- Add a domain user or group to local administrators with PowerShell - Wed, Mar 19 2014
- Create a list of local administrators with PowerShell - Wed, Mar 5 2014
- Remotely query user profile information with PowerShell - Tue, Nov 26 2013
I still remember the days (way back in 2003-2004) when we were asked to change the local administrator password manually on all 2000+ computers in a weekend. Back then, system administrators in my region were pretty far removed from automation. But things evolved greatly after that, and system administrators started using programming languages (like VBScript) to automate tasks. Automation tasks have become much easier these days with the introduction of PowerShell.
So, let us see how we can change the local administrator password for a given list of computers using a PowerShell script.
Changing the administrator password with PowerShell
$password = Read-Host "Enter the password" -AsSecureString
$confirmpassword = Read-Host "Confirm the password" -AsSecureString
$pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.
InteropServices.Marshal]::SecureStringToBSTR($password))
$pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.
InteropServices.Marshal]::SecureStringToBSTR($confirmpassword))
if($pwd1_text -ne $pwd2_text) {
Write-Error "Entered passwords are not same. Script is exiting"
exit
}As you will notice in the above code, I am prompting to confirm the password twice so that it won’t be entered wrong and cause the script to run again. I am also reading the password in a secure manner so that no one else can see it when it is being typed. Once the password is confirmed, the next two lines of dotnet code convert the password into plain text for comparison. If the comparison fails, the script exits; otherwise, it continues.
Now that we have the password, it is time to read the list of computers from a text file.
Reading list of computers
if(!(Test-Path $InputFile)) {
Write-Error "File ($InputFile) not found. Script is exiting"
exit
}$Computers = Get-Content -Path $InputFile
Before reading the text file, I am doing a small check to see if that file exists or not. If the file is not found, the script exits. Otherwise, the script reads the contents of the file using the Get-Content cmdlet and stores the list in an array called $computers.
Now that we have the list of computers, we can start changing the password for each computer. That is what the below code does.
Chaging the password on multiple computers
foreach ($Computer in $Computers) {
$Computer = $Computer.toupper()
$Isonline = "OFFLINE"
$Status = "SUCCESS"
Write-Verbose "Working on $Computer"
if((Test-Connection -ComputerName $Computer -count 1 -ErrorAction 0)) {
$Isonline = "ONLINE"
Write-Verbose "`t$Computer is Online"
} else { Write-Verbose "`t$Computer is OFFLINE" }
try {
$account = [ADSI]("WinNT://$Computer/Administrator,user")
$account.psbase.invoke("setpassword",$pwd1_text)
Write-Verbose "`tPassword Change completed successfully"
}
catch {
$status = "FAILED"
Write-Verbose "`tFailed to Change the administrator password. Error: $_"
}
$obj = New-Object -TypeName PSObject -Property @{
ComputerName = $Computer
IsOnline = $Isonline
PasswordChangeStatus = $Status
}
$obj | Select ComputerName, IsOnline, PasswordChangeStatus
if($Status -eq "FAILED" -or $Isonline -eq "OFFLINE") {
$stream.writeline("$Computer `t $isonline `t $status")
}
}I am looping through each computer account in the array and first checking if it is online or not by using the Test-Connection cmdlet. This cmdlet does a ping check by sending one ICMP packet to the computer. If the ping is successful, the script changes the password. To do that, I am using the WinNT interface, which is pretty famous from VBScript days. After I get the reference to the administrator account, I invoke a method called SetPassword to change the password. If the password change fails, the respective error will be recorded using the catch block.
That’s it. The script has done its job and you will see the result in the console.
As you’ll notice in the output, the script creates a list of computers where the password has failed. The file "failed-computers.txt" is stored in the directory where the script picked up the computers list. If you want to provide a different directory where you want to store files, just pass the directory name to the -OutputDirectory parameter while executing the script.
Download the complete script from here.
A few tips for using this script
Type “Get-Help .\Update-LocalAdministratorPassword.ps1 -Detailed” in a PowerShell console for help.
- Use the -Verbose switch from the command line if you want to see the debug information and error messages at each stage.
- Passing the file name to the script is optional. The script will prompt you for the file if you don’t pass it.
- Using this script, you can change the password of any local account. Just replace “administrator” with the account name for which you want to change the password.
Hi,
That’s a useful technique but is it really a good idea to be using the same password for the local administrator account on multiple machines?
Regards,
Jason
I have seen many corporates using the same local administrator password for all their desktops. It is definitely not a best practice IMO, but having different password for each desktop increases the administrative work if we have more no. of desktops.
Will the password be sent clear text over the network since you convert it to do the compare?
Yes, it will be sent as clear text only. The “setpassword” invoke method I used in the script accepts the password in plain text format. The reason I am reading the password as secure string is to ensure that no one sees the password(or not readable from console cache if exists) while entering it.
Is it possible to change to a unique password for each server, by using the text file which will already include a different password manually inputed next to the name of each server on the list.
I clicked on the link to download the script “here”… when I do it shows a full page of txt, so I copy it and paste into my ISE and it pastes as one Loooong line. How do i break it up and get it to display correctly in my ISE so as to not “break” the function of the scripts?
Dave, I just tried it in Chrome and I didn’t have the problem. You could also right click the link and save the ps1 file.
I had a slight issue when I tweaked the username from “Administrator” to “admin”. For some reason logging in as admin shows Preparing Desktop, then black, then Logging Off and takes you back to the login. I was able to resolve it by deleting the account and readding it through lusrmgr.msc but was wondering if there’s something I’ve missed.
How should the computer list text file be formatted, one entry per line, space separated, comma separated?
I ran the script and it ended up changing the password of the Domain Administrator not the local administrator. I did not modify the script in any way.
Never mind, fixed my issue. Thanks for the script!
@Dave, Whats the issue and fix? You might want to share it to help people who commit the same.
@Matthew Cooper, Apologies for late reply. It is one computer name per line.
Hi Sitaram Pamarthi ,
Will be nice if this scipt input file like format below
Computer name Password
PC1 123456
PC2 Summer!
Very helpful if scirpt able input computer and password at same time
I am getting a “you cannot call a method on a null-valued expression” error while running the script for line “$stream.writeline(“$Computer `t $isonline `t $status”)”
any thoughts?
Close to what I need, but I’d like to be prompted for the password, have the password displayed and it say “are you sure this is correct?”, if I click OK, prompt me for the name of the PC. When I type it in and click OK, have it ask me once more, “Do you wish to continue?” and when I click OK, go and change the remote password. Then ask me if I’d like to change another, and loop back (or just ask me a new computer name using the same password where I could cancel if I were done).
Thanks
Thank you a lot for that script, it worked like a charm!! If you want to modify other users, you should simply change the “Administrator” name. Each line a computer/server, i just exported a list out of our ESX-Serverfarm and copied it in a plain text file.
Thanks for the script! Very useful! It would be nice if the account was not available or setup on the local machine, the script creates it and sets the account password specified. Thanks again!
I am getting a “you cannot call a method on a null-valued expression” error while running the script for line “$stream.writeline(“$Computer `t $isonline `t $status”)”. what can i do to fix it?
this is my error when i run the script.
You cannot call a method on a null-valued expression.
At D:\\ProcessPhotos_2.ps1:41 char:4
+ $stream.writeline(“$Computer `t $isonline `t $status”)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
how can i fix it?
Thank you! Nice script! 🙂
i tried this script, but it didnt gave me any output. no error , no output.
I can see this being a great script if I could get it to work! I keep getting this:
VERBOSE: Working on HERALD-LP10
VERBOSE: HERALD-LP10 is Online
VERBOSE: Failed to Change the administrator password. Error: Exception calling “Invoke” with “2” argument(s): “The password does not meet the password policy requirements. Check the minimum password length, password complexity
and password history requirements.
”
Password requirements are set at the default, and I can set the local administrator password manually without generating this error.
Hi! Great script! One question though… is there a way to go about encrypting the password?
Hi !!
Sitaram Pamarthi, nice script thanks!
i have an error
how i add the credentials with administrative privilegies i think i for that the error
my output is:
computername isoline passwordchangestatus
xxxxxxxxx ONLINE FAILED
any idea?