Kaseya Community

Centralized Admin & Admin Password Management. (Single domain controller for all customers.)

  • In summary, here's what I've got:

    1. net user <account> <password> /add

    2. net user <account> <password>

    3. net localgroup "Administrators" "%COMPUTERNAME%\<account>" /add

    4. net localgroup "Domain Admins" "%COMPUTERNAME%\<account>" /add

    5. netuser <account> /pwnexp:y

    6. Add reg value (DWORD, 0): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\<account>

    Those steps create the account if it doesn't exist, reset the password if it does, add it to the appropriate security groups, set the password to never expire, and hide it from the welcome screen.

    Am I missing anything?

  • I also have...

    WMIC.EXE /Node:localhost Path Win32_UserAccount Where Name="#NAME#" Set PasswordExpires="FALSE"

    Also, I have a check for 64-bit, as I use SET 64-BIT REGISTRY KEY for 64-bit machines, but you may be able to get away without that.

  • I get the idea of the single account across all sites for technicians to use and I'm happy to create the scripts for and manage that.

    It would be better if Kaseya created and managed (i.e. regularly changed the password of) a local admin account on each agent to use for patching and scripting. I don't see the need for us all to create scripts and manage it ourselves when we all need to do the same thing. It seems like an unnecessary overhead and a way to further complicate an already complicated product, especially when competing products don't require a similar thing.

  • This netuser file resolved the issue for me. It's the only workable solution I've found so far for preventing the account created from expiring on domain controllers.

  • Also, I added one more step to my script since my last post: we need to account for our admin account getting disabled. I think this (along with my steps above) covers all possible scenarios and it works great when run on every single agent at once.

    net user <account> /active:yes

  • So... this is an old topic, but we've been working toward using the variables to ensure clients have different passwords from each other. Using the variables works great... now how do I go about managing credentials for the patching, etc.? Is there a way I can use policy management or some other way to automatically update the clients' credentials when I update the variable (password)?
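
Added example, not part of the thread and not Kaseya's own code: a PowerShell check that audits the end state the steps posted above are meant to produce (account present, enabled, password non-expiring, member of Administrators, hidden from the welcome screen) and lists any other account hidden through the same registry key. The account name `svc-managed` is a placeholder for `<account>`, and the script assumes 64-bit Windows PowerShell 5.1 or later on a workstation or member server, not a domain controller.

```powershell
# Added example (not from the thread): audit the managed local admin account.
# Assumptions: 64-bit Windows PowerShell 5.1+, run elevated, machine is not a
# domain controller (the LocalAccounts cmdlets do not apply there).
param(
    [string]$Account = 'svc-managed'   # hypothetical placeholder for <account>
)

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenAccountName {
    # Value names under UserList whose DWORD data is 0 are hidden from the welcome screen.
    if (-not (Test-Path -LiteralPath $userListKey)) { return @() }
    $key = Get-Item -LiteralPath $userListKey
    @($key.GetValueNames() | Where-Object { $_ -and $key.GetValue($_) -eq 0 })
}

function Test-ManagedAdminAccount {
    param([string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Account = $Name; Exists = $false }
    }
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
    [pscustomobject]@{
        Account              = $Name
        Exists               = $true
        Enabled              = $user.Enabled                     # net user ... /active:yes
        PasswordNeverExpires = ($null -eq $user.PasswordExpires) # no expiry date recorded
        InAdministrators     = $adminSids -contains $user.SID.Value
        HiddenFromWelcome    = (Get-HiddenAccountName) -contains $Name
    }
}

Test-ManagedAdminAccount -Name $Account | Format-List

# Any other hidden account was not created by this procedure and should be reviewed.
$unexpected = @(Get-HiddenAccountName | Where-Object { $_ -ne $Account })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Other accounts hidden from the welcome screen: " + ($unexpected -join ', '))
}
```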