Change/set local admin password on all servers

The local admin password on our servers had not been changed in 10 years – I decided it was time to change it. My first instinct was to use Group Policy as it is easy and I have done it in the past. My colleague soon pointed out this recent MS article he came across. It states that Group Policy should not be used to set the password and that in recent updates they grayed out the option. Interestingly enough, I was still able to set this setting using the GP MGMT console from my PC - I must not have had the update that grays it out. (From the DC it was grayed out.)

Anyways, a little searching and I came across this script on TechNet. It was exactly what I was looking for. This script is very simple and you do not have to change or edit anything in it – you just need to pass the proper parameters.

First, I created another script to build the list of servers/machines that I wanted to change the password on. I did so by running the following script/commands:

____________________________________________________

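# Clear the console and load the Active Directory cmdlets
Clear-Host
Import-Module ActiveDirectory

# Find every computer object whose OS is a Windows Server edition
$servers = Get-ADComputer -LDAPFilter "(operatingSystem=Windows*Server*)" -SearchBase "DC=<enter path>,DC=<enter path>,DC=<enter path>"
$servernames = $servers | Select-Object -ExpandProperty Name | Sort-Object

# Build one object per server with a single ServerName column
$report = @()
foreach ($S in $servernames)
{
    $in = @{}
    $in.ServerName = "$S"
    $out = New-Object -TypeName PSObject -Property $in

    $report += $out
}

# Write the list to CSV (quoted so a path containing spaces still works)
$report | Export-Csv -Path "\\<ENTER PATH>\computers.csv" -NoTypeInformation -Force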

_________________________________________________________

This script will export all Windows Servers in your domain to a CSV. (Be sure to enter a domain path and a path for the CSV.) I took that CSV and omitted the first line so all I had was a list of server names.

Once you have your list of servers, simply run the set-password script and pass parameters to it like so:

set-password -computer (get-content "computers.csv") -user administrator

If you wish to just change the password on one computer, just put the name in like so:

set-password -computer <computername> -user administrator

This script did not take much time at all to change the password on approx. 200 machines.

*Please note* - You will have to run the script as a user that is a local admin on all the machines you are trying to set the password on - I used a domain admin. Also, make sure the computers.csv is in the same location as set-password.ps1.
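
To confirm the change took effect on every machine, the following added example (not part of the original post or the TechNet script) reads the account's password age from each server through the ADSI WinNT provider and flags machines where it is older than expected. The variable names, the 24-hour threshold and the status labels are assumptions; run it as an account that is a local admin on the targets, as for the change itself.

```powershell
# Added example: audit the local account's password age after the change.
$ListPath    = '.\computers.csv'   # assumption: the same list passed to set-password
$User        = 'administrator'
$MaxAgeHours = 24                  # assumption: the change ran within the last day

# Accept the list with or without the CSV header line, and strip the
# double quotes that Export-Csv wraps around each value.
$computers = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object   { $_ -and $_ -ne 'ServerName' }

$results = foreach ($computer in $computers) {
    $ageHours = $null
    $status   = 'Unreachable'
    try {
        # The WinNT provider exposes PasswordAge in seconds since the last set.
        $account = [ADSI]"WinNT://$computer/$User,user"
        $seconds = $account.PasswordAge.Value
        # A null value means the bind failed; do not let it read as "age 0".
        if ($null -ne $seconds) {
            $ageHours = [math]::Round($seconds / 3600, 1)
            $status   = if ($ageHours -le $MaxAgeHours) { 'Changed' } else { 'Stale' }
        }
    }
    catch {
        # Offline host, renamed account, access denied, etc.
        $status = "Error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ServerName       = $computer
        PasswordAgeHours = $ageHours
        Status           = $status
    }
}

# List servers that still need attention first.
$results | Sort-Object { $_.Status -eq 'Changed' }, ServerName | Format-Table -AutoSize
```

Any server reported as Stale, Unreachable or Error still has the old password or could not be checked, and needs a second pass.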

Have fun!

akers8806