Professional Documents
Culture Documents
i) ii) In your GPO manager create a new GPO or edit your Default GPO policy. Then under Computer configuration go to Preferences then go to Control Panel setting then go to Local users and Groups from there you can Set the local admin password and Disable all other local accounts you can also add a security group to your Administrators groups as well
1. There is a Group Policy Preference (GPP) that can do it for you Changing the local Administrator password on domain members has become pretty easy with the advent of Group Policy Preferences. Start the Group Policy snap-in, expand Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User. Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Press OK. 2. You can script it This script will change your local Administrators passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)
Set WshNetwork = WScript.CreateObject("WScript.Network") strComputer = "." Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user") objUser.SetPassword "NEW.PASSWORD" ' Enter new password between brackets objUser.SetInfo
Best way to use this script is to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account. Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.
Set colAccounts = GetObject("WinNT://" & strComputer & "") colAccounts.Filter = Array("user") Message = Message & "Local User accounts:" & vbCrLf & vbCrLf For Each objUser In colAccounts If objUser.Name <> "Administrator" AND objUser.Name <> "ASPNET" Then Message = Message & objUser.Name If objUser.AccountDisabled = TRUE then Message = Message & " is currently disabled" & vbCrLf Else Message = Message & " was enabled" & vbCrLf objUser.AccountDisabled = True objUser.SetInfo End if End If Next ' Initialize title text. Title = "Local User Accounts By Andrew Barnes" objShell.Popup Message, , Title, vbInformation + vbOKOnly
Save the script to a .vbs file and deploy it to a startup script or user logon script. You can configure it at: GPO-->Computer Configuration-->Windows Settings-->Script-->Startup Or GPO-->User Configuration-->Windows Settings-->Script-->Logon For more information please refer to following MS articles:
Startup, shutdown, logon, and logoff scripts http://technet.microsoft.com/en-us/library/cc739591(v=WS.10).aspx Create System Startup / Shutdown and User Logon / Logoff Scripts http://technet.microsoft.com/en-us/magazine/dd630947.aspx