Randomizing the Local Administrator Account Password

by jeffmcjunkin

UPDATE: Upon further discussion with information security professionals, I’ve expanded on the subject of local Administrator accounts here.

As systems administrators, we sometimes need access to a given machine without domain credentials. But, in all honesty, how often do we really need access in this fashion? In a proper environment Most of the rationale behind “standardizing” on a local Administrator password I’ve seen has been to support other bad practices, like giving out the password to end-users to solve a one-time or letting service accounts run as a named user.

Below I’ve included a sample VBScript to randomize the local Administrator password. If you don’t use the local account in any day-to-day work, you may as well not leave this gaping security hole out there.

Try placing this script in a Group Policy machine startup script. Just copy-paste the full code into a new Notepad instance, click Save, then enter “password.vbs” (INCLUDING the quotes) as the path. The quotes are necessary to retain the non-default extension, as otherwise Notepad puts the standard .txt extension on the file. Remember the path, then add the script to an existing Group Policy Object or create a new one. Once you’ve opened the GPO, the full path is Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup. Click Add, Browse, point to the script, and press OK on the two screens. Close the GPO, apply it to a test OU, and you’re well on your way! If you have any issues you can always back out of the changes.

' A simple script used to randomize the local Administrator account password
' and disable/enable the account
' Written by Jeff McJunkin (@jeffmcjunkin, jeffmcjunkin.com)
' May be reused without permission, as long as the original source is attributed

' "." refers to the local computer
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")

intHighNumber = 255
intLowNumber = 1

' Seed the generator from the system timer. Without Randomize, Rnd returns
' the same sequence on every run, so every machine would get the same password.
' Note that Rnd is not a cryptographically secure generator.
Randomize

' Build a 120-character password from character codes 1 through 255
password = ""
For i = 1 To 120
	intNumber = Int((intHighNumber - intLowNumber + 1) * Rnd + intLowNumber)
	password = password & Chr(intNumber)
Next

objUser.SetPassword password

' If you use something like Kon-Boot instead of NT Password Reset,
' it can be useful to leave the account enabled. In that case,
' set the following line to False

objUser.AccountDisabled = True

' Commit the AccountDisabled change to the account database
objUser.SetInfo
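
The same idea as an added PowerShell example (not the original author's script): VBScript's Rnd is a general-purpose generator rather than a cryptographic one, so this version draws the password from the operating system's cryptographic random number generator and finds the built-in Administrator by its RID of 500, which survives a rename. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets) running as SYSTEM or an administrator; the function name New-RandomPassword and the printable-ASCII alphabet are choices made for this example.

```powershell
# Added example: randomize and disable the built-in local Administrator account.
# Assumes Windows PowerShell 5.1+ and an elevated (SYSTEM/administrator) context.

function New-RandomPassword {
    param([int]$Length = 120)

    # Printable ASCII 33..126 (94 symbols); an assumption of this example,
    # chosen to avoid the control characters that Chr(1)..Chr(31) would produce.
    $alphabet = [char[]](33..126)

    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Rejection sampling: 256 is not a multiple of 94, so bytes >= 188 are
    # discarded to keep every symbol equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder

    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# The built-in Administrator keeps a SID ending in -500 even when renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) {
    throw 'Built-in Administrator account (RID 500) not found.'
}

# The password is never written anywhere; it exists only for this call.
$secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
$admin | Set-LocalUser -Password $secure

# As in the VBScript version, skip this step if the account must stay enabled.
$admin | Disable-LocalUser
```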