Kaseya Community

Local Admin password keeps expiring

  • Hello to all. Looking for a little help.

    I remember seeing a post before on this topic, several months ago, but could not find it this morning. So please forgive the duplicate post.

    The vast majority of our Agents are members of a domain, and the Credential used for Kaseya is a domain account. No problem here.

    But we probably have 200 machines that are just WORKGROUP members. Most often, these are 1-4 machines that a client has at some remote office, that were set up long before we ever started working with them.

    For these WORKGROUP machines, I am having a problem with the password expiring for the local admin account.

    As part of our Kaseya Agent setup, we use the Kaseya ->Remote Cntl->Reset Password screen to create a new local account, as an administrator. Then we use the Kaseya ->Credential screen to enter that same account as the Credential, and we test it, and it shows Passed. Then we use the Kaseya->Patch Mgmt->Patch Status screen to test patching, and it shows Passed.

    Patch Management will work fine for some time. I am not exactly sure how long; it is definitely several weeks. Then at some point, we see that Patches are Failing due to invalid credential.

    I then go to Kaseya ->Credential screen, run a test, and it Fails. I go to the Kaseya ->Remote Cntl->Reset Password screen and reset the password (to the same value it was before). Then I go to Kaseya ->Credential screen and we test it, and it shows Passed. Then we use the Kaseya->Patch Mgmt->Patch Status screen to test patching, and it shows Passed. Then patching will work again.

    It seems to simply be a case of the password expiring on the local machine for the local admin account that we set via Kaseya.

    I remember seeing a post before on this topic, several months ago, but could not find it this morning. So please forgive the duplicate post. I believe someone had said this was a known problem, and they used a free 3rd party tool to somehow set the local admin account so the password never expires. But then it turned out that 3rd party app was no longer free.

    Questions:

    1) Is anyone else experiencing this same problem?

    2) What are you using/doing to address it?

    As always, thanks in advance.

    Lloyd

    Legacy Forum Name: Local Admin password keeps expiring,
    Legacy Posted By Username: lwolf
  • We create our account, add to local admin group and set the password to not expire in a script that runs when the agent is installed.

    This site has a VB script to disable the password expiration on a local account:

    http://www.markwilson.co.uk/blog/2004/09/script-to-disable-password-expiry-for.htm


    Script Name: CreateAgentAdminAccountLocal
    Script Description: Creates agent admin account and sets password to never expire

    IF True
    THEN
    Pause Script
    Parameter 1 : 30
    OS Type : 1
    Execute Shell Command
    Parameter 1 : net user ADMINUSERNAME PASSWORD /add
    Parameter 2 : 1
    OS Type : 1
    Execute Shell Command
    Parameter 1 : net localgroup Administrators ADMINUSERNAME /add
    Parameter 2 : 1
    OS Type : 1
    Write File
    Parameter 1 : c:\temp\nopwdexp.vbs
    Parameter 2 : VSASharedFiles\nopwdexp.vbs
    OS Type : 1
    Execute Shell Command
    Parameter 1 : wscript //B c:\temp\nopwdexp.vbs /domain:%computername% /user:ADMINUSERNAME
    Parameter 2 : 1
    OS Type : 1
    ELSE

    Legacy Forum Name: How-To,
    Legacy Posted By Username: rkniffin
  • rkniffin,

    Thank you very much. I think that will solve our problem.

    Lloyd

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
  • rkniffin (and others),

    I implemented the solution above, and it seems to be working fine.

    But, I just noticed that, on machines running Windows Vista, when I look at the account in Control Panel->User accounts->Manage User Accounts, double-click the account, select Group Membership tab, it shows the account as Standard User.

    But, if I select the Advanced tab and click the Advanced button, and select the account, it shows as being a member of the Administrators group.

    So in one place it looks right, and in the other place it looks wrong.

    Is anyone else seeing this?

    Lloyd

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
  • I also added this line to remove the Users group. Otherwise this user is a restricted user instead of an Administrator.

    Execute Shell Command
    Parameter 1 : net localgroup Users ADMINUSERNAME /delete
    Parameter 2 : 1
    OS Type : 1

    Legacy Forum Name: How-To,
    Legacy Posted By Username: b.vanloenen@jms.nl
  • AddUser.zip
    I created this program in C++ to solve the creating user issue. Here's what it does:

    1. Creates a new local user without an expiring password
    2. Adds the newly created user to the local administrators group

    It doesn't hide the account from the welcome screen yet. I'll probably add that in the next update. It should work on Windows 2000 and up. But I haven't tested it on Windows 2000 or Windows servers.

    Matt

    Legacy Forum Name: How-To,
    Legacy Posted By Username: connectex
  • AddUser1.1.zip
    Here's AddUser.exe version 1.1. It has the option to hide the new account for you.

    Just use /? to get help.

    Matt

    Legacy Forum Name: How-To,
    Legacy Posted By Username: connectex
  • b.vanloenen@jms.nl
    I also added this line to remove the Users group. Otherwise this user is a restricted user instead of an Administrator.

    Execute Shell Command
    Parameter 1 : net localgroup Users ADMINUSERNAME /delete
    Parameter 2 : 1
    OS Type : 1


    This additional step fixed the issue in Vista with the account showing as a standard user.

    Thanks for everyone's contribution. This has been a bugbear of mine for a while.


    Script Name: Create/Hide Local Admin
    Script Description: 1. Creates Local User "KASEYAADMIN"
    2. Adds KASEYAAdmin to the LOCAL administrators group and deletes it from the USERS group
    3. Hides KASEYAAdmin so it will not be displayed on the login menus
    4. Sets the user as NON-Expiring

    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net user KASEYAADMIN /del
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user KASEYAADMIN KASEYAADMINPASSWORD /add
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup administrators KASEYAADMIN /add
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup users KASEYAADMIN /delete
    Parameter 2 : 1
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\KASEYAADMIN
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Write File
    Parameter 1 : #vagentconfiguration.agenttempdir#\nopwdexp.vbs
    Parameter 2 : VSASharedFiles\VBS Scripts\nopwdexp.vbs
    OS Type : 0
    Execute Shell Command
    Parameter 1 : wscript //B #vagentconfiguration.agenttempdir#\nopwdexp.vbs /domain:%computername% /user:KASEYAADMIN
    Parameter 2 : 1
    OS Type : 0
    Delete File
    Parameter 1 : #vagentconfiguration.agenttempdir#\nopwdexp.vbs
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Kaseya Admin Account KASEYAADMIN created as non-expiring user
    OS Type : 0
    ELSE


    Legacy Forum Name: How-To,
    Legacy Posted By Username: smbtechnology
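
An added check, not part of any post in this thread: a PowerShell function that audits the state the "Create/Hide Local Admin" procedure above is meant to leave behind (account exists, password set to not expire, in Administrators, not in Users, hidden from the logon screen). It assumes a current Windows build with the Microsoft.PowerShell.LocalAccounts module; `Test-AgentAdminAccount` is a hypothetical name and `KASEYAADMIN` is the placeholder account name used in the thread.

```powershell
# Added example (not from the thread): report whether the agent admin account
# is in the state the procedure intends. Read-only; run elevated on the endpoint.
function Test-AgentAdminAccount {
    param([string]$Name = 'KASEYAADMIN')   # placeholder account name from the thread

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Account = $Name; Exists = $false }
    }

    # Well-known SIDs keep the group checks working on localized Windows builds.
    $isMember = {
        param([string]$GroupSid)
        try {
            $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop
            [bool]($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
        } catch {
            $null   # $null means the group could not be enumerated
        }
    }

    # The procedure writes a DWORD named after the account, with data 0, under this key.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name

    [pscustomobject]@{
        Account              = $Name
        Exists               = $true
        Enabled              = $user.Enabled
        # PasswordExpires is empty when the password does not expire.
        PasswordNeverExpires = ($null -eq $user.PasswordExpires)
        PasswordLastSet      = $user.PasswordLastSet
        InAdministrators     = & $isMember 'S-1-5-32-544'   # BUILTIN\Administrators
        InUsers              = & $isMember 'S-1-5-32-545'   # BUILTIN\Users
        HiddenFromLogon      = ($hidden -eq 0)
    }
}

Test-AgentAdminAccount | Format-List
```

`PasswordLastSet` is included so the age of the non-expiring password is visible in the same report.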
  • Using the AddUser utility, is there a way to:

    a) Update the password for an existing user?

    b) Assuming it does not delete a user, is there another util to delete a user?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: sbbssoft
  • No, there's no delete option. And no, it doesn't provide for a password change either. That's one thing I should add though. The main reason I wrote it was to create the account with longer passwords. Seems Kaseya and the net user command only allow up to 14 characters.

    BTW, here's a reference for the net user command. It will allow you to do the delete and password change (but only up to 14 character passwords).

    http://support.microsoft.com/kb/251394

    Matt

    Legacy Forum Name: How-To,
    Legacy Posted By Username: connectex
  • connectex
    No, there's no delete option. And no, it doesn't provide for a password change either. That's one thing I should add though. The main reason I wrote it was to create the account with longer passwords. Seems Kaseya and the net user command only allow up to 14 characters.

    BTW, here's a reference for the net user command. It will allow you to do the delete and password change (but only up to 14 character passwords).

    http://support.microsoft.com/kb/251394

    Matt

    Just viewed the MS KB. KB references command is only for servers?

    --

    You can use the net user command to create and modify user accounts on computers. When you use this command without command-line switches, the user accounts for the computer are listed. The user account information is stored in the user accounts database. This command works only on servers.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: sbbssoft
  • It's supported on all Microsoft server and workstation OSes (2000 and higher).

    To delete a user: net user <username> /delete

    To change a password: net user <username> <password>

    Note: you can use a * instead of the password on the command line if you prefer it to prompt you for the new password.

    BTW, I think I will change the AddUser program to be able to delete and change passwords. I can't say how fast I'd get it revised as I have a quite heavy load this week. I also feel I should give it a new name, since it will do more than just adding a user account, and it will require some command line parameter changes/enhancements.

    Matt

    Legacy Forum Name: How-To,
    Legacy Posted By Username: connectex
  • User-v1.0.zip
    sbbssoft
    Using the AddUser utility, is there a way to:

    a) Update the password for an existing user?

    b) Assuming it does not delete a user, is there another util to delete a user?


    AddUser.exe didn't do anything but add a user account with a few key settings like no password expiration, etc. So please welcome the new improved version. It's now called User.exe. The name had to change as its purpose has been extended. It slices. It dices. It chops. Ok, I'll stop the infomercial. But, now it allows you to add and delete user accounts, and change their passwords via command line.

    So why should I use this versus other options:

    1. It's an .exe format. It's simpler as there's no batch or VBScript to deal with.
    2. It has options to control the popular settings on new user creation like password expiration, add to local administrators group, hide from welcome screen, etc.
    3. The "net user" command doesn't handle passwords longer than 14 characters without prompting that it doesn't work with systems before Windows 2000. That makes scripting it impossible unless you accept the length limitation. Longer passwords are more secure, of course!

    Run without arguments or with /? to get help.

    Enjoy,

    Matt

    Legacy Forum Name: How-To,
    Legacy Posted By Username: connectex
  • connectex
    The "net user" command doesn't handle passwords longer than 14 characters without prompting that it doesn't work with systems before Windows 2000. That makes scripting it impossible unless you accept the length limitation. Longer passwords are more secure, of course


    You're maintaining pre-Win2k systems!?!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty