How do I keep the local admin password consistent across an OU?

We have a number of PCs running XP SP2 (and a couple running SP1) already in production, and we're looking to keep the local administrator's password consistent across the OU. The only solutions I can think of would be using pspasswd to change all of their passwords, or having a script containing the password run locally on the PCs.

Unfortunately, pspasswd won't work on computers that aren't online and a local script containing the password would be insecure.

Is there any other viable solution? How can I account for computers that aren't online at the time of the password change?


Although there is not a Group Policy setting that can do this, there is a Group Policy Preferences setting that will. More information here: http://blogs.technet.com/askds/archive/2007/11/28/introducing-group-policy-preferences.aspx

Edit: One other option is to use the Passgen utility that Steve Riley and Jesper Johansson (both formerly from Microsoft) wrote for their book "Protect Your Windows Network". It actually sets a unique local administrator password for each computer in the domain (which is much more secure... if you have them all the same, the compromise of one computer means the compromise of all the computers in your domain). From the description:

In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

Passgen is free, and you can get it here: http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
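Passgen's approach, a unique per-computer password derived from one secret passphrase plus a per-computer identifier, as an added Python example that is not Passgen's own code (the KDF, salt label, alphabet and length are my assumptions):

```python
import hashlib
import hmac
import string

# Added example, not Passgen's own code: each computer's local administrator
# password is derived from one secret passphrase plus a public per-computer
# identifier. No password is stored anywhere; re-running the derivation with
# the same inputs reproduces it, so a computer that was offline during the
# rotation can be set (or its current password looked up) later.

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
PASSWORD_LENGTH = 20
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%&*+-=?@_")


def _keystream(key: bytes, label: bytes):
    """Unbounded deterministic byte stream: HMAC(key, label || counter)."""
    counter = 0
    while True:
        yield from hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def derive_password(passphrase: str, computer_name: str, generation: int = 1) -> str:
    """Return the unique password for one computer.

    passphrase    : the secret the administrator keeps (never placed on the PC)
    computer_name : public identifier, e.g. the NetBIOS name (case-insensitive)
    generation    : increment to rotate every machine without changing the passphrase
    """
    # Slow KDF on the passphrase: a leaked derived password must not make the
    # passphrase cheap to brute-force. The salt is a fixed, constructed label.
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"local-admin-example-v1", 100_000)
    label = f"{computer_name.strip().upper()}|{generation}".encode()
    limit = 256 - (256 % len(ALPHABET))  # rejection sampling avoids modulo bias
    chars = []
    for byte in _keystream(key, label):
        if byte >= limit:
            continue
        chars.append(ALPHABET[byte % len(ALPHABET)])
        if len(chars) >= PASSWORD_LENGTH:
            candidate = "".join(chars[-PASSWORD_LENGTH:])
            # Slide the window until the password contains every character class.
            if all(any(c in cls for c in candidate) for cls in _CLASSES):
                return candidate


def rotation_table(passphrase: str, computers, generation: int = 1) -> dict:
    """Password per computer for one rotation; compute on demand, never persist."""
    return {name: derive_password(passphrase, name, generation) for name in computers}
```

The table is what you would feed to pspasswd (or whatever sets the account) per machine; machines that were offline get the same value from the same inputs whenever they come back.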


I'm not sure what you're looking for here since it would be difficult to deploy a local account password change solution that will 'somehow' work for online and offline computer accounts. The process, whether it's an actual script or GP, would be for them to get the password change at 'some point' when they're online. If you want to deploy this as a one-time action on a certain timeframe, you would have to do the offline computers manually.

I'm sure you've probably read this, but here are some solutions that were suggested in a previous question related to yours: https://serverfault.com/questions/23490/is-there-a-group-policy-that-would-push-a-new-user-name-and-password-to-all-local