Generating a random password during OSD and saving it in SQL

In many scenarios it is a good idea to set a randomized password for the local administrator account, or to create a new account with local administrative permissions and disable the built-in one. The script can easily be modified to generate a password for a different user name than the local administrator.

This way, if you have to give a user or a technician the local admin password so they can re-join the domain or troubleshoot network connectivity, you are only disclosing the password for that one computer.
To accomplish this I created a VBScript which generates a randomized password, sets it on the local administrator account and writes it to a table in the MDT database. The script can also be modified to create a new user account rather than only set the password for the local administrator, and it can be run from a custom task sequence to generate a new password for a machine that is already deployed.

As I don't want any passwords stored in the script, it connects to SQL with a trusted connection and runs as a domain service account. A Task Sequence step before the script (net localgroup administrators ... /add) adds that service account to the local Administrators group so it can set the password, and a step after the script removes it again. Keep in mind that if the sequence fails between those two steps the service account is left in the local Administrators group, so make sure the removal step still runs (for example by letting the script step continue on error and checking the script's exit code separately) or clean up afterwards.

The script can be downloaded here (rename it to localadminpwsql.vbs): Localadminpwsql

Prerequisites:

  • A service account in AD dedicated to this purpose

Implementation:

  1. Create a new table in the MDT database called Ladmin with two columns:
    Computername = nchar(30) not null
    Localadminpw = nchar(30) not null
    Make Computername the primary key. Note that nchar is a fixed-length type: a value shorter than 30 characters is right-padded with spaces when it is read back, so either trim the values when you retrieve them or use nvarchar(30) instead.
  2. Grant the service account the db_datareader and db_datawriter roles on the MDT database. These roles cover the whole database, and the passwords in the Ladmin table are stored in clear text, so anyone who can read the MDT database can read every stored local admin password. Keep the list of accounts with read access short.
  3. Download the script and modify the following line to match your SQL server and MDT database name:
    objConnection.Open "Provider=SQLOLEDB;Data Source=sccm01;" & "Trusted_Connection=Yes;Initial Catalog=MDT;"
    Trusted_Connection=Yes means the script authenticates to SQL as the Windows account it runs under, which is why step 7 runs it as the service account.
  4. Create a package containing the script (localadminpwsql.vbs) and distribute it to your distribution points. Don't create a program.
  5. In your Deployment Task Sequence create three new Run Command Line steps, in the order given below.
  6. Add a Run Command Line step to add the service account to the local Administrators group, command line:
    net localgroup administrators contoso\srvlocal /add
  7. Add a Run Command Line step "set local admin password" that runs the script. On this step set "Run this step as the following account" to the service account; this is what gives the script both the local administrator rights it needs to set the password and the Windows identity that the trusted SQL connection uses.
  8. Add a Run Command Line step to remove the service account from the local Administrators group, with the following command line:
    net localgroup administrators contoso\srvlocal /delete
  9. Test the task sequence and you are good to go.
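As an added example (not the author's VBScript), the following PowerShell does the same job as the script in step 7: it generates a random password from a cryptographic RNG, sets it on the local account, and records it in the Ladmin table over a trusted connection. The server name sccm01, database MDT, table dbo.Ladmin with the two nchar(30) columns from step 1, and the account name Administrator are taken from the post or assumed; change them to match your environment. Like the original, it stores the password in clear text, so the access restrictions from step 2 still apply.

```powershell
<#
  Added example, not the original VBScript. Generates a random local
  administrator password, writes it to dbo.Ladmin in the MDT database,
  then sets it on the account. Assumptions: table and column names from
  step 1 (Computername, Localadminpw, both nchar(30)), server sccm01,
  database MDT. Run as an account that is a local administrator on the
  machine and has db_datawriter on MDT (the task sequence step does this).
#>
param(
    [string]$SqlServer = 'sccm01',
    [string]$Database  = 'MDT',
    [string]$UserName  = 'Administrator',
    [ValidateRange(8, 30)][int]$Length = 20   # column is nchar(30)
)
$ErrorActionPreference = 'Stop'

# Build the password from a CSPRNG. Rejection sampling keeps every character
# in $charset equally likely; a plain "byte % length" would bias the result.
# Ambiguous characters (l, I, O, 0, 1) are left out because a technician
# will have to read this password out loud or type it by hand.
function New-RandomPassword {
    param([int]$Length)
    $charset = [char[]]('abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@')
    $limit = [int][math]::Floor(256 / $charset.Length) * $charset.Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($charset[$buf[0] % $charset.Length])
        }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Upsert the row. MERGE (SQL Server 2008+) means a re-image of a machine with
# the same name updates the row instead of failing on the Computername primary
# key, and parameters keep the computer name and password out of the SQL text.
function Save-PasswordToMdt {
    param([string]$SqlServer, [string]$Database, [string]$ComputerName, [string]$Password)
    # Integrated security: SQL sees the Windows identity the step runs as,
    # the same as Trusted_Connection=Yes in the VBScript connection string.
    $cs = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
MERGE dbo.Ladmin WITH (HOLDLOCK) AS t
USING (SELECT @name AS Computername) AS s ON t.Computername = s.Computername
WHEN MATCHED THEN UPDATE SET Localadminpw = @pw
WHEN NOT MATCHED THEN INSERT (Computername, Localadminpw) VALUES (@name, @pw);
"@
        [void]$cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NChar, 30)
        [void]$cmd.Parameters.Add('@pw',   [System.Data.SqlDbType]::NChar, 30)
        $cmd.Parameters['@name'].Value = $ComputerName
        $cmd.Parameters['@pw'].Value   = $Password
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

# The ADSI WinNT provider works on every Windows version the task sequence
# is likely to deploy and keeps the password off the command line, unlike
# "net user Administrator <password>", which shows up in process listings.
function Set-LocalAccountPassword {
    param([string]$UserName, [string]$Password)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $user.SetPassword($Password)
}

try {
    $password = New-RandomPassword -Length $Length
    # Record first, then set: if the SQL write fails the account still has its
    # old, known password; if the set fails the step fails and the bad row is
    # visible in the table rather than the machine ending up with a password
    # nobody knows.
    Save-PasswordToMdt -SqlServer $SqlServer -Database $Database `
                       -ComputerName $env:COMPUTERNAME -Password $password
    Set-LocalAccountPassword -UserName $UserName -Password $password
    Write-Output "Password for $env:COMPUTERNAME\$UserName stored in $Database.dbo.Ladmin"
    exit 0
} catch {
    # Non-zero exit code so the task sequence step reports failure.
    Write-Error $_
    exit 1
}
```

In the task sequence the step's command line would be something like `powershell.exe -ExecutionPolicy Bypass -File localadminpw.ps1 -SqlServer sccm01 -Database MDT`, run as the service account as in step 7. Because the row holds nchar(30), whatever reads the password back (the .hta mentioned below, for instance) should trim trailing spaces before handing it to a technician.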

I will post a simple .hta which the service desk can use to retrieve the local admin password if needed for troubleshooting purposes.
