Saturday, October 10, 2009

Powershell script to change local administrator password across multiple computers

Ok, this is yet another script for changing local administrator passwords across most Windows servers and desktops (works on Windows 2000, 2003, 2008, XP, and Vista). The difference here is that, in my quest to find one quickly, I stumbled across a bunch of VBScripts that are decent but overkill, so I ended up writing my own script that will:
  1. Parse a list of server names

  2. Verify the server is online

  3. Only try to change the password if it is online

  4. Tell me if it succeeded, failed, or skipped a down system

Fortunately, all of this is available in Powershell with little real effort. Below is a quick script to do all of the above. Before running it, be sure that:
  1. The account you're running it under has administrative rights to each system. If you're spanning domains without trusts, you should use the "Stored Usernames and Passwords" control panel to add your credentials for each domain (specify the resource as *.domain.name, and use FQDNs in step 2).

  2. You create a list of servers, one per line, called "serverlist.txt" in the same folder from which you run the script (you can change the filename and path by editing the script below).

  3. You change the placeholders below to have the proper local admin username and new password (we have a GPO to rename the administrator account, so I don't assume "Administrator").

The script:
# Hide the noise from Get-Content / ping failures; SetPassword failures are caught explicitly below.
$ErrorActionPreference = "SilentlyContinue"

foreach ($Computer in Get-Content serverlist.txt) {
    $ServerName = $Computer.ToUpper()

    # Step 2: check that the host answers a ping before touching it
    $Ping  = New-Object System.Net.NetworkInformation.Ping
    $Reply = $Ping.Send($Computer)

    if ($Reply.Status -eq "Success") {
        Write-Host "$ServerName is online"

        # Step 3: bind to the local account through the WinNT ADSI provider and set the password.
        # Replace both placeholders. Note that the new password sits in clear text in this file.
        $Admin = [adsi]("WinNT://" + $Computer + "/--ADMINUSERNAMEHERE--,user")

        # Step 4: SetPassword throws (access denied, no such account, RPC failure) when it
        # fails, so the result comes from the call itself rather than from PasswordAge,
        # which is non-null whether or not the change went through.
        try {
            $Admin.PSBase.Invoke("SetPassword", "--NEWPASSWORDHERE--")
            Write-Host "$ServerName password change SUCCEEDED"
        } catch {
            Write-Host "$ServerName password change FAILED: $($_.Exception.Message)"
        }
    } Else {
        Write-Host "$ServerName is not online - skipping"
    }
}

11 comments:

notworthreading said...

I've run the script, but keep getting the failed error message. Not finding anything in the logs on either the source or target machine to indicate why it is failing. Any suggestions as where to look?

Aaron Dodd said...

Sure. Did you change the portions for the administrator username and password, making sure the administrator username is the current admin username (this doesn't rename) and ensuring to not remove the "/" in the script?

I.e. if my local admin username is "Administrator" this line should be:
$Admin=[adsi]("WinNT://" + $Computer + "/Administrator, user")

Also, you have to be running this as an account that has administrative rights to the remote system. I.e. the machine you're running this from must either be on the domain or a member of a trusted domain and your account must be a local admin on those boxes (i.e. a Domain Admin).

You can test this by opening a command prompt and trying to run "dir \\servername\admin$" If that doesn't work, you need to either run this from a machine/account that is a member of the domain or trust, or set up your "Stored Usernames and Passwords" control panel to cache credentials. See http://support.microsoft.com/kb/306541

Anonymous said...

If passwordAge equals null, the password change is successful

notworthreading said...

I don't know why, but today it worked. I haven't changed anything.

notworthreading said...

So I just reset the password to something else, and went to run the script again. Now it fails. This is weird.

notworthreading said...

Is there a log somewhere to check for what is going on?

notworthreading said...

Ok, rebooted the target machine, tried again, and it works. Funky.

notworthreading said...

Still playing with this. I can't figure out why sometimes it works and other times it doesn't. Launching from W7, trying to change a 2008 R2 and 2003 R2 machine. The 08 worked a couple of times, but not every time. 2003 not yet.

Aaron Dodd said...

Other than looking for errors on the target servers' event log (i.e. security log, see if your attempt is getting denied access) there are no logs I can think of.

I've used this to change 2003, 2008, and 2008 R2 passwords, but each time I was running from a machine in the same domain as the targets and as a domain admin.

Can you verify if the password actually changed even if you get the failed message? This really is a quick and dirty script and it worked for me but I've a rather vanilla domain setup. If you want to give me some more idea about your environment and how you're running this I might be able to help. You can email me at aarondodd at gmail dot com.

squid808 said...

Hi, is there any way to modify this to work on a local machine? We don't have a domain set up and it seems that every script is made for domains... we want to just run the script on each machine locally/manually to change a password. Thoughts?

Aaron Dodd said...

There is nothing domain-specific in this script. You just need to be an admin of the machine you're running this on. To do this to the local machine, $Computer would be your local computer name (i.e.: "$Computer = $env:COMPUTERNAME" or just replace $Computer with $env:COMPUTERNAME)
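A variant of the post's script, added here as an example and not the author's code, that prompts for the password instead of storing it in the file, judges success by whether SetPassword threw, writes a per-host CSV log, and takes a -ComputerName list so it also covers the local-machine case discussed above. It assumes PowerShell 2.0 or later and the same serverlist.txt layout; the 60-second password-age bound is an assumption made for this example.

```powershell
# Added example, not the script from the post. Assumes PowerShell 2.0+.
# Run with -ComputerName $env:COMPUTERNAME to reset the account on this machine only.
param(
    [string[]]$ComputerName = (Get-Content .\serverlist.txt),
    [string]$AdminName = "Administrator",          # current local admin account name
    [string]$LogPath   = ".\password-change-log.csv"
)

# Read the new password without echoing it; keep the clear-text copy short-lived.
$Secure = Read-Host "New password for $AdminName" -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

$Results = foreach ($Computer in $ComputerName) {
    $Computer = $Computer.Trim()
    if (-not $Computer) { continue }
    $Status = "Skipped"; $Detail = "not online"

    if (Test-Connection -ComputerName $Computer -Count 1 -Quiet) {
        try {
            $Admin = [adsi]"WinNT://$Computer/$AdminName,user"
            $Admin.PSBase.Invoke("SetPassword", $Plain)   # throws on denied/missing account/RPC failure
            # Re-read from the target: a just-set password reports an age close to 0 seconds.
            # The 60-second bound is an assumption chosen for this example.
            $Admin.PSBase.RefreshCache()
            $Age = [int]$Admin.PasswordAge.Value
            if ($Age -lt 60) { $Status = "Succeeded"; $Detail = "" }
            else             { $Status = "Failed";    $Detail = "PasswordAge=$Age s" }
        } catch {
            $Status = "Failed"; $Detail = $_.Exception.Message
        }
    }
    Write-Host "$($Computer.ToUpper()): $Status $Detail"
    New-Object PSObject -Property @{
        Computer = $Computer; Status = $Status; Detail = $Detail; When = Get-Date
    }
}
$Plain = $null   # drop the clear-text copy as soon as the loop is done
$Results | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host "Results written to $LogPath"
```

A "Failed" row whose Detail is an access-denied message points at the credential problem described in the comments; a row with a large PasswordAge means the call returned but the target did not record a new password.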