Rename Local admin and set password on many servers.

This topic contains 2 replies, has 2 voices, and was last updated by TheDon 1 year, 2 months ago.

    TheDon

    I'm new to PS and have pieced together a simple script that works on my lab. I'm interested in adding additional functionality and think the finished product is one that may be useful to many network admins.
    Basically I wanted to change the local administrator account to a new name, and set the password.
    The 2 ways I see to do this are to either deploy via a product like SCCM to a target group, or just execute from my computer as a domain admin, pulling the servers from a txt file.
    What I have so far that does work:

    #Sets User Password and enables account.
    invoke-command { net user NewName Adm.Passwordxxxx /active:Yes } 

    Assuming I wanted to use SCCM, how would I check and apply if there were 2 possible admin names, like Administrator OR ChangedAdmin accounts (if/else?).
    Would the above work or do you see some real world deployment issues?
    I know this is probably very easy, but as I am new to PS I thought I'd ask for help here.

    Rob Simmers

    What you are trying to do is a pretty common task, so there is probably a lot of knowledge on the internet about it. I quickly found this function from Jeff Hicks that will set a password and enable\disable the account:

    You can certainly use net user commands or try to leverage a strictly Powershell solution. The biggest differentiator will be the amount of logging you can do with Powershell versus using a command-line utility. You could update this function with the ability to rename the account to a new name as his solution is using ADSI as well.

    One thing the function is asking for is the name of the administrator account. For this you can leverage WMI to get the account based on the SID:

    Get-WMIObject -Class Win32_Account -Filter "LocalAccount = True And SID Like '%500%'"

    Make sure you are developing and testing the function on a computer with the lowest version of Powershell (e.g. 2.0) to ensure all functionality will work on all systems. For instance, if you used Get-CIMInstance versus Get-WMIObject the Powershell version would need to be 3.0.

    Edit: Also, how to deploy the script is really at your discretion. If you have SCCM, you should certainly leverage it. If you do decide to do this by doing RPC calls to remote systems, you can do that by using Invoke-Command or passing a computer name like the function is doing. Consider making the task a PowerShell Job so that you are connecting to multiple systems at once and not one at a time.

    TheDon

    Thank you for your quick reply, and you make an excellent point with the PS versions as we do have some older legacy servers. This would be a best effort scenario and the servers that had an error will have to be changed by hand. I was planning on using the results of the SCCM deployment to determine which would need to be touched.
    I know that some of the servers already have had the local administrator account's name changed, so I was interested in adding in the code that would try one account, then the other, else throw an error.
    If a local administrator account named "Administrator" exists then execute name change/password set and activate,
    If a local administrator account named "NewName" exists then execute name change/password set and activate,
    Else error out.
    Clearly I started playing with PS yesterday and really don't know where to start, except that the code I included in the original post does exactly what I need it to; it just doesn't account for the 2 accounts.
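
The if/else asked for above, as an added example that is not code from either poster or from the Jeff Hicks function: it finds the built-in administrator by a SID pattern anchored on the trailing RID 500, renames it only when needed, then sets the password and enables the account, using only PowerShell 2.0 features. The function name `Set-BuiltinAdministrator` and the `-ExpectedNames` parameter are hypothetical, and `NewName` is the placeholder from the thread.

```powershell
function Set-BuiltinAdministrator {
    param(
        [Parameter(Mandatory = $true)][string]$NewName,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [string[]]$ExpectedNames = @('Administrator')   # assumed list of known old names
    )

    # Match the well-known RID 500 at the END of the SID, so a "500" that happens
    # to appear inside the machine part of another account's SID cannot match.
    $admin = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
        Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' })
    if ($admin.Count -ne 1) {
        throw "Expected exactly one local RID-500 account, found $($admin.Count)."
    }
    $admin = $admin[0]

    if ($admin.Name -ne $NewName) {
        # "Else error out": refuse names nobody expected, so the deployment reports a failure.
        if ($ExpectedNames -notcontains $admin.Name) {
            throw "Built-in administrator has unexpected name '$($admin.Name)'."
        }
        # The target name must not already belong to some other local account.
        $clash = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True And Name = '$NewName'"
        if ($clash) { throw "'$NewName' is already used by another local account." }

        $result = $admin.Rename($NewName)
        if ($result.ReturnValue -ne 0) {
            throw "Rename failed with WMI return value $($result.ReturnValue)."
        }
    }

    # Set the password and clear ADS_UF_ACCOUNTDISABLE (0x2) through ADSI.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user = [ADSI]"WinNT://$env:COMPUTERNAME/$NewName,user"
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $user.UserFlags = $user.UserFlags.Value -band (-bnot 2)
        $user.SetInfo()
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the plaintext copy
    }
    "Built-in administrator on $env:COMPUTERNAME is '$NewName' and enabled."
}

# Usage: Set-BuiltinAdministrator -NewName 'NewName' -Password (Read-Host -AsSecureString 'New password')
```

Because every failure path throws, a non-zero result in the SCCM deployment or in a job's error stream marks the servers that still need to be changed by hand.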
