09/06/2017 3894 views
I previously used the GPO to update the local admin password on domain PCs when needed. This was a straightforward and simple solution...until Microsoft removed this option and left us without a suitable alternative. So I'm now looking to see if Kace can be used to change the password of the local administrator on our computers. I'm assuming this will be in the form of a script (which is not my thing unfortunately), but I'm also unsure of how that script is deployed. Any help would be greatly appreciated. Thanks!

Community Chosen Answer

2
MS left you a suitable alternative: LAPS.
When we wanted to change the local passwords we deployed LAPS which is now doing this for us on its own according to the parameters it got. And it is working fine.        
Answered 09/07/2017 by: Alex_
Senior White Belt

  • Thanks Alex_. I think I will look into this as a possible solution - can you confirm if you are able to set your own password via LAPS, or if it can only be set to a random password?
    • I am not sure if it will let you set a manual static password, but a better question would be: "Why would you want to?"
      If you manually set it, you have to manually update it constantly AND lots of machines now all have the same password.

      Is there some reason you have to constantly use a local admin password where you NEED it to be a static password common to all (or most) machines?
      • LAPS is not supposed to let you set a custom password on your own. You can choose between 4 different complexities:
        1 - large letters
        2 - large letters + small letters
        3 - large letters + small letters + numbers
        4 - large letters + small letters + numbers + special chars
        Based on the complexity, LAPS will generate a random password.
  • Thanks for the info guys. So just to confirm, and this is hypothetical, if you had to go and hit 20 office AD PCs to perform some kind of manual task, you would first have to check in AD and retrieve the 20 unique passwords for each of those PCs?
    • LAPS is only for the local Admin Accounts.
      If you have a connection to your Domain and can use an AD Account which is admin on those 20 PCs then you don't need to get the password from LAPS.

      But yes, if you don't have a connection to the AD then you would need the password for each PC from AD.
      Don't know if that's a real help but LAPS has a small client to fetch the password for a PC from AD based on the clientname so no need to go and check each AD object for the password.
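
Once LAPS is rotating passwords on its own, as described in the answer above, it is worth checking which machines it actually covers. The following is an added example, not code from the thread or from Microsoft: it assumes the legacy LAPS schema attribute `ms-Mcs-AdmPwdExpirationTime`, and the function name `Get-LapsState`, the sample computer names and the OU path are hypothetical.

```powershell
# Added example (not from the thread). Classifies computers by the legacy LAPS
# attribute ms-Mcs-AdmPwdExpirationTime (a FILETIME value). It never reads the
# password attribute itself, so it can be run with a low-privilege audit account
# that is allowed to read the expiration time.
function Get-LapsState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # Attribute empty: no LAPS password has been stored for this machine.
            $state = 'NotManaged'; $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # An expiry in the past means the client has not rotated on schedule.
            $state = if ($expires -lt $NowUtc) { 'Overdue' } else { 'Managed' }
        }
        [pscustomobject]@{
            Computer   = $Computer.Name
            State      = $state
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample records standing in for AD query results.
$now = [datetime]::new(2017, 9, 7, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'PC-001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-003'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
$sample | Get-LapsState -NowUtc $now | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module; the OU is a placeholder):
# Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase 'OU=Workstations,DC=example,DC=com' `
#     -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsState
```

Machines reported as NotManaged or Overdue still carry whatever local admin password they had before, so they are the ones to chase up.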

All Answers

0
We run 2 batch files to do this because we change our password every 3 months:
Powershell -command "& {$hostname = hostname;([adsi]('WinNT://'+$hostname+'/insert local account name')).SetPassword('insert new password')}"
REG ADD "HKLM\SOFTWARE\DELL\KACE" /v "insert local account name_PW" /t REG_SZ /d 3 /f

Once it runs we use this cleanup file to remove the batch under Dell Kace so that nobody can access the bat file:
powershell -command "& {Start-Sleep 30;remove-item -path $env:Programdata\dell\kace\kbots_cache\packages\kbots\236\insert name of bat file -force}"


Answered 09/07/2017 by: scarpent
5th Degree Black Belt

  • Thanks Scarpent. That is really useful to know!