PowerShell: Change the Local Administrator Account/Password

Back in May of 2014 Microsoft released a Windows update, MS14-025, that removed the ability to push out passwords to workstations remotely using Group Policy because of elevation-of-privilege issues. Once that patch is applied, changing the local admin password is a rather large pain without something like SCCM in place.

After working through some similar issues and reading a few TechNet articles, I decided to build a quick and slightly dirty PowerShell script to do several things as needed. This particular script does the following:

  1. Renames the Administrator Account on a specified computer.
  2. Resets the password of that account on the specified computer.
  3. Enables or Disables the default Administrator account.
  4. Creates a Dummy Account called “Administrator” that has no rights with a static password of “P@ssword1”

What this script DOESN'T do:

  1. Provide flexibility over whether the password is set to expire or not.
  2. Encrypt, well, anything. It’s all in raw plain text. Some other day I might go back and encrypt the password that is sent to the local administrator account.
  3. Currently process a list of computers. It could, though: the logic is there, just not tested or used.

```powershell
$computers = Read-Host "What is the Computer Name?" # Name of the computer you would like to modify
$userPW = Read-Host "What is the Password you would like to set?" # Password to set for the Administrator account (read and sent as plain text)
$CurrentAdmin = Read-Host "What is the Current Administrator Name?" # Name of the current administrator account
$DisableDefaultAdminAccount = Read-Host "If you would like to Enable the Default Administrator Account enter 0. If you would like to DISABLE the account enter 2" # Enabled or Disabled; any answer other than 0 disables the account

foreach ($computer in $computers) { # This doesn't need to be a loop; I left it like this as it doesn't hurt anything, and if I wanted to come back and actually create a LIST of computers I could.
    if (Test-Connection -ComputerName $computer -Quiet) {
        try {
            $localAdmin = [ADSI]("WinNT://" + $computer + "/" + $CurrentAdmin + ",User")
            if ($DisableDefaultAdminAccount -eq '0') {
                $localAdmin.UserFlags = 65536 # 65536 = DONT_EXPIRE_PASSWD: account active with a password set to never expire
                $localAdmin.CommitChanges() # Commit the change
            }
            else {
                $localAdmin.UserFlags = 66083 # Account disabled with password set to never expire (this value also sets the PASSWD_NOTREQD bit, 0x20)
                $localAdmin.CommitChanges() # Commit the change
            }
            $localAdmin.psbase.Rename('SuperAdmin')
            $localAdmin.SetPassword($userPW)
            Write-Host "Successfully Renamed Administrator Account on $computer" -ForegroundColor Green

            $objComputer = [ADSI]("WinNT://" + $computer)
            $dummyUser = $objComputer.Create("User", "Administrator")
            $dummyUser.SetPassword("P@ssword1")
            $dummyUser.SetInfo() # Commit the new account with this password to the SAM DB; this makes the account visible and able to be acted upon
            $dummyUser.Description = "Dummy Account" # Update the description of the account once committed to SAM
            $dummyUser.UserFlags = 66083 # Same disabled value as above
            $dummyUser.CommitChanges() # Commit the disabled state and the description
            Write-Host "Successfully Created Administrator Account on $computer" -ForegroundColor Green
        }
        catch {
            Write-Host "$_" -ForegroundColor Red
        }
    }
    else {
        Write-Host "Ping Failed to" $computer
    }
}
```
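
The two UserFlags literals in the script (65536 and 66083) are bit masks. As an added example (not part of the original script), the snippet below decodes them and shows how to change only the disable bit instead of overwriting the whole value; the function names and the starting value 513 are assumptions made for illustration.

```powershell
# Added example, not from the original post.
# Bit values from ADS_USER_FLAG_ENUM (only the bits relevant to local accounts).
$UserFlagBits = [ordered]@{
    SCRIPT             = 0x1
    ACCOUNTDISABLE     = 0x2
    LOCKOUT            = 0x10
    PASSWD_NOTREQD     = 0x20
    PASSWD_CANT_CHANGE = 0x40
    NORMAL_ACCOUNT     = 0x200
    DONT_EXPIRE_PASSWD = 0x10000
}

# Hypothetical helper: list the names of every known bit set in $Value.
function ConvertFrom-UserFlags {
    param([int]$Value)
    $UserFlagBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: set or clear ACCOUNTDISABLE, always clear PASSWD_NOTREQD,
# and leave every other bit of the current value untouched.
function Set-AccountDisabledBit {
    param([int]$Current, [bool]$Disabled)
    $new = $Current -band (-bnot $UserFlagBits.PASSWD_NOTREQD)
    if ($Disabled) { $new -bor $UserFlagBits.ACCOUNTDISABLE }
    else           { $new -band (-bnot $UserFlagBits.ACCOUNTDISABLE) }
}

# Decode the two literals used in the script.
'65536 -> ' + ((ConvertFrom-UserFlags 65536) -join ', ')
'66083 -> ' + ((ConvertFrom-UserFlags 66083) -join ', ')

# Constructed starting value: an enabled account with SCRIPT and NORMAL_ACCOUNT set (0x201 = 513).
$current  = 0x201
$disabled = Set-AccountDisabledBit -Current $current -Disabled $true
"$current -> $disabled : " + ((ConvertFrom-UserFlags $disabled) -join ', ')

# Re-enabling keeps the remaining bits and only drops ACCOUNTDISABLE.
$enabled = Set-AccountDisabledBit -Current $disabled -Disabled $false
"$disabled -> $enabled : " + ((ConvertFrom-UserFlags $enabled) -join ', ')
```

Against a live account, the current value would be read from `$localAdmin.UserFlags.Value` before being passed to `Set-AccountDisabledBit`.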

Some other future developments may include randomizing the password that is provided, encrypting it, and storing it somewhere.

Please note as with everything posted here this is published as is and doesn’t promise support or that it will work well or properly even within your environment.
