Changing the Local Administrator Password

In many network environments, preventing users from having access to the local Administrator account is a good idea. Otherwise, a user could use the account to log on and make unauthorized changes to the system and possibly access unauthorized resources on the network.

A typical scenario for configuring the various user accounts on a network is to establish user accounts that have only the access capabilities required for a user to perform his or her work and to set the local Administrator account password on each machine to something unknown to nonadministrative users. In environments with multiple domains, setting the local Administrator password to a different value in each domain is often a good idea. You should also periodically change the local Administrator passwords.

If your network has dozens, hundreds, or even thousands of machines, changing passwords across all the machines can be challenging, especially if you don't use Active Directory (AD). A reader recently wrote, asking how to perform such a task in an environment without AD. Two ideas come to mind: using a third-party tool or using scripts.

If you prefer the third-party tool option, several tools on the market might fit your needs. Some password-changing tools come as parts of network-management packages, and some are more tailored to the task at hand. Back in October 2001, I mentioned a tool called DCPC, which can change all the local Administrator passwords across a network. Some people have told me they aren't comfortable using it because it's freeware and because it comes from a company that doesn't appear to be very established. I haven't used DCPC and can't vouch for its trustworthiness, but it's still available.

Another tool you might consider is Hyena, which is available from SystemTools Software. Hyena performs a variety of tasks, including changing local Administrator passwords on multiple machines across a network. I think it's reasonably priced, and according to the Web site, you can download a fully functional evaluation version. Other solutions are undoubtedly available, so do some research and shop around to find a solution that fits your needs.

If you just need to change the local Administrator password on a few machines, consider using cusrmgr.exe, which is available in the "Microsoft Windows 2000 Resource Kit." The tool works for Win2K and Windows NT systems. You can read more about cusrmgr.exe in the Microsoft article "How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers."

If you don't mind using scripts, try the Win32::AdminMisc Perl module (available at the first URL below), developed by Windows & .NET Magazine author Dave Roth. The Windows & .NET Magazine article "How to Manage Your Enterprise's Passwords the Easy Way" (at the second URL below) explains how to manage local Administrator passwords by using Win32::AdminMisc. The article offers detailed explanations and Perl source code that you can modify to fit your needs.

Be aware that when you use some tools, including scripts, passwords might travel over your network in clear text, which means that someone using a packet sniffer could obtain them. So consider that possibility when choosing a solution for password management.
