With the stricter security requirements that many of my customers have been facing lately, the question about how to change the local administrator password on 10’s, 100’s, or even 1000’s of windows machines has come up several times recently. With the introduction of Group Policy Preferences, this has become a very easy task. Here are some instructions on how to accomplish this with a minimum amount of work on the part of the administrator.
NOTES: These procedures involve making changes to group policies. Thorough testing should always be performed in a lab environment prior to making any changes to group policy in a production environment. Also, GPP’s are not supported in Windows 2000, so these procedures are only useful on XP SP2 and later operating systems.
1. Ensure that the managed clients have the update installed to support group policy preferences. These updates are on Windows Update and can also be found here: http://support.microsoft.com/?kbid=943729
2. On either a Windows Server 2008 server, or on a Vista SP1 client, enable the RSAT (Remote Server Administration) tools. On Vista SP1, they must be installed first, whereas on Server 2008 they only need to be enabled. After installing, enable them by using the Turn On Features option in the Programs and Features applet in the control panel. The RSAT tools can be downloaded here: http://support.microsoft.com/?kbid=941314 Note that just installing the update will not add anything to the Administrative Tools menu. You must also turn the feature on:
Tip: In most open windows in Vista and later operating systems, there is a search box in the upper right hand corner. If you’re not sure how or where to configure a setting, type in a keyword in the search box. In Control Panel, for example, type in something like “screensaver” (without the quotes). You will instantly see relevant settings displayed to help you modify your screensaver. You can save yourself tons of time when looking for features and settings by using this handy search capability.
3. Using the GPMC tool on either Windows Server 2008 or on the Vista SP1 machine with RSAT, note the new Preferences section when editing a group policy:
4. Under Computer Configuration, expand Preferences, Control Panel Settings, and then right-click on Local Users and Groups. Choose New, Local User:
5. Leave the Action drop-down set to Update. From the drop down box for User Name, select Administrator (built-in). Type in a password to reset the password for this account. NOTE: You MUST type in a new password for this step to work. If you do not, the changes will not be made. Optional: UNCHECK the box for Password Never Expires. The end result of these settings will be to have an expiring local password for the built-in admin account, and for the password to be changed to the new value.
You can also use this section to perform other changes, such as renaming the Administrator account or modifying other local accounts.
6. Note the additional settings available via the Common tab:
There is also a good whitepaper on this topic located here. This whitepaper covers GPP’s in more detail, along with their many capabilities.
NOTE: When using Group Policy Preferences, keep in mind that the stored password is obfuscated. From a security standpoint, it would be best to use this procedure to change the password using a separate group policy. Then, once finished, delete the group policy so that the stored password (although obfuscated) is also deleted.
Read the complete @> Jim Ratsch’s Technical Ramblings : How to change the password for the local administrator account on multiple machines (the easy way without scripting)