The security implications mentioned by Eric obviously cannot be ignored.
Group policy is only one way to do it. It has the advantage that, if nothing goes wrong, it will eventually be applied to all the target machines, but it also has the disadvantage that it does not tell you on which machines it has been applied.
An alternative approach is running a batch file from a server. I use an SQL database to select the target machines and include a flag field in the select that is changed after successfully changing the password. This has two advantages.
1. You actually know which machines have been successfully changed.
2. The new password is not accessible by the user.
Obviously the batch file has to be applied several times if some of the machines are unavailable.
To use this method you do not need SQL Server. Alternatives are AD itself or MySQL. You could even use a text file or Access.
I enclose the script for anyone that might be interested.
However there is one additional security problem that we have with this method.
We use a telephone support system. Occasionally a machine is inaccessible remotely and support staff supply the password. Obviously this compromises all PCs with this password.
' Massive change of local account password
' Supposes that the local administrator account is "administrador"
' Must have registered SScrRun.dll from www.netal.com (System Scripting Runtime)
Option Explicit
Dim objShell, objIP, objConn, objRst, strComputer, objNetwork
Dim strCommand, strSQL, objUser, strPassword
Const adOpenStatic = 3
Const adLockOptimistic = 3
If WScript.Arguments.Count <> 1 Then
    ShowUsage
    WScript.Quit
End If
strPassword = WScript.Arguments(0)
' Select active workstations whose flag shows they have not been changed yet
strSQL = "SELECT * FROM hosts WHERE HostServer = 0 AND HostActive = '1' AND " & _
         "HostType = '1' AND HostFlag1 = '0'"
Set objIP = CreateObject("SScripting.IPNetwork")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
             "Persist Security Info=False;Initial Catalog=WMIInvent;Data Source=KROLL"
Set objRst = CreateObject("ADODB.RecordSet")
objRst.Open strSQL, objConn, adOpenStatic, adLockOptimistic
Do While Not objRst.EOF
    strComputer = Trim(objRst("HostIpAddress"))
    WScript.Echo strComputer
    ' Only try machines that answer a ping; the rest are picked up on a later run
    If objIP.Ping(strComputer, , , 50) = 0 Then
        On Error Resume Next
        Set objUser = GetObject("WinNT://" & strComputer & "/administrador,user")
        objUser.SetPassword(strPassword)
        If Err <> 0 Then
            WScript.Echo Err.Number & " -- " & Err.Description
            Err.Clear
        Else
            ' Success: set the flag so this machine is skipped on the next run
            objRst("HostFlag1") = 1
            objRst.Update
            WScript.Echo strComputer & " updated."
        End If
        On Error GoTo 0
    End If
    objRst.MoveNext
Loop
objRst.Close
objConn.Close

Sub ShowUsage
    WScript.Echo "Usage: " & WScript.ScriptName & " pwdnuevo"
End Sub
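The same select-then-flag design, written as an added Python example that is not the poster's script: it uses an in-memory SQLite table with constructed sample rows in place of the SQL Server inventory, and the ping and the WinNT:// SetPassword call are replaced by injected callables (assumptions made here, since the real ones only work on a Windows network). Re-running it only revisits hosts whose flag is still 0, which is the first advantage listed above, and the password is never written to the table, which is the second.

```python
"""Re-runnable local-account password rotation driven by an inventory table.

Added example, not the original poster's script. The reachability check and
the password-setting step are injected so the tracking logic can be run and
tested anywhere; on a real network they would be the ping and the
WinNT://host/account,user SetPassword call from the VBScript.
"""
import sqlite3
from typing import Callable, Dict, List

# Constructed inventory mirroring the column names used in the post's query.
SCHEMA = """
CREATE TABLE hosts (
    HostIpAddress TEXT PRIMARY KEY,
    HostServer    INTEGER NOT NULL,
    HostActive    INTEGER NOT NULL,
    HostType      INTEGER NOT NULL,
    HostFlag1     INTEGER NOT NULL DEFAULT 0
)
"""

# (ip, is_server, active, type): sample rows, constructed for this example.
SAMPLE_HOSTS = [
    ("10.0.0.11", 0, 1, 1),   # workstation, should be rotated
    ("10.0.0.12", 0, 1, 1),   # workstation, should be rotated
    ("10.0.0.13", 0, 0, 1),   # inactive, excluded by the query
    ("10.0.0.20", 1, 1, 1),   # server, excluded by the query
]

PENDING_SQL = (
    "SELECT HostIpAddress FROM hosts "
    "WHERE HostServer = 0 AND HostActive = 1 AND HostType = 1 AND HostFlag1 = 0 "
    "ORDER BY HostIpAddress"
)


def create_inventory() -> sqlite3.Connection:
    """Build an in-memory inventory holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, 0)", SAMPLE_HOSTS)
    conn.commit()
    return conn


def pending_targets(conn: sqlite3.Connection) -> List[str]:
    """Hosts that still need the change; the flag is what makes re-runs safe."""
    return [row[0] for row in conn.execute(PENDING_SQL)]


def rotate_passwords(
    conn: sqlite3.Connection,
    new_password: str,
    reachable: Callable[[str], bool],
    set_password: Callable[[str, str], None],
) -> Dict[str, str]:
    """One pass over the pending hosts; returns a per-host outcome.

    Only hosts reported as 'updated' get HostFlag1 = 1, and each flag is
    committed on its own, so an interrupted run keeps the progress already
    made. The password goes to set_password only and is never stored.
    """
    outcome: Dict[str, str] = {}
    for host in pending_targets(conn):
        if not reachable(host):
            outcome[host] = "unreachable"      # left at flag 0 for the next run
            continue
        try:
            set_password(host, new_password)
        except Exception as exc:               # same role as the Err echo in the script
            outcome[host] = f"error: {exc}"
            continue
        conn.execute("UPDATE hosts SET HostFlag1 = 1 WHERE HostIpAddress = ?", (host,))
        conn.commit()
        outcome[host] = "updated"
    return outcome


if __name__ == "__main__":
    # Simulated environment: 10.0.0.12 is switched off during the first pass.
    down = {"10.0.0.12"}
    changed: Dict[str, str] = {}
    conn = create_inventory()
    first = rotate_passwords(conn, "example-password",
                             reachable=lambda h: h not in down,
                             set_password=lambda h, p: changed.__setitem__(h, p))
    print("first pass :", first)
    down.clear()
    second = rotate_passwords(conn, "example-password",
                              reachable=lambda h: h not in down,
                              set_password=lambda h, p: changed.__setitem__(h, p))
    print("second pass:", second)
    print("still pending:", pending_targets(conn))
```

Committing the flag per host rather than once at the end is the detail that matters operationally: if the run dies halfway, the next run picks up exactly the hosts that were not done, and the inventory table doubles as the audit record of which machines received the change.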
