Updating all Local Administrator passwords across the domain

Scenario

You used to use startup scripts to update all Local Administrator passwords throughout your domain, but now that you think logon scripts are the Devil’s work, you need another way of doing it.

I mean, look at the code…it’s not heavenly is it:

Set SatanNet = WScript.CreateObject("WScript.Network")
strComputer = "."
Set LuciferUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
LuciferUser.SetPassword "PASSWORD'o'HELL" ' Enter the new password between the quotes
LuciferUser.SetInfo

Here’s a nicer, flame-resistant solution:

Solution

As before, when we used a GPO to control the local Administrators group, we can use the same Group Policy Preferences to update the Local Administrator password on all computers in the domain.

  1. Create a new GPO and navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
  2. Right-click in the space and choose New > Local User.
  3. Making sure the Action is Update, select Administrator (built-in) from the User name dropdown menu, then enter the new password twice.
  4. Test your new Group Policy Object on a test computer first, then, all being well, link the GPO to a higher-level OU, or add the same settings to an existing GPO.
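
What the preference item from the steps above leaves behind, as an added audit example (not part of the original post): the password entered in step 3 is saved in the GPO's Groups.xml under SYSVOL as a cpassword attribute, in a share that domain users can read, so it is worth inventorying which GPOs carry one. The function name, the temp-folder layout, the all-zero GPO GUID and the simplified sample XML are assumptions constructed for the demo.

```powershell
# Added example: list Local User preference items that carry a stored password.
# Reports metadata only; the cpassword value itself is never printed or decoded.
function Find-GppLocalUserPassword {
    param(
        [Parameter(Mandatory)][string]$PoliciesPath   # e.g. \\<domain>\SYSVOL\<domain>\Policies
    )
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter 'Groups.xml' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Unparseable XML: $($file.FullName)"; return }
        foreach ($user in $xml.SelectNodes('//User')) {
            $props = $user.SelectSingleNode('Properties')
            if ($null -eq $props) { continue }
            if ([string]::IsNullOrEmpty($props.GetAttribute('cpassword'))) { continue }
            [pscustomobject]@{
                GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                UserName = $props.GetAttribute('userName')
                Action   = $props.GetAttribute('action')
                Changed  = $user.GetAttribute('changed')
                File     = $file.FullName
            }
        }
    }
}

# Constructed sample: a simplified Groups.xml in a temp folder shaped like a GPO path.
$root = Join-Path ([IO.Path]::GetTempPath()) 'Policies'
$gpo  = [IO.Path]::Combine($root, '{00000000-0000-0000-0000-000000000000}', 'Machine', 'Preferences', 'Groups')
New-Item -ItemType Directory -Path $gpo -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)" changed="2000-01-01 00:00:00">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $gpo 'Groups.xml')
Find-GppLocalUserPassword -PoliciesPath $root | Format-List
```

To audit a real domain, pass the Policies folder of your own SYSVOL share as -PoliciesPath; an empty result means no Local User preference item there has a stored password.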