Reset password for renamed Administrator account

StackOverflow https://stackoverflow.com/questions/1511211

Question

I need to create a .VBS script to reset the Windows local administrator password on a large group of computers. My problem is that some of our sites have renamed the administrator account for security reasons. Does anyone have a script which changes the password of the administrator account based on the SID of the original Administrator account?

Was it helpful?

Solution

Using the fact that local admin's SID always ends with -500:

strComputer="."    ' local computer by default   
Set objUser=GetObject("WinNT://" & strComputer & "/" & GetAdminName & ",user")     
objUser.SetPassword "New local admin password"     
objUser.SetInfo 

Function GetAdminName   
  'This function was written using information from Table J.1 from the Windows XP resource Kit
  'http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp

  Set objNetwork = CreateObject("Wscript.Network") 'get the current computer name 
  objComputerName = objNetwork.ComputerName    
  Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)

  qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'" 
  'set query, making sure to only look at local computer

  For Each Admin in objwmi.ExecQuery(qry)   
    if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 'look for admin sid
       GetAdminName = admin.name
    end if   
  next    
end Function

OTHER TIPS

There's a tool floating around somewhere called LookupAccountName (with source!) that given the SID of the builtin adminitrator will give you its name.

You're probably going to end up writing C++ code to pull this one off reasonably well.

Like Joshua says, I don't think you can do this with windows scripting host only, you could use it download something and execute it:

  • A custom app that calls LookupAccountSid(S-1-5-domain-500 SID or enum admin group)+NetUserSetInfo to reset the password (Needs to run this as admin)
  • http://home.eunet.no/pnordahl/ntpasswd/ (Reset at boot)
  • Dump the SAM hashes and crack the password (Cain,John the Ripper,L0phtCrack etc)

@DmitryK's answer is good, and I didn't know any of that stuff. But I do know that this sort of thing is usually cleaner in PowerShell, so I ported it.

For example, the whole GetAdminName function can be written:

$adminName = (gwmi win32_account | ? { $.SID.StartsWith( 'S-1-5-' ) -and $.SID.EndsWith( '-500' ) }).Name

(Add the -ComputerName option to the gwmi call to do this on a server.)

The rest becomes:

$user = ([ADSI]"WinNT://$($env:COMPUTERNAME)/$adminName,User")
$user.SetPassword( 'xxx' )
$user.SetInfo()

(applying the appropriate computer name as needed, of course.)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top