Even computer is joined with domain controller, Sysadmins are used to keep local Administrator account as a backup login account to log into the computer when domain controller is not available. However it is really important to change local Administrator password periodically to comply with company security standards.
Manually changing the local Admin password is very hard process, you can use GPOs but server 2012 and on wards this option is not available as passwords are stored on clear text without encrypting it, so in GPOs password field should be grey out if you are already checked that . If you are using domain controller prior to server 2012 you can try GPO option methods read this for more details .However there are lots of third party tools are available to make this process automate. Even Microsoft also introduce tool called local administrator password solution (laps) which can be integrated with Group policies, but need to modify domain schema, however it will not discuss here, if you are interest about LAPS please follow this article of official Microsoft resource.
Here I’m going to shows you how to remotely change local Administrator password on all domain computers automatically without installing additional software or making no modification to domain controller. below is the our lab environment.
Domain controller :- WIndows server 2012 R2
Domain computers :- Windows 7,8,and 8.1
01) Get domain PCs
i) log into domain controller and open Powershell.
ii) type following command to get all client PCs managed by domain controller.
1 |
Get-ADComputer -Filter * | Select -Expand Name |
Copy output into notepad and save it as txt ex:- domainpc.txt
02) Download PSTools
Download latest tool set from here and extract it. Don’t forget to copy domainpc.txt into extract folder of PSTools.
03) Change Local Administrator password on computers
i) Open command prompt and go to extract PSTools folder.
ii) Type following command
1 |
pspasswd @domainpc.txt -u [YOURDOMAIN]\Administrator [REMOTE ADMIN ACCOUNT] [NEW PASSWORD] |
[YOURDOMAIN] :- Active Directory domain Name
[REMOTE ADMIN ACCOUNT] :- this most probably ‘Administrator’ if you need to change other local account, specify it here
[NEW PASSWORD] :- New password for the account
ex:-
1 |
pspasswd @domainpc.txt -u testdomain\Administrator Administrator NeWPA$$wo6 |
Once you enter the command it will ask Domain Administrator password, type the password and press enter if you need to get output into file, you need to append following to above command
1 |
1>output.txt 2>&1 |
ex:-
1 |
pspasswd @domainpc.txt -u testdomain\Administrator Administrator NeWPA$$wo6 1>output.txt 2>&1 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
pspasswd parameters and available options:- PsPasswd changes passwords on a local or remote system. Usage for local accounts: pspasswd [\\[computer[,computer,[,...]]|@file] [-u Username [-p Password]]] <A ccount> [NewPassword] Usage for domain accounts: pspasswd <Domain\Account> [NewPassword] computer Computer or computers on which the local account exists. If you omit the computer name, the local computer is assumed. If you specify a wildcard (\\*), PsPasswd runs the command on all computers in the current domain or workgroup. @file PsPasswd will change the password on the computers listed in the file. -u Specifies optional user name for login to remote computer. -p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. -nobanner Do not display the startup banner and copyright message. Domain Specifies name of the domain of the target account. Account Specifies name of the account for password change. NewPassword New password. If omitted a NULL password is applied. |
6 comments
Skip to comment form ↓
Rob
November 30, 2016 at 10:44 pm (UTC 5.5) Link to this comment
Thanks for this! Two questions, will the script continue to run if a computer from the list is not powered on? How can a get a log for completed or failed computers?
admin
December 5, 2016 at 2:50 pm (UTC 5.5) Link to this comment
powered off computers will not be affected.
it takes 10-30 seconds to apply to a single computer (simply it depends on network connectivity )
Casey
December 21, 2016 at 1:27 am (UTC 5.5) Link to this comment
How secure is this method? Is there some sort of encryption when doing this? Who can see the password when I send this command?
admin
December 22, 2016 at 3:56 pm (UTC 5.5) Link to this comment
it’s not encrypted at all. This method is simple, but if you have concern about security, you can try Local Administrator Password Solution (LAPS)
(https://www.microsoft.com/en-us/download/details.aspx?id=46899)
Ken
January 14, 2019 at 11:06 pm (UTC 5.5) Link to this comment
Nonsense. It does not send passwords in cleartext. LAPS is preferred, but pspasswd works if can’t implement LAPS. I’m only replying to this old thread because it’s not accurate and may dissuade people from using pspasswd for the wrong reasons.
Mahmoud ElSlamony
April 29, 2020 at 2:20 am (UTC 5.5) Link to this comment
Really, i applied the above steps to change the local administrator password of all domain computers, through login to local administrator account of domain computer not through domain controller, it changed successfully for all domain computers, i wondered how the local administrator of any domain computer can change local administrators password of other computers.