Group Policy: Reset all local admin account passwords?
O2Flow
03-23-2005, 04:08 PM
Anyone know of a GPO that allows the resetting of all local admin passwords?
versello
03-23-2005, 04:47 PM
There is no group policy to reset _all_ local admin passwords.
Any other questions? ...
O2Flow
03-23-2005, 08:42 PM
> There is no group policy to reset _all_ local admin passwords.
> Any other questions? ...
Is there a GPO to reset individual local admin passwords? What about all local admins for each machine?
Whatsisname
03-23-2005, 08:50 PM
it can't be set in a policy.
O2Flow
03-23-2005, 09:16 PM
what about setting the command
NET USER Administrator NEW_PASSWORD
to execute in a policy?
Whatsisname
03-23-2005, 09:58 PM
policies don't do that shit.
if you got local access to the machine, then a bootable linux app cd will handle that nicely. check out the list of utilities here to get an idea:
http://www.petri.co.il/forgot_administrator_password.htm
rcolbert
03-23-2005, 10:54 PM
cusrmgr.exe (command line user manager) can change user passwords remotely from the command line. It'd take about 30 seconds to dump the list of system names you want to do this to into a text file and then run a looping batch file to change them all.
Otherwise, you could also look to third party tools. At the high end, something like Configuresoft's ECM can handle that and a whole lot more for the low low list price of about $900 per managed server and $50 per managed workstation. Come to think of it you probably need more than just the password requirement to consider paying $$$'s for a tool. Ouch.
kleox64
03-24-2005, 06:17 AM
> cusrmgr.exe (command line user manager) can change user passwords remotely from the command line. It'd take about 30 seconds to dump the list of system names you want to do this to into a text file and then run a looping batch file to change them all.
> Otherwise, you could also look to third party tools. At the high end, something like Configuresoft's ECM can handle that and a whole lot more for the low low list price of about $900 per managed server and $50 per managed workstation. Come to think of it you probably need more than just the password requirement to consider paying $$$'s for a tool. Ouch.
how do you do this using cusrmgr.exe, details please?
versello
03-24-2005, 10:01 AM
> how do you do this using cusrmgr.exe, details please?
Mind if I ask why you want to know this? I smell something fishy, or you must be one unlucky person that shouldn't be, but got stuck with managing group policies and such.
rcolbert
03-24-2005, 12:32 PM
> how do you do this using cusrmgr.exe, details please?
Here's a pretty good article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;272530
I'd simply change the batch file to be a one line loop that reads computer names input from a text file and calls another batch file to execute the command, but the function is otherwise the same.
Here are two examples:
******RUN.BAT******************
@echo off
FOR /F "eol=; " %%i IN (input.txt) DO CALL adminpwd.bat %%i
*****END RUN.BAT *************
*****ADMINPWD.BAT******
@Echo off
CLS
REM Test if already done
ECHO ADMIN PWD ---- Checking log for %1...
FIND /C /I "%1" %0\..\done.txt > nul
IF NOT ERRORLEVEL 1 GOTO SKIP
REM Test Ping
ECHO ADMIN PWD ---- Locating %1 on Network...
PING %1 > %0\..\temp.txt
FIND /C /I "Reply from" %0\..\temp.txt > nul
IF ERRORLEVEL 1 GOTO ERROR
REM Change Password
ECHO ADMIN PWD ---- Changing Password...
%0\..\cusrmgr.exe -u administrator -m \\%1 -P passwordgoeshere
IF ERRORLEVEL 1 GOTO ERROR
REM Log completion
ECHO ADMIN PWD ---- Logging success for %1...
ECHO %1 >> %0\..\done.txt
GOTO END
:ERROR
REM Log error
ECHO ADMIN PWD ---- Logging error for %1...
ECHO %1 >> %0\..\missed.txt
GOTO END
:SKIP
REM Log Skip
ECHO ADMIN PWD ---- Logging skip for %1...
ECHO %1 >> %0\..\skipped.txt
:END
SLEEP 1
*****END ADMINPWD.BAT*******
****INPUT.TXT******
computer1
computer2
computer3
*****END INPUT.TXT*****
korpse
03-24-2005, 04:52 PM
I wrote this batch file a while ago. It requires netdom.exe, alive.exe, and cusrmgr.exe. It gets a list of all computers in the domain, checks whether or not they are on, and sets the administrator password to whatever you want (and makes a log)...
@echo off
rem -------------------------------------------------------------
rem | 2003.08.23 - Kory Sarnelli |
rem -------------------------------------------------------------
set NEWPASS=NewPassword
set logfile=changeadminpassword.log
if exist %logfile% del %logfile%
echo Getting list of computers in domain...
echo.
for /f "skip=7 tokens=2 delims=\" %%i in ('netdom member') do (
call :changepword %%i
)
pause
goto end
:changepword
echo Checking if %1 is alive...
alive /Timeout=1 /Repeat=1 %1 >nul
if %errorlevel% EQU 0 (
call :changepword2 %1
) else (
echo %1 - FAILED: Computer is off.
echo %1 - FAILED: Computer is off.>>%logfile%
)
echo.
goto end
:changepword2
echo Changing Administrator password on %1
cusrmgr -u administrator -m %1 -P %NEWPASS% >nul
if %errorlevel% EQU 0 (
echo %1 - SUCCESS: Password was changed.
echo %1 - SUCCESS: Password was changed.>>%logfile%
) else if %errorlevel% EQU 2221 (
echo %1 - FAILED: Administrator account does not exist.
echo %1 - FAILED: Administrator account does not exist.>>%logfile%
) else (
echo %1 - FAILED: Unknown error - %errorlevel%.
echo %1 - FAILED: Unknown error - %errorlevel%.>>%logfile%
)
goto end
:end
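An added example, not part of the post above or of any poster's code: after a bulk run like this, every host logged as off or failed still accepts the old Administrator password, so the log needs reconciling against the list of machines that should have been changed. This Python script parses the changeadminpassword.log line format written by the batch file; the inventory list, the sample log and all function names are constructed for illustration.

```python
import re

# Line format written by the batch file: "<host> - SUCCESS|FAILED: <detail>"
LINE = re.compile(r"^\s*(?P<host>\S+)\s+-\s+(?P<result>SUCCESS|FAILED):\s*(?P<detail>.*?)\s*$")
STATES = ("changed", "offline", "no_account", "error", "not_attempted", "not_in_inventory")

def classify(result, detail):
    """Map one log entry to a rotation state."""
    if result == "SUCCESS":
        return "changed"
    if "Computer is off" in detail:
        return "offline"        # host was unreachable, old password unchanged
    if "does not exist" in detail:
        return "no_account"     # errorlevel 2221 branch: no account named Administrator
    return "error"              # "Unknown error - <n>" branch

def rotation_report(log_text, inventory):
    """Return {state: sorted host names}; host names compare case-insensitively."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            seen[m["host"].upper()] = classify(m["result"], m["detail"])
    wanted = {h.upper() for h in inventory}
    report = {s: [] for s in STATES}
    for host in wanted:
        # Hosts the script never enumerated have no log line at all.
        report[seen.get(host, "not_attempted")].append(host)
    report["not_in_inventory"] = [h for h in seen if h not in wanted]
    for hosts in report.values():
        hosts.sort()
    return report

def still_exposed(report):
    """Inventory hosts where the previous password must be assumed still valid."""
    keys = ("offline", "no_account", "error", "not_attempted")
    return sorted(h for k in keys for h in report[k])

# Constructed sample data (not real hosts).
SAMPLE_LOG = """\
WS01 - SUCCESS: Password was changed.
WS02 - FAILED: Computer is off.
ws03 - FAILED: Administrator account does not exist.
SRV01 - FAILED: Unknown error - 5.
LAB07 - SUCCESS: Password was changed.
"""
SAMPLE_INVENTORY = ["ws01", "ws02", "ws03", "srv01", "ws04"]

if __name__ == "__main__":
    print(still_exposed(rotation_report(SAMPLE_LOG, SAMPLE_INVENTORY)))
```

Hosts reported under not_in_inventory were changed by the run but are absent from the asset list, which is worth investigating separately.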
rcolbert
03-24-2005, 05:55 PM
Korpse - That's a more elegant solution than my batches.
My only excuse is that I use the same batch logic for a bunch of different stuff so I tend to be lazy and not write stuff quite up to the level that you've shown.
j4zzee
03-24-2005, 10:46 PM
> Anyone know of a GPO that allows the resetting of all local admin passwords?
with a gpo you can rename the admin, but you cannot change the password
To perform this task for all computers in an OU; something like this might work?
Set objOU = GetObject("LDAP://OU=YourOU, DC=YourDomain, DC=com")
objOU.Filter = Array("Computer")
For Each objItem in objOU
strComputer = objItem.CN
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
objUser.SetPassword("NeWPassWoRd!")
Next