Kaseya Community

Local Administrator

  • I have been trying to write a script, unsuccessfully so far, that will take my company's admin account and make it a local administrator on our client's machines. Several client's are on a domain and our account is a domain admin, (or should be, I am also double checking that). The reason behind this it our account has three or four different passwords depending on the client and we want to set one global password for our account. I have a successful script to reset the password but always get access denied, found out it is due to not being a local admin. Does anybody have ideas or a successful script to accomplish this? There is in excess of 800 machines. Thanks.

    Legacy Forum Name: Local Administrator,
    Legacy Posted By Username: JonJohnston
  • JonJohnston
    I have been trying to write a script, unsuccessfully so far, that will take my company's admin account and make it a local administrator on our client's machines. Several client's are on a domain and our account is a domain admin, (or should be, I am also double checking that). The reason behind this it our account has three or four different passwords depending on the client and we want to set one global password for our account. I have a successful script to reset the password but always get access denied, found out it is due to not being a local admin. Does anybody have ideas or a successful script to accomplish this? There is in excess of 800 machines. Thanks.


    net localgroup Administrators %UserDomain%\UserID /add

    where UserID is the ID of your admin account.

    Michael

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: RCS-Michael
  • Well I had tried that. Currently my script looks like the following.
    Step one. execute shell command.
    net localgroup administrators myaccount /add
    execute as sytem.

    Step two. execute shell command.
    net user myaccount password /expires:never /add
    execute as user.
    End script.
    I keep getting erros on the change password part as the local admin part is not working. Going by your command I must include the domain also? Even though am wanting to just change the local admin?
    Thanks.

    Update: I just ran the local admin add from a command prompt on a machine and keep getting the same system error has occurred. Acess is denied. I tried including the domain name and recieved the same error.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JonJohnston
  • I am looking for a way to change several locations local admin account password I thought I would post since your very close to what I am trying to do

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ttokar
  • JonJohnston
    Well I had tried that. Currently my script looks like the following.
    Step one. execute shell command.
    net localgroup administrators myaccount /add
    execute as sytem.

    Step two. execute shell command.
    net user myaccount password /expires:never /add
    execute as user.
    End script.
    I keep getting erros on the change password part as the local admin part is not working. Going by your command I must include the domain also? Even though am wanting to just change the local admin?
    Thanks.

    Update: I just ran the local admin add from a command prompt on a machine and keep getting the same system error has occurred. Acess is denied. I tried including the domain name and recieved the same error.


    What context is the command running under? Local or domain? You might be having a problem if it is not a domain account with it being able to access the domain to get the account information to make it part of the group.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: trebligb
  • ttokar
    I am looking for a way to change several locations local admin account password I thought I would post since your very close to what I am trying to do


    Remote control Tab, Reset Password function

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: trebligb
  • trebligb
    What context is the command running under? Local or domain? You might be having a problem if it is not a domain account with it being able to access the domain to get the account information to make it part of the group.



    Well I actually did some looking late last night and was able to reset the local admin password through Kaseya (remote control, reset password). I knew this was there but was not sure it would work how I wanted, but it did. I also checked the option to set as administrator, and it appears it did change our administrator account to a local admin on the test machine. So this part looks like it is accomplished.
    Now however I am back to another issue. I am also wanting a script that I can run on a domain controller to change our domain admin password. From what I have found the command should like like this: net localgroup administrators %userdomain%\%username% /ADD.
    Also I know that the domain name is stored in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\DefaultDomainName.
    SO I should be able to incorporate the two together and have a script that looks at the registry key, finds the domain name, and enters that accordingly per each domain to change the password?
    Correct me if I am wrong on this and thanks for your help so far.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JonJohnston
  • thanks the remote control page does allow for local administartor account managment. Strange place to put it but it works

    TY

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ttokar
  • 1tjMFE http://fhYj30Mxb55m1SpveOxt.com


    [edited by: Anonymous at 7:00 PM (GMT -8) on 2-15-2011] 1tjMFE http://fhYj30Mxb55m1SpveOxt.com
  • XeviouS
    You have the two steps out of order. Swap them.

    You need to create the user account first and then add it to the local administrators group.



    The account is already created. That is why I was trying to set as a local admin and change the password. However I was able to successfully do this using the Kaseya change password, it only does it for the local account.
    Now I am trying to get the domain account password reset through a script and it appears, although I have not fully tested it, that using the following command in a script will reset the domain password.
    net localgroup administrators %userdomain%\%username% /ADD

    The domain is automatically found and filled in and the username is our admin account name. I am going to try and test this today and double check it. Thanks for all your help.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JonJohnston
  • I would like to say thank you to everybody who replied, your help is appreciated. I was able to get a successful script.
    To change the domain password of an user account:
    execute shell command
    net user username password /expires:never
    execute as user

    This successfully ran on about 30 domain controllers and reset our domain account password. This must be ran on the domain controller.

    I have also solved the original issue with setting as a local admin, this is done from the remote control, reset password option in Kaseya.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JonJohnston
  • JonJohnston
    I would like to say thank you to everybody who replied, your help is appreciated. I was able to get a successful script.
    To change the domain password of an user account:
    execute shell command
    net user username password /expires:never
    execute as user

    This successfully ran on about 30 domain controllers and reset our domain account password. This must be ran on the domain controller.

    I have also solved the original issue with setting as a local admin, this is done from the remote control, reset password option in Kaseya.


    Be aware that this "expires" flag does not set the password to not expire; it sets the user ID itself to not expire.

    Michael

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: RCS-Michael
  • [QUOTE=RCS-Michael;36391]Be aware that this "expires" flag does not set the password to not expire; it sets the user ID itself to not expire.

    Michael[/QUOTE]


    That I did not know. I was told that would set the password to not expire. I am going to look and see if I can find the correct syntax to set the password to never expire, the thing is some of our clients have a global group policy to force a password change every 90 days so setting the never expire option is almost pointless.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JonJohnston
  • I've been fooling with the net localgroup command line, and now have a similar command for adding the Domain Users group to the local Administrators group for domain-based computers...

    net localgroup "administrators" %userdomain%"\domain users" /add

    This is handy for small companies that want all their users to be admins on the local machines.

    Don't use this on a Terminal Server though, or you'll be getting calls in teh middle of the night

    "Oops, I seem to have turned off the server, and now nobody can get in..."

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rspaldi
  • Quick note, if your company's domain administrator password is simply a renamed Administrator account from AD, you're probably going to have services using this account and you'll start getting weird failures if you change this without updating these services.

    Cheers,

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: LANWorx