Guest Vishal
Posted

Hi,

I want to change the password of windows xp pc's on a windows 2003 domain using group policy, logon scripts or something similar.

How do I do that?

However, I don't want to change the password on windows 2003 servers.

thanks

Guest Edwin vMierlo [MVP]
Posted

Re: password change

> I want to change the password of windows xp pc's on a windows 2003 domain
> using group policy, logon scripts or something similar.

"XP PC's" do not have passwords; users in a domain do (or a user on a local host does).

Please explain in more detail what you would like to do.

rgds,
Edwin.

Guest Richard Mueller [MVP]
Posted

Re: password change

"Edwin vMierlo [MVP]" <EdwinvMierlo@discussions.microsoft.com> wrote in message news:%239srO4wyIHA.4704@TK2MSFTNGP03.phx.gbl...
>
>> I want to change the password of windows xp pc's on a windows 2003 domain
>> using group policy, logon scripts or something similar.
>
> "XP PC's" do not have passwords, users do in a domain (or user on a local
> host do)
>
> Please explain in more detail what you like to do
>
> rgds,
> Edwin.
>

Actually, computer accounts are just like user accounts. They authenticate to the domain and have passwords. However, the passwords are changed by the system periodically (every 30 days by default as I recall). More likely the poster wants to change the local Administrator password on all computers. This could be done in a logon script, but is not recommended. Most users do not have permissions to do this so you would need to hard code Administrator credentials in the script, which risks revealing the password. Best to do it yourself remotely in a script. See this link:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul07/hey0703.mspx

This uses ADO to retrieve the names of all computers in the domain, binds to each, and sets the password to the same value on each. The script can be improved, as noted near the end of the article. Since Domain Controllers do not have local users, the script will bind to the Domain Administrator user and reset that password. I would skip all member servers and DC's. The best way to do that is make sure the string "server" is not in the value of the operatingSystem attribute. For example, in place of:

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectClass = 'computer'"

I would suggest (watch line wrapping):

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectClass = 'computer' AND NOT operatingSystem='*server*'"

I would also ping each computer, as suggested in the article, and log activity to a text file.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

--

Guest Richard Mueller [MVP]
Posted

Re: password change

Besides the improvements suggested in the article I linked, I would do several other things differently. I would not use "On Error Resume Next" throughout and I would use LDAP syntax in the ADO query. I would also retrieve sAMAccountName instead of cn, as they are not required to match. My version follows:

==========
' ResetLocalAdminPwds.vbs
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strComputer
Dim objShell, strFilePath, objFSO, objLogFile
Dim objLocalAdmin, strPassword

Const ForWriting = 2
Const OpenAsASCII = 0
Const CreateIfNotExist = True

' Specify the new local Administrator password for all workstations.
strPassword = "zxy#213$q"

' Specify log file.
strFilePath = "c:\scripts\ResetPwds.log"

' Open the log file for write access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile(strFilePath, _
    ForWriting, CreateIfNotExist, OpenAsASCII)

' Write to log file.
objLogFile.WriteLine "Program ResetLocalAdminPwds.vbs"
objLogFile.WriteLine "Started: " & CStr(Now())

' WshShell object required by Function PingMachine.
Set objShell = CreateObject("Wscript.Shell")

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on computers without a server operating system
strFilter = "(&(objectCategory=computer)(!operatingSystem=*server*))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve NetBIOS name of computer.
    strComputer = adoRecordset.Fields("sAMAccountName").Value
    ' Remove trailing "$".
    strComputer = Left(strComputer, Len(strComputer) - 1)
    ' Ping the computer.
    If (PingMachine(strComputer, 1, 750) = True) Then
        ' Bind to local Administrator user on the computer.
        ' Trap error if unable to bind or set password.
        On Error Resume Next
        Set objLocalAdmin = GetObject("WinNT://" & strComputer _
            & "/Administrator,user")
        If (Err.Number = 0) Then
            objLocalAdmin.SetPassword strPassword
            If (Err.Number = 0) Then
                ' Restore normal error handling.
                On Error GoTo 0
                objLogFile.WriteLine strComputer & " password reset"
            Else
                ' Restore normal error handling.
                On Error GoTo 0
                objLogFile.WriteLine strComputer _
                    & " ## unable to set password"
            End If
        Else
            ' Restore normal error handling.
            On Error GoTo 0
            objLogFile.WriteLine strComputer _
                & " ## unable to bind to local Administrator"
        End If
    Else
        ' Computer not available.
        objLogFile.WriteLine strComputer & " ## not available"
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Write to log file.
objLogFile.WriteLine "Finished: " & CStr(Now())

' Clean up.
objLogFile.Close
adoRecordset.Close
adoConnection.Close

Function PingMachine(ByVal strHost, ByVal intPings, ByVal intTO)
    ' Returns True if strHost can be pinged.
    ' strHost is the NetBIOS name or IP address of host computer.
    ' intPings is number of echo requests to send.
    ' intTO is timeout in milliseconds to wait for each reply.
    ' Variable objShell has global scope and must be declared and set
    ' in the main program. Requires WSH 5.6, which comes standard with
    ' Windows XP and above.

    Dim strResults
    Dim objExecObject

    ' Defaults.
    If (intPings = "") Then
        intPings = 2
    End If
    If (intTO = "") Then
        intTO = 750
    End If

    ' Ping the machine.
    Set objExecObject = objShell.Exec("%comspec% /c ping -n " _
        & CStr(intPings) & " -w " & CStr(intTO) & " " & strHost)

    ' Read the output.
    Do Until objExecObject.StdOut.AtEndOfStream
        strResults = objExecObject.StdOut.ReadAll
    Loop

    Select Case InStr(strResults, "TTL=")
        Case 0
            ' No response.
            PingMachine = False
        Case Else
            ' Computer responded to ping.
            PingMachine = True
    End Select

End Function
============

The next step would be to code it so it outputs computers where the password is not reset to a separate text file of "missed" computers. Then you could run the script repeatedly and it would only attempt to reset the password for computers in the "missed" file. As the passwords are reset, the computers are removed from the "missed" file. If there is no "missed" file, the program resets local Administrator password on all computers. If the "missed" file exists but has no computer names, the process is complete (all passwords have been reset). I may work on that later.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

--
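
The "missed"-file retry logic described in the post above could look like the following. This is an added example, not code from the thread or from Richard Mueller; the file paths and the helper names LoadNames and ResetAdmin are assumptions, and the first-run list is read from an assumed text file (which must exist) in place of the ADO query, to keep the example short.

```vbscript
' Added example, not from the thread; names and paths below are assumed.
Option Explicit
Const ForReading = 1, ForWriting = 2
Const strAllPath = "c:\scripts\Workstations.txt"   ' one NetBIOS name per line
Const strMissedPath = "c:\scripts\Missed.txt"
Dim objFSO, objFile, dicTargets, dicMissed, strName, strPassword
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set dicMissed = CreateObject("Scripting.Dictionary")
If objFSO.FileExists(strMissedPath) Then   ' later run: retry missed only
    Set dicTargets = LoadNames(strMissedPath)
    If dicTargets.Count = 0 Then
        WScript.Echo "Missed file is empty: all passwords have been reset."
        WScript.Quit 0
    End If
Else                                       ' first run: full workstation list
    Set dicTargets = LoadNames(strAllPath)
End If
' Prompt for the new password so it is not stored in the script file.
strPassword = InputBox("New local Administrator password:")
If strPassword = "" Then WScript.Quit 1
For Each strName In dicTargets.Keys
    If Not ResetAdmin(strName, strPassword) Then dicMissed(strName) = True
Next
' Rewrite the missed file; an empty file marks the job as complete.
Set objFile = objFSO.OpenTextFile(strMissedPath, ForWriting, True)
objFile.Write Join(dicMissed.Keys, vbCrLf)
objFile.Close
WScript.Echo dicMissed.Count & " of " & dicTargets.Count & " still missed"

Function LoadNames(strPath)   ' Dictionary keyed by the non-blank lines
    Dim dic, objIn, strLine
    Set dic = CreateObject("Scripting.Dictionary")
    Set objIn = objFSO.OpenTextFile(strPath, ForReading)
    Do Until objIn.AtEndOfStream
        strLine = Trim(objIn.ReadLine)
        If strLine <> "" Then dic(strLine) = True
    Loop
    objIn.Close
    Set LoadNames = dic
End Function

Function ResetAdmin(strComputer, strPwd)   ' True if bind and set both succeed
    Dim objUser
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    If Err.Number = 0 Then objUser.SetPassword strPwd
    ResetAdmin = (Err.Number = 0)
    On Error GoTo 0
End Function
```

Run it with cscript from an account that has administrative rights on the workstations, and repeat until the missed file is empty. Every workstation still ends up sharing one local Administrator password, so disclosure of it on one machine affects all of them.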

Guest Vishal
Posted

Re: password change

Awesome.

Simply Awesome.

I haven't had a chance to try it - will tell you asap.

Guest Richard Mueller [MVP]
Posted

Re: password change

"Vishal" <Vishal@discussions.microsoft.com> wrote in message news:650D2392-8B2A-46D8-9A4B-27B90E13CCCC@microsoft.com...
> Thanks, I have read your comments with interest.
>
> Well expressed.
>
> I have navigated to
> http://www.microsoft.com/technet/scriptcenter/scripts/templates/default.mspx?mfr=true
>
> to include ping.
>
> There are several ping command line scripts. Would "Select and Ping All
> Computers in a Domain" be the right script in question in our scenario?
>

I believe the actual link to the program is:

http://www.microsoft.com/technet/scriptcenter/scripts/templates/adsi/basic/tmabvb31.mspx

The example uses similar techniques. I don't like the use of "On Error Resume Next". It still queries for all computers, including member servers and Domain Controllers. It retrieves the value of the cn attribute and assumes this is the same as the NetBIOS name of the computer. Sure, that is the case 99% of the time, but still it is not always true. Finally, the page says the program will work on Windows 98, NT, and Windows 2000 clients. Sorry, that's not true unless someone has installed WSH 5.6. The older clients come standard with WSH 5.1, which does not support the Exec method of the wshShell object used to Ping the computers. The code I posted also uses that method, but I state that it requires XP or above. For a Ping function that works on all clients from Windows 95 on (if DSClient is installed), see the first function in this link:

http://www.rlmueller.net/PingComputers.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

--

Guest Edwin vMierlo [MVP]
Posted

Re: password change

> Actually, computer accounts are just like user accounts. They authenticate
> to the domain and have passwords.

and that was not clear for me in the OP's first post....

Guest Vishal
Posted

Re: password change

Quick question ... how would I execute this?

thanks for your help

