CCMEXEC.COM – Enterprise Mobility

Generating a random password during OSD and save it in SQL

Posted on June 28, 2012 by Jörgen Nilsson

In many scenarios it can be a great idea to set a randomized password for the local administrator account, or to create a new user account with local administrative permissions and disable the built-in account. The script can easily be modified to generate a password for a user name other than the local administrator.

This way, if you have to give the user or a technician the local admin password so they can re-join the domain or troubleshoot network connectivity, you are only giving out the password for that computer.
To accomplish this I created a VBScript which generates a randomized password and writes it to a table in the MDT database. This script can easily be modified to create a new user account as well, and not only to set the password for the local administrator account. It can also be run in a custom task sequence to generate a new password for the local administrator account.

As I don’t want any passwords stored in the script, I use a Task Sequence step before the script (“Net user /add”) to add the service account under which I run the script to the local administrator group, and after the script has run I remove it again. The steps in the TS look like this:

[Screenshot: Locaadmin1]

The script can be downloaded here (rename it to localadminpwsql.vbs): Localadminpwsql

Prerequisites:

  • Service Account in AD for this purpose

Implementation:

  1. Create a new table in the MDT database called Ladmin with two columns:
    Computername = nchar(30) not null
    Localadminpw = nchar(30) not null
    Select Computername as the primary key, like this:
    [Screenshot: localadmin4]
  2. Grant the service account the datareader and datawriter roles on the MDT database.
    [Screenshot: localadmin3]
  3. Download the script and modify the following lines to adapt it to your setup.
    objConnection.Open "Provider=SQLOLEDB;Data Source=sccm01;" & "Trusted_Connection=Yes;Initial Catalog=MDT;"
  4. Create a package containing the setlocaladmin script and add it to distribution points. Don’t create a program.
  5. In your Deployment Task Sequence, create three new Run Command Line steps.
    [Screenshot: Locaadmin1]
  6. Add a Command Line step to add the user to the local administrator group, command line:
    net localgroup administrators contoso\srvlocal /add
  7. Add a Command Line step “setlocal admin password” using the following settings. This is where we configure the command line to run as the service account with local admin permissions.
    [Screenshot: localadmin2]
  8. Add a step to remove the service account from the local admin group, with the following command line:
    net localgroup administrators contoso\srvlocal /delete
  9. Test run and you are good to go.
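
The flow in the steps above, sketched in PowerShell as an added example; this is not the VBScript behind the download link, whose contents are not shown on this page. It assumes the Ladmin table and connection values from the post, a built-in account named Administrator, and that it runs as the service account; `New-RandomPassword` is a hypothetical helper name.

```powershell
# Added example, not the script from the original post.
$ErrorActionPreference = 'Stop'   # any failure ends the script so the TS step fails

function New-RandomPassword {     # hypothetical helper
    param([int]$Length = 20)      # must stay <= 30 to fit the nchar(30) column
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=?@'
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= $limit are rejected (no modulo bias)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
                }
            }
            $pw = $sb.ToString()
            # Regenerate until upper, lower and digit are all present (complexity policy)
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -cmatch '\d')
    } finally { $rng.Dispose() }
    $pw
}

$password = New-RandomPassword

# Server and database names are the post's values; SqlClient takes no Provider keyword.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    'Data Source=sccm01;Initial Catalog=MDT;Trusted_Connection=Yes;'
$cmd = $conn.CreateCommand()
# Parameterized upsert: Computername is the primary key, so a re-run updates the row.
$cmd.CommandText = @'
UPDATE Ladmin SET Localadminpw = @pw WHERE Computername = @name;
IF @@ROWCOUNT = 0
    INSERT INTO Ladmin (Computername, Localadminpw) VALUES (@name, @pw);
'@
$cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NChar, 30).Value = $env:COMPUTERNAME
$cmd.Parameters.Add('@pw',   [System.Data.SqlDbType]::NChar, 30).Value = $password
try {
    $conn.Open()
    [void]$cmd.ExecuteNonQuery()
} finally { $conn.Dispose() }

# Change the account only after the row is stored, so a failed write never
# leaves the machine with a password nobody has recorded.
$admin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$admin.SetPassword($password)
```

Because both columns are nchar(30), SQL Server pads stored values with trailing spaces, so whatever reads the password back has to trim it before use.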

I will post a simple .hta which the service desk can use to retrieve the local admin password if needed for troubleshooting purposes.

10 thoughts on “Generating a random password during OSD and save it in SQL”

  1. Rikard Ronnkvist says:
    June 29, 2012 at 10:20 am

    Since it looks like you are using MDT, why not store it in the MDT-database, table is called Settings and column AdminPassword…

    If you store it early in the TS the MDT will take care of setting the password for you… 🙂

  2. Pingback: Generating a random password during OSD and save it in SQL – Part2 - CCMEXEC.COM – System Center blog
  3. Tom Whiteley says:
    August 29, 2012 at 4:18 pm

    That’s a pretty cool way of solving the problem of local admin passwords.

    There was an Atea consultant who gave me a slightly more complex solution to this which involved using SP’s to check for database connectivity etc. for my SCCM environment but now I am debugging it so I can run it as a task every x days (to follow our standard AD password policy).

  4. Anurag says:
    January 2, 2013 at 10:09 pm

    Hi Jörgen, thanks for the great article. I have set up MDT 2012 + SCCM 2012. I am trying to call a script to generate a random password for the local administrator account and store it in a database. I have created a package for the script and updated the distribution points. I am calling the script at the end of the task sequence just before the copy logs and restart functions.
    Incorrect function. (Error: 00000001; Source: Windows)]LOG]!>
    Looking for suggestion on what am I doing wrong. The smsts.log is uploaded here – https://www.dropbox.com/s/vpl2yuy41ujv8ju/smsts.log

  5. Anurag says:
    January 2, 2013 at 10:12 pm

    I also checked the dp and the vbs file does exist there.

  6. Anurag says:
    January 2, 2013 at 10:41 pm

    I had by mistake typed a wrong spelling in the run command task. The issue is gone now. Thanks anyway.

  7. Suresh says:
    August 12, 2013 at 11:01 am

    Hi Jörgen Nilsson,

    This script working with SCCM2007R3 servers, kindly update the step by step preachers.

  8. Stefan says:
    December 16, 2014 at 9:15 am

    What is this “sqllocal.vbs”? Shouldn’t there be the script localadminpwsql.vbs?

    1. Jörgen Nilsson says:
      December 16, 2014 at 9:34 am

      Hi,
      That is correct, I used a different name in the screenshot, sorry for that.
      /Jörgen

  9. Stefan says:
    December 16, 2014 at 10:14 am

    The script isn’t creating any password and I didn’t change anything in the script except for the Data Source and Initial Catalog. I’ve made the package as you described and the command line setup too. Could you help me?



My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
