change a different local account, specify it here
[NEW PASSWORD] :- new password for the account
pspasswd @domainpc.txt -u testdomain\Administrator Administrator NeWPA$$wo6
Once you enter the command it will prompt for the Domain Administrator password; type it and press Enter. If you want the output written to a file, append the redirection shown in the following command:
pspasswd @domainpc.txt -u testdomain\Administrator Administrator NeWPA$$wo6 1>output.txt 2>&1
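As an added example (not part of the original post), here are steps 01 to 03 combined into one PowerShell script run on the domain controller. It assumes the ActiveDirectory module is available and that PSTools was extracted to C:\PSTools (a placeholder path), and it adds a reachability check so that PCs that are switched off are listed separately for a later re-run instead of just producing errors.

```powershell
# Added example, not part of the original post: steps 01-03 in one PowerShell script
# run on the domain controller. Assumptions: the ActiveDirectory module is present,
# PsPasswd.exe was extracted to C:\PSTools (placeholder path), and the script runs as
# a domain administrator. PsPasswd prompts for the domain password because -p is omitted.
Import-Module ActiveDirectory

$PsToolsDir   = 'C:\PSTools'                         # assumption: PSTools extract folder
$ListFile     = Join-Path $PsToolsDir 'domainpc.txt' # same file name as in step 01
$SkipFile     = Join-Path $PsToolsDir 'unreachable.txt'
$LogFile      = Join-Path $PsToolsDir 'output.txt'
$LocalAccount = 'Administrator'                      # [REMOTE ADMIN ACCOUNT]
$DomainUser   = "$env:USERDOMAIN\Administrator"      # [YOURDOMAIN]\Administrator

# Step 01: enabled Windows computer objects only, so stale or disabled accounts are skipped.
$computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like 'Windows*' } `
                            -Properties OperatingSystem |
             Select-Object -ExpandProperty Name

# PsPasswd reports an error for every host that is off or unreachable, so test first and
# keep the unreachable names in a separate file for a later re-run.
$reachable = @(); $unreachable = @()
foreach ($pc in $computers) {
    if (Test-Connection -ComputerName $pc -Count 1 -Quiet) { $reachable += $pc } else { $unreachable += $pc }
}
$reachable   | Set-Content -Path $ListFile -Encoding ASCII
$unreachable | Set-Content -Path $SkipFile -Encoding ASCII

# Read the new local password without echoing it. Note: if you instead type a password such as
# NeWPA$$wo6 literally on a PowerShell command line, single-quote it, otherwise $$ is expanded.
$secure = Read-Host -Prompt "New password for local '$LocalAccount'" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

# Step 03: same invocation as the post, plus -nobanner and a log of stdout+stderr for every host.
& (Join-Path $PsToolsDir 'pspasswd.exe') "@$ListFile" -nobanner -u $DomainUser $LocalAccount $plain 2>&1 |
    Tee-Object -FilePath $LogFile

# Drop the plaintext copy once PsPasswd is done.
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Remove-Variable plain, secure
Write-Host "Done. $($reachable.Count) host(s) attempted, $($unreachable.Count) unreachable listed in $SkipFile; see $LogFile."
```

Re-run the script later with unreachable.txt renamed to domainpc.txt (or point $ListFile at it) to cover the PCs that were off the first time.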
pspasswd parameters and available options:-

PsPasswd changes passwords on a local or remote system.

Usage for local accounts:
    pspasswd [\\[computer[,computer,[,...]]|@file] [-u Username [-p Password]]] <A
Usage for domain accounts:
    pspasswd <Domain\Account> [NewPassword]

    computer     Computer or computers on which the local account exists. If
                 you omit the computer name, the local computer is assumed.
                 If you specify a wildcard (\\*), PsPasswd runs the
                 command on all computers in the current domain or workgroup.
    @file        PsPasswd will change the password on the computers listed
                 in the file.
    -u           Specifies optional user name for login to remote computer.
    -p           Specifies optional password for user name. If you omit this
                 you will be prompted to enter a hidden password.
    -nobanner    Do not display the startup banner and copyright message.
    Domain       Specifies name of the domain of the target account.
    Account      Specifies name of the account for password change.
    NewPassword  New password. If omitted a NULL password is applied.