Change Local Administrator Passwords via Script

I previously used the GPO to update the local admin password on domain PCs when needed. This was a straightforward and simple solution...until Microsoft removed this option and left us without a suitable alternative. So I'm now looking to see if Kace can be used to change the password of the local administrator on our computers. I'm assuming this will be in the form of a script (which is not my thing unfortunately), but I'm also unsure of how that script is deployed. Any help would be greatly appreciated. Thanks!

Answers (2)

Posted by: Alex_ 6 years ago
Senior White Belt
2
MS left you a suitable alternative: LAPS.
When we wanted to change the local passwords we deployed LAPS which is now doing this for us on its own according to the parameters it got. And it is working fine.        

Comments:
  • Thanks Alex_. I think I will look into this as a possible solution - can you confirm if you are able to set your own password via LAPS, or if it can only be set to a random password? - seanboy 6 years ago
    • I am not sure if it will let you set a manual static password, but a better question would be: “Why would you want to?”
      If you manually set it, you have to manually update it constantly AND lots of machines now all have the same password.

      Is there some reason you have to constantly use a local admin password where you NEED it to be a static password common to all (or most) machines? - Thorvin 6 years ago
      • LAPS is not supposed to let you set a custom password on your own. You can choose between 4 different complexities:
        1 - large letters
        2 - large letters + small letters
        3 - large letters + small letters + numbers
        4 - large letters + small letters + numbers + special chars
        Based on the complexity LAPS will generate a random password. - Alex_ 6 years ago
  • Thanks for the info guys. So just to confirm, and this is hypothetical, if you had to go and hit 20 office AD PCs to perform some kind of manual task, you would first have to check in AD and retrieve the 20 unique passwords for each of those PCS? - seanboy 6 years ago
    • LAPS is only for the local Admin Accounts.
      If you have a connection to your Domain and can use an AD Account which is admin on those 20 PCs then you don't need to get the password from LAPS.

      But yes, if you don't have a connection to the AD then you would need the password for each PC from AD.
      Don't know if that's a real help but LAPS has a small client to fetch the password for a PC from AD based on the clientname so no need to go and check each AD object for the password. - Alex_ 6 years ago
      • Thanks Alex_! - seanboy 6 years ago
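
An added illustration, not part of the thread and not LAPS's own code: a PowerShell sketch of what "a random password per machine at complexity level 1 to 4" means in practice, using the four levels listed above. The function name, the special-character set and the default length are assumptions, and guaranteeing one character from each class is a choice made here.

```powershell
# Added example. New-LocalAdminPassword is a hypothetical name, not a LAPS cmdlet.
function New-LocalAdminPassword {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 4)][int]$Complexity = 4,   # levels as listed in the thread
        [ValidateRange(8, 64)][int]$Length = 14      # assumed default length
    )

    # Character classes in the order the thread lists them; level N uses the first N.
    $all = @(
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789',
        '!@#$%^&*()-_=+[]{};:,.?'                    # constructed special-character set
    )
    $classes  = @($all[0..($Complexity - 1)])
    $alphabet = -join $classes

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Uniform index in [0, n) from the CSPRNG; rejection sampling avoids modulo bias.
        $pick = {
            param([int]$n)
            $limit = 256 - (256 % $n)
            $b = New-Object byte[] 1
            do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
            $b[0] % $n
        }

        # One character from every selected class, then fill from the combined alphabet.
        $chars = New-Object char[] $Length
        $i = 0
        foreach ($class in $classes) { $chars[$i++] = $class[(& $pick $class.Length)] }
        for (; $i -lt $Length; $i++) { $chars[$i] = $alphabet[(& $pick $alphabet.Length)] }

        # Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
        for ($k = $Length - 1; $k -gt 0; $k--) {
            $j = & $pick ($k + 1)
            $tmp = $chars[$k]; $chars[$k] = $chars[$j]; $chars[$j] = $tmp
        }
        -join $chars
    }
    finally { $rng.Dispose() }
}

# One sample per complexity level; every call yields a different value.
1..4 | ForEach-Object { '{0}: {1}' -f $_, (New-LocalAdminPassword -Complexity $_) }
```

Because every machine ends up with its own value, a password recovered from one PC does not unlock the others, which is the point Thorvin raises about static shared passwords.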
Posted by: scarpent 6 years ago
6th Degree Black Belt
0
We run 2 batch files to do this because we change our password every 3 months:
Powershell -command "& {$hostname = hostname;([adsi]('WinNT://'+$hostname+'/insert local account name')).SetPassword('insert new password')}"
REG ADD "HKLM\SOFTWARE\DELL\KACE" /v "insert local account name_PW" /t REG_SZ /d 3 /f

Once it runs we use this cleanup file to remove the batch under Dell Kace so that nobody can access the bat file:
powershell -command "& {Start-Sleep 30;remove-item -path $env:Programdata\dell\kace\kbots_cache\packages\kbots\236\insert name of bat file -force}"



Comments:
  • Thanks Scarpent. That is really useful to know! - seanboy 6 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ