I too have been watching this thread for a long time, as we were recently faced with a similar challenge. We have about 500 Windows machines in three AD forests (and, therefore, three domains).

On December 06, 2005 3:00 AM Nicolas RUFF [mailto:[EMAIL PROTECTED]] wrote:

> Why don't you change the local administrator password remotely (using a
> WMI script for instance), or even lock down the local administrator
> account if your 500 computers are part of a Windows domain ?

This was our solution. I wrote a vbscript that, when run with domain admin privileges within each of our domains, does just this and remotely, sidestepping the login script, permissions and encryption issues.

Of note, attempting to remotely manipulate local user account information via WMI is foiled by the XP SP2 (and Windows 2003 SP1) firewall (unless you have created a GPO "enabling remote administration exceptions", which in essence opens TCP ports 135 and 445, the DCOM and RPC ports). Yet ADSI can make it through the firewall without needing those exceptions.

Our script successfully renamed each account with a 500 SID, gave it a very long password, then disabled the account. It also created an additional local account, gave it a specified password (could have easily been randomized instead, if required), joined it to the local "Administrators" group, and performed a few other housekeeping items related to that account.

- Cathy Sewell
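One way to script the procedure Cathy describes above, as an added example that is not her script or anything from the list. It assumes the command-line arguments shown, the hypothetical new name `retired-admin` for the built-in account, and an unlocalized `Administrators` group name.

```vbscript
' Added example, not Cathy Sewell's script: ADSI WinNT provider only (no WMI),
' run with local admin rights on the target. Names here are hypothetical.
' Usage: cscript //nologo localadmin.vbs <computer> <newadmin> <password>
Option Explicit
Dim args, strComputer, strNewAdmin, strPassword
Set args = WScript.Arguments
If args.Count < 3 Then WScript.Echo "Usage: localadmin.vbs <computer> <newadmin> <password>": WScript.Quit 1
strComputer = args(0): strNewAdmin = args(1): strPassword = args(2)
' RID (last sub-authority) of the binary SID byte array that ADSI returns.
Function RidOfSid(arrSid)
    Dim n: n = UBound(arrSid)
    RidOfSid = CDbl(arrSid(n - 3)) + CDbl(arrSid(n - 2)) * 256 + _
               CDbl(arrSid(n - 1)) * 65536 + CDbl(arrSid(n)) * 16777216
End Function
' Long throwaway password for the account being disabled (Rnd is not a CSPRNG,
' but nobody is meant to log in with this value again).
Function ThrowawayPassword(length)
    Const chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@"
    Dim i, s
    Randomize
    For i = 1 To length
        s = s & Mid(chars, Int(Rnd * Len(chars)) + 1, 1)
    Next
    ThrowawayPassword = s
End Function
Dim objComputer, objUser, strAdminPath, objAdmin, objNew, objGroup
Set objComputer = GetObject("WinNT://" & strComputer & ",computer")
objComputer.Filter = Array("user")
' Locate the built-in Administrator by RID 500, whatever it is called today.
For Each objUser In objComputer
    If RidOfSid(objUser.Get("objectSid")) = 500 Then strAdminPath = objUser.ADsPath
Next
If IsEmpty(strAdminPath) Then WScript.Echo "No RID-500 account found": WScript.Quit 2
' Scramble its password, disable it, then rename it (MoveHere renames in place).
Set objAdmin = GetObject(strAdminPath)
objAdmin.SetPassword ThrowawayPassword(64)
objAdmin.AccountDisabled = True
objAdmin.SetInfo
Set objAdmin = objComputer.MoveHere(strAdminPath, "retired-admin")
' Create the replacement account and add it to the local Administrators group.
Set objNew = objComputer.Create("user", strNewAdmin)
objNew.SetPassword strPassword
objNew.SetInfo
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
objGroup.Add objNew.ADsPath
WScript.Echo "Done on " & strComputer
```

Because the WinNT provider talks SMB/named pipes rather than DCOM, this works through the XP SP2 firewall with only File and Printer Sharing allowed, which is the point Cathy makes about ADSI versus WMI.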
