Setting the Local Administrator Password with ConfigMgr Collection Variables
ConfigMgr provides an elegant way to manage the local administrator password using a task sequence, a collection variable, a package and a little bit of VBScript.
At the most basic level, we want to be able to manage the password of the local administrator account. We want to be able to set the password to be the same across all machines (security issues aside…). To do this we create a collection variable on the “All Windows Workstation or Professional Systems” collection: ADMINPASSWORD=ourpassword.
The value is obfuscated in the console, so it can’t be read back from there.
We have a package that just contains a single VBScript:
' Expects the new password as the first argument (the task sequence passes %ADMINPASSWORD%)
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: " & WScript.ScriptName & " <password>"
    WScript.Quit 1
End If
sNewPassword = WScript.Arguments(0)
Set oWshNet = CreateObject("WScript.Network")
sComputer = oWshNet.ComputerName
' Look the account up by its well-known RID (500) so a renamed Administrator is still found
sAdminName = GetAdministratorName
If sAdminName = "" Then
    WScript.Echo "Built-in administrator account not found"
    WScript.Quit 1
End If
On Error Resume Next
Set oUser = GetObject("WinNT://" & sComputer & "/" & sAdminName & ",user")
oUser.SetPassword sNewPassword
oUser.SetInfo
' Fail the task sequence step instead of silently reporting success
If Err.Number <> 0 Then
    WScript.Echo "Failed to set password: " & Err.Description
    WScript.Quit 1
End If
On Error Goto 0

Function GetAdministratorName()
    Dim oWshNetwork, oUserAccounts, oUserAccount
    Set oWshNetwork = CreateObject("WScript.Network")
    ' Restrict the query to local accounts; on a domain-joined machine
    ' Win32_UserAccount would otherwise enumerate the whole domain as well
    Set oUserAccounts = GetObject( _
        "winmgmts://" & oWshNetwork.ComputerName & "/root/cimv2") _
        .ExecQuery("Select Name, SID from Win32_UserAccount" _
        & " WHERE Domain = '" & oWshNetwork.ComputerName & "'")
    On Error Resume Next
    For Each oUserAccount In oUserAccounts
        ' The built-in Administrator always has RID 500, whatever it has been renamed to
        If Left(oUserAccount.SID, 9) = "S-1-5-21-" And _
           Right(oUserAccount.SID, 4) = "-500" Then
            GetAdministratorName = oUserAccount.Name
            Exit For
        End If
    Next
End Function
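The same RID-500 lookup, written in Python as an added example (it is not the script from the post) over constructed Win32_UserAccount-style records: the LocalAccount type, the rid_of and find_builtin_admin helpers and the sample accounts are assumptions, and the point is that the built-in Administrator is identified by its RID whatever it has been renamed to, while a domain Administrator (also RID 500) and accounts whose RID merely ends in 500 are ignored.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Added example, not the post's script. Hypothetical record type mirroring the
# Name/Domain/SID fields the VBScript reads from Win32_UserAccount.
class LocalAccount(NamedTuple):
    name: str
    domain: str   # for a local account this is the computer name
    sid: str

# Machine/domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_of(sid: str) -> Optional[int]:
    """Return the RID of an S-1-5-21 SID, or None for well-known/other SIDs."""
    m = _SID_RE.match(sid)
    return int(m.group(1)) if m else None

def find_builtin_admin(accounts: Iterable[LocalAccount], computer_name: str) -> Optional[str]:
    """Name of the built-in Administrator (RID 500) on this computer, whatever it is called.

    Like the VBScript's WHERE Domain = <computer name> filter, only local accounts
    are considered, so a domain Administrator (also RID 500) is never returned.
    The SID is parsed rather than string-sliced, so a malformed SID cannot match.
    """
    for acct in accounts:
        if acct.domain.casefold() != computer_name.casefold():
            continue
        if rid_of(acct.sid) == 500:
            return acct.name
    return None

# Constructed sample: Administrator has been renamed and decoy accounts are present.
SAMPLE_ACCOUNTS = [
    LocalAccount("Guest", "WS01", "S-1-5-21-1111-2222-3333-501"),
    LocalAccount("Administrator", "CONTOSO", "S-1-5-21-9999-8888-7777-500"),  # domain, not local
    LocalAccount("svc-backup", "WS01", "S-1-5-21-1111-2222-3333-1500"),      # RID 1500, not 500
    LocalAccount("LocalAdm", "WS01", "S-1-5-21-1111-2222-3333-500"),         # renamed built-in admin
]

if __name__ == "__main__":
    print(find_builtin_admin(SAMPLE_ACCOUNTS, "ws01"))  # LocalAdm
```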
Our task sequence has a single step that calls this script from the package we’ve created. The script takes a single parameter, %ADMINPASSWORD%, which the task sequence engine reads from the collection variable created above.
Obviously, this can be advertised on a recurring schedule to reset the password regularly, and the only administrative change required is to replace the collection variable value. It is also easy to use different collection variable values for different collections, or even on a per-machine basis if desired: simply set the precedence on the new entry to be higher than the default.