Tuesday, December 18, 2012

AD 2008R2 - Setting Local Administrator Password via GPO

When you are managing a large environment, changing the local administrator password on a regular basis can be challenging. There are various tools out there, and you can do it with scripting, but the easiest way to do it is by using Group Policy. In this segment I am going to walk through the process of setting up the GPO.

Create the GPO:
On your Domain Controller, open Group Policy Management. Drill down to the domain where you want to create the policy and expand Group Policy Objects. Right Click in the active window and Select New. Let's call the GPO Local Admin PW. Click OK.

Edit the GPO:
You should see the newly created GPO in the active window. Right Click on it and Select Edit. In the Group Policy Management Editor, drill down to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right Click on Local Users and Groups and Select New > Local User.

For the Action, Select Update. In the User name field, type Administrator. Type and Confirm the new password you want applied. Uncheck all but Account never expires and Click OK.
*Note - This is also a great way to get rid of any local accounts that are out there that are no longer needed. Under Action Select Delete, enter the account name, then continue with the steps below.

Back on the Group Policy Management Editor you will see the new Administrator user element has been created in the Active Window. Go ahead and close this and go back to Group Policy Management.

Apply & Test the GPO:
Next we need to apply the GPO to the OU that has the computers which will receive it.

*Caution - You should test all GPOs in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree, simply drag the Local Admin PW GPO to the OU containing the computers you want it to be applied to. You will be prompted to link the GPO to the OU. Click OK.

The final step is to test the GPO. Log into a machine that is in the OU you applied the GPO to and open a command prompt. Run the following:
gpupdate /force

Log out of the computer and log back in as the Administrator using the new password.
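
Group Policy Preferences saves the password entered in the Local User item as a cpassword attribute in the GPO's XML under SYSVOL, which domain users can read and recover, and the MS14-025 update (KB2962486) later removed that password field for this reason. The PowerShell below is an added example, not part of the original post, that lists every preference item still carrying a stored password. Find-GppStoredPassword and the sample Groups.xml are constructed for illustration.

```powershell
# Added example. Find-GppStoredPassword is a hypothetical helper name, not a built-in cmdlet.
function Find-GppStoredPassword {
    param(
        # Folder to search, for example \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory = $true)] [string] $Path
    )
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Skip anything that is not well-formed XML.
            try { $doc = [xml](Get-Content -LiteralPath $file) } catch { return }
            # Match any element whose cpassword attribute is present and not empty.
            foreach ($node in $doc.SelectNodes('//*[@cpassword != ""]')) {
                $item = $node.ParentNode
                # Report where the password is stored, never the value itself.
                New-Object PSObject -Property @{
                    File     = $file
                    ItemType = $item.LocalName               # element name, e.g. User
                    Account  = $node.GetAttribute('userName')
                    Changed  = $item.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample: a trimmed Groups.xml shaped like the one the Local User item
# in this walkthrough produces. The cpassword value is a placeholder, not real data.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2012-12-18 10:00:00">
    <Properties action="U" userName="Administrator" neverExpires="1"
                cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
  <User name="OldSupport" changed="2012-12-18 10:05:00">
    <Properties action="D" userName="OldSupport" />
  </User>
</Groups>
'@
$dir = Join-Path $env:TEMP 'gpp-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Value $sample -Encoding UTF8

# Expect one row: the Administrator update item. The delete item has no cpassword.
Find-GppStoredPassword -Path $dir | Format-Table ItemType, Account, Changed, File -AutoSize
```

Against a live domain, point -Path at the Policies folder under SYSVOL. Each row returned identifies a preference item whose stored password should be removed from the GPO and whose account password should then be changed.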


More to come!
