Changing Local Admin Passwords On Many Workstations

I had a bit of a scare the other day. I get a call from a user in the field. She is traveling with her laptop and she was calling from her hotel. she was complaining that she couldn't log into her laptop using her normal login credentials, and that the only way she could login was using the local administrators account.

"Local Admin what?!?!" I exclaimed then started hyperventilating. I asked her how she came across the local administrator password, and she told me that one of the techs at the company that is no longer with us gave it to her a long time ago. I asked her to spell out the password for me, and low and behold it was the corporate standard.

I ran to my bosses office and reported the compromise, and recommended changing the local passwords. He agreed and called a meeting with me, our head desktop technician and one of the senior systems administrators to come up with a plan of attack. I told them that I can easily change these passwords using a script and pspasswd.exe that comes with Sysinternals PSTools. I told them that I can export a list of all of the workstations on the network from Active directory, and put them in a text file. pspasswd will read directly from the list in the text file and change the password of the specified account on each computer in the list. I showed each of the guys in the meeting how it works, and they agreed that my script would be the best way to go with this.

Here is an example of the syntax used in my script. Keep in mind that this script must be ran from within the directory containing the pspasswd.exe program or else you have to modify the script to change into it's directory. Of course, if you know batch scripting well, you can add all sorts of stuff to the script, but the basic run command looks like this:

>set /p filename="Please enter name of computer list (ie: computers): "
>pspasswd @%filename%.txt -u administrator@domain.com -p password administrator newpassword >> %filename%-results.txt

You'll notice that I added an output to a text file so I could create a log of which workstations the password was changed on, and which ones it wasn't. That is a good idea so you can keep whittling away at it until the change has been completed on all workstations. Also, you'll notice that I added the -u and -p switches. You don't need that if you are already running the script from an account that has permissions to change local passwords. There are many other little changes you can do as well. I used the set command because I had different lists for different offices. You could just put the computer names in one list and not use the set command.

Let me know if you have used this or a similar product, and perhaps some other scripting ideas for this.