Part 4: Managing Local Administrator Passwords

Overview

This is Part 4 of a multi-part series on managing local admin passwords. In this part I will discuss how to update the password of a local user account using PowerShell.  In case you missed it:

Here is Part 1 - Overview

Here is Part 2 - Random Password Generation

Here is Part 3 - Secure Active Directory Attribute Update

If you want to skip straight to the script you can copy it from this post directly, or you can download the script which is attached to this post as a text file.

The Problem

To manage the passwords for an enterprise environment, any comprehensive local admin password management solution must include a way to programmatically update the password of the local administrator account with a new password when needed..

The Solution

The following function will update the password for any account specified in $AccountName with the value of the password specified in $Password

#==================================================================================
# Set Local Admin Password
#==================================================================================
function fnSetAdminPassword
{param([string]$AccountName,[string]$Password)
   
    try{
        #Connects to local admin account and sets password
        ([ADSI]$Admin=”WinNT://$env:COMPUTERNAME/$AccountName”); $Admin.SetPassword("$Password")

        #Log Output
        #fnLog -LogPath $LogDir -LogFileName $LogFileName -Data "INFO: Successfully Updated Local Admin password"

        #Return Code
        Return "SUCCESS"
    }
    catch{

        #Log Output
        #fnLog -LogPath $LogDir -LogFileName $LogFileName -Data "ERROR: Unable to set local admin password"

        #Return Code
        Return "ERROR"
    }
}

Below is a screenshot of the preceding function updating a local account called localadmin to a password of mySecur3P@SSw0rd on a machine called EX01.

The keen observer may have noticed that I commented out the fnLog function in the example script above. The function above is a part of a larger local administrator password management solution which I will continue to reveal in the next part of this series. What you have so far is a configurable random password generator which can be integrated into pretty much any random password script, a cryptographically random character generator which can also be used for many different purposes, a means to securely transmit the password to Active Directory using Kerberos to secure the data in transit, and a programmatic way to update any local account on a workstation or server with the password of your choosing. 

Limitations

The account running the script must have the rights needed to update the password for the target account. Additionally, the target account name must exist for the update to succeed.

Still to Come

The upcoming parts in this series will explain how to do the following:

  • Write a log file that logs the success and failure of each function
  • Create a confidential attribute to store the local admin password
  • Create fnMain to control the order in which all of the functions are called
  • Create a XAML based secure password viewer to retrieve the local admin password

Each portion of the solution is modularized using functions which allows the IT administrator to make use of all or just parts of the solution and allows the IT administrator to easily integrate any portion they wish into a larger script or even a different solution entirely. So stay tuned as Part 5 discusses how to log the success or failure of each function using PowerShell.

fnSetAdminPassword.txt

Comments

  • Anonymous
    February 17, 2014
    Overview In this multi part series I will walk you through how to manage the local admin password
  • Anonymous
    February 17, 2014
    Overview This is Part 5 of a multi-part series on managing local admin passwords. In this part I will
  • Anonymous
    April 02, 2014
    This is Part 6 of a multi-part series on managing local admin passwords. In this part I will discuss how to extend the Active Directory schema to create a new confidential attribute which is where the workstation's local administrator password will
  • Anonymous
    May 13, 2014
    This is Part 7 of a multi-part series on managing local admin passwords. In this part I will provide
  • Anonymous
    May 15, 2014
    Pingback from Manage Local Admin Passwords – Additional Comments | JohanPersson.nu
  • Anonymous
    August 12, 2014
    This is Part 8 and the final part of a multi-part series on managing local admin passwords. In this part
  • Anonymous
    October 07, 2014
    there is: Part 4: Managing Local Administrator Passwords
    should be: Part 4: Update Local Account's Password ?