How to add local admin acct. across a network?

I have two problems. First let me say that we are running a Windows 2003 Domain and we have about 2000 workstations. I just came on board as the new network administrator. When the old network admin. deployed all the workstations he did not add an AD acct. as a local admin to any of the workstations.

Thus, problem #1:

Anyone know of a way to add an AD acct. to each and every workstation and make it a local admin?

Problem #2:

Anyone know of a product where we can change ALL of the local admin passwords across the entire organization?

Thanks for any and all input.

Clayton

"Clayton Sutton" <n***@none.com> wrote in message
news:%23xRNip9QGHA.252@TK2MSFTNGP10.phx.gbl...
> Hey everyone,
>
> I have two problems. First let me say that we are running a Windows 2003
> Domain and we have about 2000 workstations. I just came on board as the new
> network administrator. When the old network admin. deployed all the
> workstations he did not add an AD acct. as a local admin to any of the
> workstations.
>
> Thus, problem #1:
>
> Anyone know of a way to add an AD acct. to each and every workstation and
> make it a local admin?
>
>
> Problem #2:
>
> Anyone know of a product where we can change ALL of the local admin
> passwords across the entire organization?
>
>
> Thanks for any and all input.
>
>
> Clayton

Here is a way that will resolve both issues.

1. Compile a list c:\PCs.txt of all NetBIOS names.

2. Create the batch file \\SomeServer\SomeShare\SomeFolder\xxx.bat. Store it in a location that is accessible to domain admins only. Delete it immediately after use.

@echo off
net localgroup administrators | find /i "YourDomainName\domain users" && goto :eof
net localgroup administrators "YourDomainName\domain users" /add
net user administrator SomePassword

3. Run this command from your console:

for /F "tokens=*" %a in (c:\PCs.txt) do psexec "\\%a" -u YourDomain\administrator -p YourPassword \\SomeServer\SomeShare\SomeFolder\xxx.bat

It is possible to refine this method so that it only contacts PCs that are on-line, or that it skips PCs that have already been dealt with, or that it maintains a log of the response from each PC.

You can get psexec.exe from www.sysinternals.com.

Wouldn't it be easier to use a security template?

Create a new template, and just add a domain user to the local administrator group.

For changing password I would like to recommend you to the following thread:

http://groups.google.com/group/microsoft.public.win2000.group_policy/browse_thread/thread/fa90a5a969adbe03/27464b4a15f9fa16?lnk=st&q=change+local+password+remote&rnum=3#27464b4a15f9fa16

good luck!

Yes, it would indeed!

"Jaap de Koning" <jaap.dekon***@gmail.com> wrote in message
news:1141974787.694987.108080@u72g2000cwu.googlegroups.com...
> Wouldn't it be easier to use a security template?
>
> Create a new template, and just add a domain user to the local
> administrator group.
>
> For changing password I would like to recommend you to the following
> thread:
>
> http://groups.google.com/group/microsoft.public.win2000.group_policy/browse_thread/thread/fa90a5a969adbe03/27464b4a15f9fa16?lnk=st&q=change+local+password+remote&rnum=3#27464b4a15f9fa16
>
>
> good luck!
>

Thanks Jaap for the input!

Can you point me in the right direction to learn how to create a security template?

Clayton

"Jaap de Koning" <jaap.dekon***@gmail.com> wrote in message
news:1141974787.694987.108080@u72g2000cwu.googlegroups.com...
> Wouldn't it be easier to use a security template?
>
> Create a new template, and just add a domain user to the local
> administrator group.
>
> For changing password I would like to recommend you to the following
> thread:
>
> http://groups.google.com/group/microsoft.public.win2000.group_policy/browse_thread/thread/fa90a5a969adbe03/27464b4a15f9fa16?lnk=st&q=change+local+password+remote&rnum=3#27464b4a15f9fa16
>
>
> good luck!
>

Clayton Sutton wrote:

Hi,

> Anyone know of a way to add an AD acct. to each and every workstation
> and make it a local admin?

Just use a GPO.

http://support.microsoft.com/kb/228496/en-us
http://groups.google.com/group/microsoft.public.windows.server.active_directory/browse_frm/thread/9c0c6c189ad23d2/c85ac7f91d6710ff

HTH

Norbert

--
Dilbert's words of wisdom #32:
If it wasn't for the last minute, nothing would get done.

1. I would either look at Restricted Groups, Start-up script or a script
that either did all of this for me or utilised CUSRMGR. This article explains how to do the first two points I made:

-- http://www.msresource.net/content/view/45/47/

2. To achieve this point earlier this year, I used the following:

Note. I was intending to add additional functionality such as rollback, etc. but had to skip some of it due to the need to get this done. Therefore some aspects of the code might not do much:

Please watch out for the line wrap.

' ***************************************************************
' * ResetAllPasswords.vbs                                       *
' *                                                             *
' * Paul Williams, msresource.net, January 2006                 *
' *                                                             *
' * Script pulls all computer accounts from the [default]       *
' * domain and resets the local administrator password on each  *
' * one. Some of the computers might be offline, or there may   *
' * no longer be an actual computer for the computer object in  *
' * the directory. Therefore, a tab-separated file is created   *
' * indicating success or failure, as well as the debug log.    *
' *                                                             *
' * Success is measured by the script not being in a state of   *
' * error on the current iteration of the record set.           *
' *                                                             *
' * Filenames are constants, and the password is a variant      *
' * defined if and when the record set is successfully          *
' * returned.                                                   *
' *                                                             *
' * Version: 1.1.1.                                             *
' * Last updated: 21-01-2006                                    *
' * Last updated by: Paul Williams                              *
' *                                                             *
' ***************************************************************

Option explicit
'On error resume next

' define constants
const bDebugFlag = true
const LOG_FILE_NAME = "ResetAllPasswordsLog.txt"
const ROLLBACK_LOG_NAME = "ResetAllPasswordsRollback.txt"

' define variants
dim oRootDse,oConnection,oCommand,oRs
dim sBase,sFilter,sAttrs,sScope,sQuery
dim oFso,logf,log2
dim sResult

' instantiate objects
set oFso=createObject("Scripting.fileSystemObject")
set logf=oFso.createTextFile(LOG_FILE_NAME,true)
set log2=oFso.createTextFile(ROLLBACK_LOG_NAME,true)
set oRootDse=getObject("LDAP://RootDSE")
set oConnection=createObject("ADODB.Connection")
set oCommand=createObject("ADODB.Command")

' configure connection and command
oConnection.provider="ADsDSOObject"
oConnection.open"Active Directory Provider"

' configure command to use active connection
oCommand.activeConnection=oConnection
'set oCommand.activeConnection=oConnection

' define filter
sBase = "<LDAP://"&oRootDse.get("defaultNamingContext")&">;"
sFilter = "(objectCategory=computer);"
sAttrs = "distinguishedName,cn,whenChanged,whenCreated;"
sScope = "subtree"
sQuery = sBase&sFilter&sAttrs&sScope
debug"ADO Query : "&sQuery

' set command properties
oCommand.commandText =sQuery
oCommand.properties("Page Size") =100
oCommand.properties("Size Limit") =10000
oCommand.properties("Timeout") =30
oCommand.properties("Cache Results") =false

' execute command
set oRs=oCommand.execute

' test to see if oCommand executed
if(isNull(oRs))then
  ' do nothing, as query yielded no results
  sResult="ERR_RECORD_SET_IS_NULL"
  debug sResult
else
  dim dn,cn,whenChanged,whenCreated
  dim sProvider,sPassword
  dim oUser

  sPassword="aC0mpl3xP@55w0rd!"
  ' note: this line writes the new password in clear text to the
  ' screen and to the debug log file
  debug"Password : "&sPassword

  log2.writeLine("Computer"&vbTab&"Status")

  ' check to see there are records
  if(not oRs.eOF)then
    oRs.moveFirst

    ' iterate record set
    while not oRs.eOF
      dn=oRs.fields(0).value
      cn=oRs.fields(1).value
      whenChanged=oRs.fields(2).value
      whenCreated=oRs.fields(3).value

      debug"dn : "&dn
      debug vbTab&"cn : "&cn
      debug vbTab&"whenCreated : "&whenCreated
      debug vbTab&"whenChanged : "&whenChanged

      if(dn<>"" and cn<>"")then
        sProvider="WinNT://"&cn&"/Administrator"
        debug vbTab&"provider : "&sProvider

        ' trap errors for this computer only, so that an offline or
        ' stale computer is logged as a failure instead of stopping
        ' the script
        on error resume next
        err.clear
        set oUser=nothing
        set oUser=getObject(sProvider)
        if(err.number=0)then oUser.setPassword(sPassword)

        if(err.number<>0)then
          ' error thrown. assume failure
          debug vbTab&"error thrown. assume failure"
          err.clear
          log2.writeLine(cn&vbTab&"Failure")
        else
          ' no error thrown. assume success
          debug vbTab&"password successfully set"
          log2.writeLine(cn&vbTab&"Success")
        end if
        on error goto 0
      end if

      debug""
      oRs.moveNext
    wend
  else
    sResult="ERR_RECORD_SET_IS_EMPTY"
    debug sResult
  end if
end if

' ***********************************************
' debug(string messageToEcho)
'
' Sub echos the passed string.
'
' Sub used for outputting all debugging
' information to the screen/ console.
'
' bDebugFlag is a constant. Set to true for
' debugging info. Set to false when in
' production.
'
' ***********************************************
Private Sub debug(sMessage)
  if(bDebugFlag)then
    wscript.echo sMessage
    if(sMessage<>"")then
      logf.writeLine(date&vbTab&time&vbTab&sMessage)
    else
      logf.writeLine(sMessage)
    end if
  end if
End Sub

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
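
The Restricted Groups / security template approach recommended in the replies above is stored as a [Group Membership] section in a template .inf file. The following is an added example, not taken from the thread or from the linked articles; the group "YourDomainName\Workstation Admins" is an assumed placeholder for a dedicated domain group. It shows both forms of the setting because they behave differently on the workstation.

```ini
; Constructed example of a security template with a Restricted Groups section.
; "YourDomainName\Workstation Admins" is a placeholder group name (assumption).
; The policy editor may store groups as *SID instead of by name.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Option A ("Members of this group"), shown commented out.
; *S-1-5-32-544 is the well-known SID of the local Administrators group.
; The Members list is authoritative: accounts and groups that are not
; listed are removed from local Administrators when the policy is applied,
; so every principal that must keep admin rights has to be listed here.
;*S-1-5-32-544__Memberof =
;*S-1-5-32-544__Members = YourDomainName\Domain Admins,YourDomainName\Workstation Admins

; Option B ("This group is a member of"), active below.
; Additive: the domain group is placed into local Administrators and the
; existing local members are left as they are. The empty Members line
; means the policy does not try to manage who is in the domain group.
YourDomainName\Workstation Admins__Memberof = *S-1-5-32-544
YourDomainName\Workstation Admins__Members =
```

Option B is the lower-risk choice on an estate where the current local Administrators membership has not been audited, since Option A silently removes anything it does not list.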