Is there a group policy that would push a new user name and password to all local machines on a network?

I work on a small network that runs on Windows Server 2003, with machines running XP. Is there a Group Policy that could push a new user name and password to replace our old local administrator user accounts?


I use PsPasswd from Sysinternals.

http://www.microsoft.com/technet/sysinternals/Utilities/PsPasswd.mspx

Here is a user automating it:

http://forum.sysinternals.com/forum_posts.asp?TID=9469

Edit:

I also just found this, which is exactly what you are asking for:

http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=505


I use a computer startup script to do this for local "Administrator" passwords, combined with a "trap door" group membership so that the script only runs once.

  • Create a group in the AD - "Local Administrator Password Set". Modify the permissions on the group to allow "Domain Computers" to "Add/Remove Self as Member".

  • Create a new GPO, "Set Local Administrator Password" and link it wherever you want in the directory. Modify the permission on the GPO to DENY "Apply Group Policy" to members of the "Local Administrator Password Set" group. Remove the "Authenticated Users" from the stock permission and add "Domain Computers" with "Read" and "Apply Group Policy" permission.

  • Add a startup script to the GPO with:

    NET USER Administrator new_password_here
    NET GROUP "Local Administrator Password Set" %COMPUTERNAME%$ /ADD /DOMAIN

  • Link the GPO wherever I want it to apply.

(I really enjoy doing "trapdoor" scripts like this. I use them to run SYSOCMGR the first time a new PC is joined to the domain, etc.)
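The two-line startup script in the answer above runs NET USER and NET GROUP back to back with no check that the first one succeeded: if the password change fails (policy rejection, a renamed account, a long password triggering NET USER's interactive "longer than 14 characters" prompt, which hangs a hidden startup script), the machine still adds itself to the trap-door group and the GPO never tries again. The following is an added example of the same trap-door script with those checks; it is not the answer author's script. It assumes the group name from the answer, that the local account is still called Administrator, a placeholder password, and a log file path chosen here only for illustration. One caveat applies to the original and to this version alike: the password sits in plain text in a script under SYSVOL, so anything that can read the GPO (at minimum the SYSTEM context on every domain computer) can read it.

```batch
@echo off
setlocal

REM ---- Parameters. Group name is from the answer; the rest are assumptions. ----
set "TRAPGROUP=Local Administrator Password Set"
set "LOCALACCT=Administrator"
REM Placeholder. Keep it free of spaces and cmd metacharacters (% ^ & | < > ")
REM because it is passed to NET USER unquoted below.
set "NEWPASS=ReplaceMe-With-A-Long-Passphrase"
set "LOGFILE=%SystemRoot%\Temp\SetLocalAdminPw.log"

REM This runs as SYSTEM at computer startup, so the domain sees it as the
REM computer account %COMPUTERNAME%$, the identity the answer grants
REM "Add/Remove self as member" on the trap-door group.

REM 1. Idempotency guard: if this machine is already a member (for example the
REM    GPO ACL change has not replicated to this DC yet), do not reset again.
net group "%TRAPGROUP%" /domain | find /i "%COMPUTERNAME%$" >nul
if not errorlevel 1 (
    echo %date% %time% %COMPUTERNAME% already in "%TRAPGROUP%", nothing to do>>"%LOGFILE%"
    goto :end
)

REM 2. Set the password. NET USER asks "Do you want to continue? (Y/N)" for
REM    passwords longer than 14 characters, so feed the answer through the
REM    pipe instead of letting the hidden script block. Non-zero errorlevel
REM    means the change did not happen, so stop here and leave the trap open.
echo Y| net user %LOCALACCT% %NEWPASS% >>"%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %date% %time% NET USER failed, machine left out of "%TRAPGROUP%">>"%LOGFILE%"
    goto :end
)

REM 3. Only now close the trap door: add the computer account to the group so
REM    the GPO's "Deny Apply Group Policy" ACE stops this script running again.
net group "%TRAPGROUP%" %COMPUTERNAME%$ /add /domain >>"%LOGFILE%" 2>&1
if errorlevel 1 (
    echo %date% %time% password set but group add failed, will retry next boot>>"%LOGFILE%"
) else (
    echo %date% %time% password set, %COMPUTERNAME%$ added to "%TRAPGROUP%">>"%LOGFILE%"
)

:end
endlocal
```

The ordering is the whole point: the group add (the step that stops the GPO applying) happens only after NET USER reports success, so a failed change is retried at the next boot instead of silently becoming permanent. The membership check at the top also means a machine that cannot reach a domain controller (a laptop off the network) simply finds nothing and falls through; it will reset its own password on every boot until it can add itself to the group, which is worth knowing before pointing this at mobile machines.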


Password, no; you can, however, set the Administrator username using GP. It's under:

  • Computer Settings
  • Windows Settings
  • Security Settings
  • Local Policies
  • Security Options

Find the one called "Rename administrator account", and change it to whatever you want.

For resetting the password, we've simply set them all on installation to ridiculously long strings, then created a "Workstation Admin" group in Active Directory; then, using Group Policy, go to:

  • Computer -> Windows -> Security -> Restricted Groups

Add the new group, and make them a member of "Administrators". So long as your PCs are joined to the domain, and you give your techies membership of this group, they can log on using their personal Active Directory accounts, rather than sharing a local administrator account (which gives you much more accountability!).

Your mileage may vary when using this technique on laptops or machines that are often disconnected from AD, of course.

Hope that helps!