Change Password on non-local admin Account on all workstations

rr-4098 1,641 Reputation points
2024-11-09T19:14:23.08+00:00

I know you used to be able to change the password on local accounts but believe this was stopped since the password was in clear text. Anyway, I need to change the password on a local user account on all workstations. Is my only option to use a PowerShell script?

Active Directory
A set of directory-based technologies included in Windows Server.

3 answers

  1. Marcin Policht 28,395 Reputation points MVP
    2024-11-09T19:31:32.9933333+00:00

    You can use LAPS - although this is likely more than what you're looking for.

    Details at https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

    The simplest approach would be to use Group Policy Preferences

    Follow https://community.spiceworks.com/t/changing-local-accounts-and-passwords-using-gpo/1007449


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. rr-4098 1,641 Reputation points
    2024-11-11T16:04:45.81+00:00

    It looks like Microsoft has grayed out the option to change a local account pwd via GPP.


  3. Marcin Policht 28,395 Reputation points MVP
    2024-11-11T18:28:11.62+00:00

    Reconsider your options - here are a few suggestions:

    1. Using PowerShell Remoting: You can remotely execute PowerShell commands on multiple workstations using PowerShell Remoting. This method allows you to change the local user password securely on all workstations.

    Steps:

    • Enable PowerShell Remoting on all workstations:
      • Run the following command to enable remoting (do this on each workstation or via Group Policy if needed):
         Enable-PSRemoting -Force
      
    • Change the Local User Password Remotely: Once PowerShell Remoting is enabled, you can use Invoke-Command to change the password on remote machines. Example PowerShell script to change the password on multiple workstations:
         $computers = @('Workstation1', 'Workstation2', 'Workstation3')  # List of computer names
         $username = "LocalUser"  # The local account to update
         $newPassword = "NewSecurePassword123"  # New password
         
         $scriptBlock = {
             param($username, $newPassword)
             $user = Get-LocalUser -Name $username
             $user | Set-LocalUser -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)
         }
         
         # Run the script on remote machines
         foreach ($computer in $computers) {
             Invoke-Command -ComputerName $computer -ScriptBlock $scriptBlock -ArgumentList $username, $newPassword
         }
      
      • This script connects to each workstation listed in $computers, then changes the password for the specified local user account ($username).
      • You can expand the $computers array with the names of all the workstations in your environment.
    2. Using Task Scheduler: If remoting isn't possible or you want a more "hands-off" approach, you can use Task Scheduler to run a script that changes the password on multiple workstations.

    Steps:

    • Create a PowerShell script (similar to the one above) that changes the local user password.
    • Use Group Policy to create a task on the workstations that runs this script at a specified time or when the user logs in.

    This approach is useful for environments where remote PowerShell execution may not be possible, but it's a little more complex to set up.

    3. PsExec: If you're managing a large number of workstations, there are third-party tools designed for local account management that can simplify this process. Examples include:
    • PsExec: A powerful tool for remotely executing commands, similar to PowerShell Remoting but with different options for authentication and remote command execution.
    • System Center Configuration Manager (SCCM): If you're using SCCM to manage your workstations, you can push scripts to change local account passwords as part of a configuration task.

    Example: Changing Password with PsExec

    Invoke-Command -ScriptBlock {
        net user "LocalUser" "NewSecurePassword123"
    } -ComputerName "Workstation1" -Credential "Administrator"
    
    4. Manual Approach

    If you only need to change the password on a few workstations and remoting or automation isn't feasible, manually changing the password is still an option:

    • Use Local Users and Groups (compmgmt.msc) to change the password on each workstation.
    • Use net user command locally on each workstation:
         net user LocalUser NewSecurePassword123
      

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
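
An added example, not part of the answers above: a variant of the `Invoke-Command` approach from answer 3 that prompts for the new password as a `SecureString` instead of embedding it in the script, and returns one result row per workstation so failed or unreachable machines are visible. The function name `Set-RemoteLocalUserPassword`, the computer names and the `LocalUser` account are placeholders chosen for this example.

```powershell
# Added example (not from the thread). Requires PowerShell Remoting on the targets.
function Set-RemoteLocalUserPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password,
        [pscredential]$Credential   # optional: admin credential for the targets
    )

    $icmArgs = @{
        ComputerName  = $ComputerName
        ArgumentList  = $UserName, $Password   # SecureString stays protected in transit
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'connErrors'           # collects hosts that could not be reached
        ScriptBlock   = {
            param([string]$UserName, [securestring]$Password)
            try {
                Set-LocalUser -Name $UserName -Password $Password -ErrorAction Stop
                [pscustomobject]@{ Status = 'Changed'; Detail = '' }
            } catch {
                # Account missing, policy rejection, access denied, etc.
                [pscustomobject]@{ Status = 'Failed'; Detail = $_.Exception.Message }
            }
        }
    }
    if ($Credential) { $icmArgs.Credential = $Credential }

    # Invoke-Command fans out to all computers in parallel
    Invoke-Command @icmArgs |
        Select-Object @{ n = 'Computer'; e = { $_.PSComputerName } }, Status, Detail

    # Connection-level failures never ran the script block; report them too
    foreach ($e in $connErrors) {
        [pscustomobject]@{
            Computer = $e.TargetObject
            Status   = 'Unreachable'
            Detail   = $e.Exception.Message
        }
    }
}

# Placeholder targets; replace with your own list (for example, from Get-Content)
$computers   = 'Workstation1', 'Workstation2', 'Workstation3'
$newPassword = Read-Host -Prompt 'New password for LocalUser' -AsSecureString

Set-RemoteLocalUserPassword -ComputerName $computers -UserName 'LocalUser' -Password $newPassword |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```

Because the password is read at run time, it does not end up in the script file, source control or a share where the script is stored.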

