How to bulk-change a local user's password on domain-joined computers?

Soar 111 Reputation points
2024-07-24T12:30:02.03+00:00

I have a local admin account on each and every client Windows computer, and there are hundreds of them. They are all joined to one domain. The DC is running Windows Server 2019.

The password has leaked and has to be changed on all those computers.

On research, I found out that GPO no longer offers to do this task. Microsoft has already greyed out the password textboxes in Computer Configuration > Preferences > Local Users > New > Local User.

On the other side, LAPS is a sophisticated solution that randomizes the password and changes it periodically. I don't want that solution at the moment.

What other option do we have to change this password in bulk?


2 answers

  1. Marcin Policht 18,570 Reputation points MVP
    2024-07-24T12:40:45.86+00:00

    There are a number of options:

    Using PowerShell Script with Group Policy

    1. Create a PowerShell Script: Create a PowerShell script to change the local admin password. Save it as Change-LocalAdminPassword.ps1:
         # Change a local account's password through the ADSI WinNT provider.
         # When launched as a GPO startup script this runs as SYSTEM, which
         # has the right to set any local account's password.
         $newPassword   = "YourNewSecurePassword"
         $adminUsername = "Administrator"
         # ADSI path format is "WinNT://<computer>/<account>,<class>"; "." is the local machine
         # and there is no space before the class name.
         $adminUser = [ADSI]"WinNT://./$adminUsername,user"
         $adminUser.SetPassword($newPassword)
         $adminUser.SetInfo()
      
    2. Store the Script in a Network Share: Place the Change-LocalAdminPassword.ps1 script in a network share that is accessible to all client computers. Ensure the share has read permissions for the computers.
    3. Create a Group Policy Object (GPO): Open the Group Policy Management Console (GPMC) on your Domain Controller and create a new GPO, for example, Change Local Admin Password.
    4. Configure the GPO to Run the Script:
      • Edit the newly created GPO.
      • Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
      • Click on Startup, then Add and Browse to locate your script. Add the path to the PowerShell script in the network share.
    5. Allow PowerShell Script Execution: Ensure that the execution policy allows the script to run by configuring the GPO to set the PowerShell execution policy:
      • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
      • Enable the Turn on Script Execution policy and set it to Allow all scripts.
    6. Link the GPO to the Appropriate OU: Link the GPO to the Organizational Unit (OU) containing the client computers.

    Using PsExec

    If you need to change the password immediately and cannot wait for the Group Policy to propagate, you can use PsExec from Sysinternals:

    1. Download and Extract PsExec: Download PsExec from the Sysinternals website and extract it to a folder.
    2. Run the Command: Use PsExec to run the PowerShell command remotely. Open Command Prompt as an administrator and run the following command:

    psexec \\computername -u domain\adminusername -p adminpassword powershell -Command "([ADSI]'WinNT://./Administrator,user').SetPassword('YourNewSecurePassword')"

    You can replace \\computername with a list of computers, or use a script to loop through all computers in a text file.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    2 people found this answer helpful.
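A fuller version of the startup script from option 1 above, written here as an added example (it is not part of Marcin's answer). It keeps the same mechanism, a script run at boot from a GPO, but adds what a practitioner would want before pushing it to hundreds of machines: it still finds the built-in account if it has been renamed (by its well-known RID 500), it runs only once per rotation instead of resetting the password on every boot, and it writes an event so the change can be audited from the client's Application log. It assumes PowerShell 5.1 (the `Microsoft.PowerShell.LocalAccounts` module shipped with Windows 10 and Server 2016 and later); the account name, rotation ID, registry marker path and event source are illustrative. One caveat applies to any startup script of this kind: the share it lives on is readable by every domain computer and usually every authenticated user, so the password in `$NewPassword` is not secret. Treat the GPO as a one-shot and unlink it and delete the script once the report shows all machines have applied it.

```powershell
# Added example of a GPO startup script (Computer Configuration > Policies >
# Windows Settings > Scripts > Startup). Not code from the original answer.
# Assumes PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module.

$AccountName = 'Administrator'                             # assumed; use the leaked account's name
$NewPassword = 'YourNewSecurePassword'                      # placeholder; readable by anyone who can read the share
$RotationId  = '2024-07-24-leak'                            # hypothetical; change it to force a re-run
$MarkerKey   = 'HKLM:\SOFTWARE\Contoso\LocalAdminRotation'  # hypothetical marker path
$LogName     = 'Application'
$LogSource   = 'LocalAdminRotation'                         # hypothetical event source

# Idempotence: a startup script runs at every boot, so skip if this rotation
# has already been applied on this machine.
$applied = (Get-ItemProperty -Path $MarkerKey -Name RotationId -ErrorAction SilentlyContinue).RotationId
if ($applied -eq $RotationId) { exit 0 }

# Resolve the account by name first. The built-in Administrator may have been
# renamed, so fall back to the well-known RID 500 of the local machine SID.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}
if (-not $user) {
    Write-Error "Local account '$AccountName' not found"
    exit 1
}

$secure = ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
try {
    $user | Set-LocalUser -Password $secure -ErrorAction Stop

    # Record success locally so later boots are a no-op for this rotation.
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name RotationId -Value $RotationId
    Set-ItemProperty -Path $MarkerKey -Name AppliedAt  -Value (Get-Date).ToString('o')

    # Leave an audit trail in the Application log (event source is created on first use).
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName $LogName -Source $LogSource
    }
    Write-EventLog -LogName $LogName -Source $LogSource -EventId 1000 -EntryType Information `
        -Message "Password for local account '$($user.Name)' changed (rotation $RotationId)."
    exit 0
}
catch {
    Write-Error "Failed to change password for '$($user.Name)': $_"
    exit 1
}
```

Machines that were off when the GPO was linked pick the change up at their next boot, and `Get-ItemProperty` on the marker key (or the event ID 1000 entries) tells you which ones have applied it before you unlink the GPO.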

  2. Ian Xue (Shanghai Wicresoft Co., Ltd.) 34,431 Reputation points Microsoft Vendor
    2024-07-25T02:25:50.2533333+00:00

    Hi,

    You can use the Set-LocalUser command to set the local user password if you don't want to use GPOs. The script needs to be run as domain administrator.

    Invoke-Command -ComputerName "RemoteComputerName" -ScriptBlock {
        $Pass = "NewPassword"
        # Set-LocalUser takes a SecureString, not a plain string
        $SecurePass = ConvertTo-SecureString -String $Pass -AsPlainText -Force
        $UserAccount = Get-LocalUser -Name "Administrator"
        $UserAccount | Set-LocalUser -Password $SecurePass
    }
    

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/set-localuser?view=powershell-5.1

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

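Both the PsExec loop over a text file suggested in the first answer and the `Invoke-Command` call in the second answer need the same orchestration around them once there are hundreds of targets. The following is an added example of that bulk run (it is not code from either answer) over PowerShell Remoting: it enumerates enabled computers from an OU, reads the new password once as a SecureString and passes it to the remote side as part of a `PSCredential` (remoting encrypts SecureString arguments with the session key, so the password is never on the command line, on disk, or on the share), fans out with a throttle limit, and produces one row per target so offline or failed machines are visible and can be re-run. It assumes PowerShell 5.1 with the RSAT ActiveDirectory module on the admin workstation, WinRM enabled and reachable on the clients, and that it is run as a domain account that is a local administrator on them; the OU, report path and script name are illustrative.

```powershell
# Added example: bulk local-account password change over PSRemoting.
# Not code from either answer on this page. Hypothetical file name:
# Rotate-LocalAdmin.ps1. Assumes PS 5.1 + RSAT ActiveDirectory module,
# WinRM reachable on targets, and a caller that is local admin on them.

param(
    [string]$AccountName = 'Administrator',                     # assumed
    [string]$SearchBase  = 'OU=Workstations,DC=contoso,DC=com', # hypothetical OU
    [string]$Report      = "$env:TEMP\LocalAdminRotation.csv",  # hypothetical path
    [int]$ThrottleLimit  = 32
)

Import-Module ActiveDirectory

# Enumerate targets from AD. Replace with Get-Content .\computers.txt for a
# hand-maintained list (the text-file approach from the first answer).
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName |
    Where-Object { $_ }

# Read the password once. Only .Password (a SecureString) is used; the
# user-name field of the credential is just a label in the prompt.
$cred = Get-Credential -UserName $AccountName -Message 'New local admin password'
if ($cred.Password.Length -lt 14) { throw 'Choose a longer password (14+ characters).' }

# Remote side, executed on every target. SecureString arguments are encrypted
# with the remoting session key in transit.
$remote = {
    param([string]$Name, [securestring]$Password)
    $u = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    # Fall back to the built-in Administrator by its well-known RID 500 if renamed.
    if (-not $u) { $u = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } }
    if (-not $u) { throw "account '$Name' not found" }
    $u | Set-LocalUser -Password $Password -ErrorAction Stop
    [pscustomobject]@{ Account = $u.Name }
}

# Fan out. Connection and remote errors land in $failures instead of aborting.
$ok = Invoke-Command -ComputerName $targets -ScriptBlock $remote `
        -ArgumentList $AccountName, $cred.Password `
        -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue -ErrorVariable failures

# Collate: one row per target so offline/failed machines are not lost.
$results = foreach ($t in $targets) {
    $hit = $ok | Where-Object PSComputerName -eq $t
    if ($hit) {
        [pscustomobject]@{ Computer = $t; Status = 'Changed'; Detail = $hit.Account }
        continue
    }
    # Connection failures carry the computer name in TargetObject; errors
    # thrown by the script block carry it in OriginInfo.PSComputerName.
    $err = $failures |
        Where-Object { $_.TargetObject -eq $t -or $_.OriginInfo.PSComputerName -eq $t } |
        Select-Object -First 1
    $detail = if ($err) { $err.Exception.Message } else { 'no result returned' }
    [pscustomobject]@{ Computer = $t; Status = 'Failed'; Detail = $detail }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it, review the `Failed` rows in the CSV (typically machines that were offline or had WinRM blocked), and re-run with the same password against just those names; the remote block is safe to repeat. Note that after this the same password still sits on every machine, which is the exposure LAPS removes by giving each computer its own randomized secret, so this is a stop-gap for the leak rather than a replacement for per-machine passwords.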