In many scenarios it can be a great idea to be able to set a randomized password for the local administrator account, or to create a new user account with local administrative permissions and disable the built-in account. The script can easily be modified to generate a password for another user name than the local administrator.
This way, if you have to give the user or a technician the local admin password so they can re-join the domain or troubleshoot network connectivity, you are only giving out the password for that one computer.
To accomplish this I created a VBScript which generates a randomized password and writes it to a table in the MDT database. This script can easily be modified to create a new user account as well, not only to set the password for the local administrator account. It can also be run in a custom task sequence to generate a new password for the local administrator account.
As I don't want any passwords stored in the script, I use a Task Sequence step before the script (“Net user /add”) to add the service account under which I run the script to the local administrators group, and after the script has run I remove it again. So the steps in the TS look like this.
The script can be downloaded here (rename it to localadminpwsql.vbs): Localadminpwsql
- A service account in AD for this purpose.
- Create a new table in the MDT database called Ladmin with two columns:
Computername = nchar(30) not null
Localadminpw = nchar(30) not null
Set Computername as the primary key, like this:
- Grant the service account the datareader and datawriter roles on the MDT database.
- Download the script and modify the following line to adapt it to your setup (server name and database name):
objConnection.Open "Provider=SQLOLEDB;Data Source=sccm01;" & "Trusted_Connection=Yes;Initial Catalog=MDT;"
- Create a package containing the setlocaladmin script and add it to your distribution points; don't create a program.
- In your deployment Task Sequence, create three new Run Command Line steps.
- Add a Run Command Line step to add the service account to the local administrators group, command line:
net localgroup administrators contoso\srvlocal /add
- Add a Run Command Line step “set local admin password” with the following settings; this is where we configure the command line to run as the service account, which now has local admin permissions.
- Add a Run Command Line step to remove the service account from the local administrators group again, with the following command line:
net localgroup administrators contoso\srvlocal /delete
- Test run and you are good to go.
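For readers who would rather not maintain VBScript, here is an added PowerShell equivalent of what the steps above describe. It is an example written for this post, not the author's localadminpwsql.vbs: it generates a password from a cryptographic random source, records it in the Ladmin table (Computername and Localadminpw, both nchar(30), as created above) using the integrated credentials of the service account the step runs as, and only then sets it on the local account. The server name sccm01 and database name MDT are taken from the post; the account name, password length and the upsert logic are my assumptions.

```powershell
# Added example, not the author's localadminpwsql.vbs. Assumes the Ladmin table from the post
# (Computername nchar(30) PK, Localadminpw nchar(30)) on SQL Server "sccm01", database "MDT",
# and that the Task Sequence step runs as the service account, which holds the datareader/
# datawriter roles and has just been added to the local administrators group.
param(
    [string]$SqlServer   = 'sccm01',
    [string]$Database    = 'MDT',
    [string]$AccountName = 'Administrator',   # assumption: rename for a different local account
    [int]$Length         = 20                 # must fit the nchar(30) column
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet leaves out ambiguous glyphs (0/O, 1/l/I) so a technician can read it out reliably.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    # Cryptographic RNG rather than Get-Random, which is not suitable for credentials.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one = New-Object byte[] 1
    # Rejection sampling: discard bytes above the largest multiple of the alphabet size,
    # otherwise a plain modulo would favour the first characters of the alphabet.
    $limit = 256 - (256 % $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($alphabet[$one[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

function Save-PasswordToMdt {
    param([string]$SqlServer, [string]$Database, [string]$ComputerName, [string]$Password)
    # Integrated security: no SQL credentials in the script, the step's run-as account is used.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Upsert so a re-run of the Task Sequence on the same machine replaces the old row.
        # Parameters keep name and password out of the SQL text (no quoting or injection issues).
        $cmd.CommandText = @"
IF EXISTS (SELECT 1 FROM Ladmin WHERE Computername = @cn)
    UPDATE Ladmin SET Localadminpw = @pw WHERE Computername = @cn
ELSE
    INSERT INTO Ladmin (Computername, Localadminpw) VALUES (@cn, @pw)
"@
        [void]$cmd.Parameters.Add('@cn', [System.Data.SqlDbType]::NChar, 30)
        [void]$cmd.Parameters.Add('@pw', [System.Data.SqlDbType]::NChar, 30)
        $cmd.Parameters['@cn'].Value = $ComputerName
        $cmd.Parameters['@pw'].Value = $Password
        return $cmd.ExecuteNonQuery()     # rows affected, 1 on success
    } finally {
        $conn.Close()
    }
}

function Set-LocalAccountPassword {
    param([string]$AccountName, [string]$Password)
    # ADSI WinNT provider: available on every Windows version MDT deploys, no extra module needed.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
    $user.SetPassword($Password)
    $user.SetInfo()
}

$password = New-RandomPassword -Length $Length
# Record first, then change: a password must never exist on the machine without being in the database.
$rows = Save-PasswordToMdt -SqlServer $SqlServer -Database $Database -ComputerName $env:COMPUTERNAME -Password $password
if ($rows -lt 1) {
    throw "Password was not recorded in $Database.Ladmin; leaving the $AccountName password unchanged."
}
Set-LocalAccountPassword -AccountName $AccountName -Password $password
# Never write the password itself to output: smsts.log captures everything the step prints.
Write-Output "Local password for $AccountName on $env:COMPUTERNAME rotated and stored in $Database.Ladmin."
```

Run it from the “set local admin password” step with a command line such as powershell.exe -ExecutionPolicy Bypass -File Set-LocalAdminPassword.ps1 (script name is my choice), using the same run-as settings as for the VBScript. Two practical points: nchar(30) pads the stored value with trailing spaces, so whatever retrieves the password (the .hta mentioned below, for example) should trim it, or the column can be declared nvarchar(30) instead; and because the password is written to the database before the account is changed, a failed SetPassword leaves a wrong value in Ladmin but never an unrecorded password on the machine, which is the failure mode you can recover from.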
I will post a simple .hta which the service desk can use to retrieve the local admin password when it is needed for troubleshooting.