In many scenarios it can be a great idea to set a randomized password for the local administrator account, or to create a new user account with local administrative permissions and disable the built-in account. The script can easily be modified to generate a password for a username other than the local administrator.
This way, if you have to give a user or a technician the local admin password so they can re-join the domain or troubleshoot network connectivity, you are only giving out the password for that one computer.
To accomplish this I created a VBScript which generates a randomized password and writes it to a table in the MDT database. The script can easily be modified to create a new user account as well, rather than only setting the password for the local administrator account. It can also be run in a custom task sequence to generate a new password for the local administrator account.
As I don’t want any passwords stored in the script I use a Task Sequence step before the script “Net user /add” to add the service account under which I run the script to the local administrator group and after the script has run I remove it again. So the steps in the TS would look like this.
The script can be downloaded here (rename it to localadminpwsql.vbs): Localadminpwsql
Prerequisites:
- Service Account in AD for this purpose
Implementation:
- Create a new table in the MDT database called Ladmin with two columns:
Computername = nchar(30) not null
Localadminpw = nchar(30) not null
Select the Computername as the primary key. Like this:
- Grant the service account the datareader and datawriter role to the MDT database.
- Download the script and modify the following lines to adapt it to your setup.
objConnection.Open “Provider=SQLOLEDB;Data Source=sccm01;” & “Trusted_Connection=Yes;Initial Catalog=MDT;”
- Create a package containing the setlocaladmin script and add it to your distribution points; don’t create a program.
- In your Deployment Task Sequence create three new run command line steps.
- Add a Command Line step to add the user to the local administrator group, command line:
net localgroup administrators contoso\srvlocal /add
- Add a Command Line step “setlocal admin password” using the following settings; this is where we configure the command line to run as the service account, which now has local admin permissions.
- Add a step to remove the service account from the local admin group, with the following command line:
net localgroup administrators contoso\srvlocal /delete
- Test run and you are good to go.
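As an added example (not the author’s localadminpwsql.vbs), the same step written in PowerShell: it draws the password from a cryptographic RNG, writes it to the Ladmin table with a parameterized query, and only then changes the account, so a password is never set that nobody can retrieve. It assumes the server name sccm01, database MDT, the Ladmin table exactly as defined above, and that the step runs as the service account holding the datareader/datawriter roles (integrated security, so no SQL password is stored in the script).

```powershell
# Added example, not the script from the post. Assumptions: SQL Server 'sccm01',
# database 'MDT', table Ladmin(Computername nchar(30), Localadminpw nchar(30)),
# and the step runs as the service account that holds db_datareader/db_datawriter.
$SqlServer = 'sccm01'
$Database  = 'MDT'
$UserName  = 'Administrator'

function New-RandomPassword {
    param([int]$Length = 20)
    # Letters, digits and symbols that satisfy typical complexity rules; 0/O and 1/l left out.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    # Rejection sampling: discard values above the largest multiple of the alphabet size
    # so every character is equally likely (plain modulo would bias the first few characters).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        [void]$sb.Append($chars[[int]($n % $chars.Length)])
    }
    return $sb.ToString()
}

$pw = New-RandomPassword -Length 20   # 20 characters fits the nchar(30) column

# 1. Record the password in the MDT database first. If this fails the script throws
#    and the account is left untouched, so the old (known) password still works.
$connStr = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # Parameterized so the computer name and password are never spliced into the SQL text.
    $cmd.CommandText = @'
IF EXISTS (SELECT 1 FROM Ladmin WHERE Computername = @c)
    UPDATE Ladmin SET Localadminpw = @p WHERE Computername = @c
ELSE
    INSERT INTO Ladmin (Computername, Localadminpw) VALUES (@c, @p)
'@
    [void]$cmd.Parameters.AddWithValue('@c', $env:COMPUTERNAME)
    [void]$cmd.Parameters.AddWithValue('@p', $pw)
    [void]$cmd.ExecuteNonQuery()
} finally {
    $conn.Close()
}

# 2. Change the local account through ADSI rather than "net user", so the password
#    never appears on a process command line and there is no 14-character prompt.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$user.SetPassword($pw)
```

Because the column is nchar(30), the stored value is space-padded; trim it when the service desk tool reads it back.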
I will post a simple .hta which the servicedesk can use to retrieve the local admin password if needed for troubleshooting purposes.
Since it looks like you are using MDT, why not store it in the MDT-database, table is called Settings and column AdminPassword…
If you store it early in the TS the MDT will take care of setting the password for you… 🙂
That’s a pretty cool way of solving the problem of local admin passwords.
There was an Atea consultant who gave me a slightly more complex solution to this which involved using SP’s to check for database connectivity etc. for my SCCM environment but now I am debugging it so I can run it as a task every x days (to follow our standard AD password policy).
Hi Jörgen , thanks for the great article. I have setup MDT 2012 + SCCM 2012. I am trying to call a script to generate random password of local administrator account and store it in a database. I have created a package for the script and updated the distribution points. I am calling the script at the end of task sequence just before copy logs and restart functions.
Incorrect function. (Error: 00000001; Source: Windows)
Looking for suggestions on what I am doing wrong. The smsts.log is uploaded here – https://www.dropbox.com/s/vpl2yuy41ujv8ju/smsts.log
I also checked the dp and the vbs file does exist there.
I had by mistake typed a wrong spelling in the run command task. The issue is gone now. Thanks anyway.
Hi Jörgen Nilsson,
This script working with SCCM2007R3 servers, kindly update the step by step preachers.
What is this “sqllocal.vbs”? Shouldn’t there be the script localadminpwsql.vbs?
Hi,
That is correct, I used a different name in the screenshot, sorry for that.
/Jörgen
The script isn’t creating any password and I didn’t change anything in the script except for the Data Source and Initial Catalog. I’ve made the package as you described and set up the command line too. Could you help me?