Server 2003 GPO batch

Thread: Server 2003 GPO batch

  1. #1
    Registered User
    Join Date
    Sep 2008
    Posts
    2

    Server 2003 GPO batch

    Hello all,

    I am very new to GPO's but I have been doing a lot of reading today and yesterday. It has all gotten me this far, but I am now really stuck. No one else around here really has a lot of experience with GPO's except for one guy, and he can't tell me why this isn't working either.

    I was tasked with changing all local admin passwords for all domain computers (some 150+ workstations). I was told to do it with GPO, so I assumed it was one of the editable settings, thought it would take 5 min. Come to find out this feature is not built into GPO, ok no problem, I start reading into scripts.

    After seeing many examples in .vbs format, I find an awesome simple command that can be easily made into a batch file.

    Code:
    net user administrator password
    This command needs admin rights to run; I read that if I set this script as a startup in computer settings, it will run under the "Local System Account" which has admin rights to run it properly. (ref:http://www.petri.co.il/forums/archiv...hp/t-1827.html user: azmantek)

    Here is where I stand now.

    I know the batch works because I can run it locally and it will do the job. I assume the GPO is being pushed because when I lookup 'Group Policy Results' on a specific system, the GPO shows under 'Applied GPOs', but still no password change.

    As a further test I added a
    Code:
     > \\192.168.1.1\share\%computername%.txt
    to verify if it was attempting and just didn't have the rights. When it worked (locally) I got a txt file with the system name and "The command was successful.. whatever", and when I ran it without admin rights I got a blank file. So I first do a gpupdate /force, then a reboot, then I check the shared folder for an output file and nothing. This makes me assume it isn't even running the batch file.

    Am I going about this all the wrong way? Thank you in advance.

    Note: the .bat file is in a network share with 'everyone' read access.

  2. #2
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Welcome to Windrivers M4rlin

    Why not use the tool supplied in the resource kit - cusrmgr? I know it says 2000, but it should be on the 2003 kit as well and is quoted in the guidance page here for 2k3.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3
    Registered User
    Join Date
    Sep 2008
    Posts
    2
    Thank you for the Welcome NooNoo, but for me it is a Welcome back. I used windrivers (forums and driver database) years back, but stopped using when internet.com rolled into town and started charging for the driver access. The reason for the new account is because I was at work and I can't check my webmail from there so a forgot password wouldn't have helped.

    After reading the link it seems that I would have to do the same thing as I am doing, making a .bat and pushing it with GPO. If it turns out my issue here is with the .bat command (net user administrator password), and my GPO setup is fine, then this will be the first thing I try. I would try it now with a new test GPO but I am already done and home for the day. Thanks again for fast reply.

  4. #4
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264

    Sudo "M4rlin"

    Ok, there we go, it says my last login was August 5th, 2003; so it has been a while.


    *Edit
    Things are going pretty slow too, I posted a reply as M4rlin several minutes before this one.
    Last edited by FastAndFurious; September 25th, 2008 at 04:22 PM.

  5. #5
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    If you want the accounts merging, pm Richard1 with details of both and which one you want to use... and WB

  6. #6
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264
    Quote Originally Posted by NooNoo
    If you want the accounts merging, pm Richard1 with details of both and which one you want to use... and WB
    That won't be necessary, but Thank you for the offer.

  7. #7
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264

    Update

    Ok, I decided maybe the batch command just wasn't cutting it, so I found a nice VBS instead. I tested this and it works great locally, yet when I throw it into a GPO, same stuff as before.

    Code:
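    ' Bind to the local Administrator account through the WinNT ADSI provider
    strComputer = "."
    strAdminUsername = "Administrator"
    Set objUser = GetObject("WinNT://" & strComputer & "/" & strAdminUsername)
    ' Set the new password (stored here as a plaintext literal)
    objUser.SetPassword "x%tY7iu8%4f"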
    This script, like that last, relies on the local SYSTEM account for running with admin rights. Is it possible that the local SYSTEM account is disabled?
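
Added example, not written by any poster in this thread: the batch and VBS approaches above keep the new local Administrator password as a plaintext literal in a script on a share that 'everyone' can read, so anyone with read access to the share can recover it. The Python sketch below audits a locally mounted copy of a scripts share for that pattern; the rule names, regexes and function names are assumptions made for this illustration, and the sample input is constructed.

```python
import os
import re

# Heuristic rules (assumptions for this example) for the credential-bearing
# commands quoted in this thread.
PATTERNS = [
    # net user <account> <password>; skips "*" (interactive prompt) and /switches
    ("net-user-literal",
     re.compile(r'\bnet(?:\.exe)?\s+user\s+("[^"]+"|\S+)\s+(?![*/])\S+', re.I)),
    # objUser.SetPassword "literal"
    ("setpassword-literal", re.compile(r'\.SetPassword\s*\(?\s*"[^"]+"', re.I)),
    # echo <password> | runas ...
    ("echo-into-runas", re.compile(r'\becho\s+\S+\s*\|\s*runas\b', re.I)),
]
SCRIPT_EXTS = {".bat", ".cmd", ".vbs"}

def scan_text(text):
    """Return (line_number, rule_name) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        # Skip batch (rem, ::) and VBScript (') comment lines.
        if line.strip().lower().startswith(("rem ", "::", "'")):
            continue
        hits.extend((n, name) for name, rx in PATTERNS if rx.search(line))
    return hits

def scan_tree(root):
    """Walk a directory tree of scripts; return {path: hits} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed sample input modelled on the commands quoted in the thread.
SAMPLE = '''net user administrator Example-Passw0rd
net user administrator *
net user administrator /active:yes
objUser.SetPassword "Example-Passw0rd"
runas /profile /user:admin "wscript.exe change.vbs"
'''

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(lineno, rule)
```
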

  8. #8
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    err you would have to go look at a few machines to find out I guess...but why not just run it as local admin?

  9. #9
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264
    That would be great, I didn't know that was an option. I figured anything being run during startup is just performed by the built in SYSTEM account. If that makes sense.

  10. #10
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824

  11. #11
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    The SYSTEM account has no access to network resources. Anything that needs to access domain resources must run as a user that is valid in the domain.
    Protected by Glock. Don't mess with me!

  12. #12
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264
    Thank You NooNoo, but I have already been down that long and disappointing road today. My idea was to move the .bat file to the Logon instead of Startup option; and it worked, almost. See, GPO then correctly ran my script, but it runs it with that logged on user's rights, so while I was getting a lot of output files that it had been run, they were all blank, meaning the user didn't have the rights to run the .bat.

    So I next created a second .bat file using the RUNAS command.

    Code:
    runas /profile /user:admin "\\192.168.1.1\scripts$\pwdchange.vbs"
    (I actually got it from the same site as your link.) But the issue with that is it then requires user action to enter the admin password. The rest of the time was used looking for a way to insert the password into the .bat file to auto run.

  13. #13
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    err no... read the entire page... it tells you that won't work..

  14. #14
    Registered User
    Join Date
    Jun 2001
    Location
    Norfolk, VA
    Posts
    264
    Quote Originally Posted by NooNoo
    err no... read the entire page... it tells you that won't work..
    I saw that, but I also know that there is almost always a way around everything. I read somewhere that a simple ECHO command will enter the password, but that did no good.

    Quote Originally Posted by CeeBee
    The SYSTEM account has no access to network resources. Anything that needs to access a domain resources must run as a user that is valid in the domain.
    That makes logical sense, but then how would any GPO startup script run properly (that required admin rights)?

  15. #15
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Read the page... all you have to do is call the script host first.
