I have a script that I pieced together which accomplishes the following: Creates Local Admin, Sets a Password, encodes the password, then writes the encoded value to the registry.
This script works perfectly in Windows XP.
For Windows 7, it creates the Admin User, but does not write the password to the registry, nor does it check the never expire and user can't change password boxes. (These are less important but it must write the encoded password value to the registry).
Once that value is in the registry, then SCCM inventories the value and the helpdesk can un-encode the password and give the login information to a user, who needs emergency admin rights.
My scripting skills are fairly limited, but I am learning. I have pasted the script below:
Any advice anyone can give would be much appreciated. If anyone likes this and would like the un-encode script, just email me!!
Thanks!
' Main flow: look for a local account named LMAdmin in the local Administrators group,
' then either reset its password or create the account.
Option Explicit
' NOTE(review): this handler covers the whole script. In VBScript, an error raised inside a called
' Sub that has no handler of its own abandons the rest of that Sub and resumes here, after the call,
' so a single failing statement in a Sub silently skips everything after it (including any later
' registry write). No Err.Number check is made in the code shown.
On Error Resume Next
' FSO is created below but not otherwise used in the code shown; IsMember, DomainOrWorkgroup,
' UserFlags and UserFlag are declared but not referenced in the code shown.
Dim WshShell,FSO,Env,ComputerName,PlainPassword,EncodedPassword,LMAdminExists,IsMember,Groups,Group
Dim User,Accounts,DomainOrWorkgroup,UserFlags,UserFlag
Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Env = WshShell.Environment("Process")
ComputerName = Env("ComputerName") ' workstation name taken from the process environment
Set Groups = GetObject("WinNT://" & ComputerName & "") ' bind to the local machine through the WinNT provider
Groups.Filter = Array("group") ' enumerate group objects only
' LMAdminExists stays Empty (treated as False) unless the loop below sets it.
For Each Group In Groups ' check each local group in turn
If Group.Name = "Administrators" Then ' literal English group name - presumably differs on localized Windows; confirm
For Each User in Group.Members ' check each member of the Administrators group
If User.Name = "LMAdmin" Then ' LMAdmin is a member of Administrators
LMAdminExists = True ' remember that the account was found
End If
Next
End If
Next
' NOTE(review): only membership of Administrators is tested. An LMAdmin account that exists but is
' not in that group takes the Else branch, where creating it again would presumably fail - confirm.
If LMAdminExists Then ' LMAdmin was found in the Administrators group
CreatePassword ' generate a new plain-text password and its encoded form
ResetPassword ' set the LMAdmin account to the newly generated password
Else ' LMAdmin was not found
CreatePassword ' generate a new plain-text password and its encoded form
CreateLMAdmin ' create the local LMAdmin account
WScript.Quit ' nothing else to do, so quit
End If
Sub CreateLMAdmin
Set Accounts = GetObject("WinNT://" & ComputerName & "") ' Bind to local machine's accounts
Set User = Accounts.Create("user", "LMAdmin") ' specify a new user named 'LMAdmin' should be created
User.SetPassword PlainPassword ' Specify the value of the newly generated password
User.SetInfo ' create the new account using the details specified
Set Group = GetObject("WinNT://" & ComputerName & "/Administrators,group") ' bind to the local machine's administrators group
Set User = GetObject("WinNT://" & ComputerName & "/LMAdmin,user") ' bind to the LDAdmin user account
Group.Add(User.ADsPath) ' add the user to the group
WshShell.LogEvent 0, "Local Machine Administrator account (LMAdmin) has been created successfully" ' log event to event log
' add the encoded password to the SCCM custom inventory fields ready for inventory capture
I have a script that I pieced together which accomplishes the following: Creates Local Admin, Sets a Password, encodes the password, then writes the encoded value to the registry.
This script works perfectly in Windows XP.
For Windows 7, it creates the Admin User, but does not write the password to the registry, nor does it check the never expire and user can't change password boxes. (These are less important but it must write the encoded password value to the registry).
Once that value is in the registry, then SCCM inventories the value and the helpdesk can un-encode the password and give the login information to a user, who needs emergency admin rights.
My scripting skills are fairly limited, but I am learning. I have pasted the script below:
Any advice anyone can give would be much appreciated. If anyone likes this and would like the un-encode script, just email me!!
Thanks!
' Main flow: look for a local account named LMAdmin in the local Administrators group,
' then either reset its password or create the account.
Option Explicit
' NOTE(review): this handler covers the whole script. In VBScript, an error raised inside a called
' Sub that has no handler of its own abandons the rest of that Sub and resumes here, after the call,
' so a single failing statement in a Sub silently skips everything after it (including any later
' registry write). No Err.Number check is made in the code shown.
On Error Resume Next
' FSO is created below but not otherwise used in the code shown; IsMember, DomainOrWorkgroup,
' UserFlags and UserFlag are declared but not referenced in the code shown.
Dim WshShell,FSO,Env,ComputerName,PlainPassword,EncodedPassword,LMAdminExists,IsMember,Groups,Group
Dim User,Accounts,DomainOrWorkgroup,UserFlags,UserFlag
Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Env = WshShell.Environment("Process")
ComputerName = Env("ComputerName") ' workstation name taken from the process environment
Set Groups = GetObject("WinNT://" & ComputerName & "") ' bind to the local machine through the WinNT provider
Groups.Filter = Array("group") ' enumerate group objects only
' LMAdminExists stays Empty (treated as False) unless the loop below sets it.
For Each Group In Groups ' check each local group in turn
If Group.Name = "Administrators" Then ' literal English group name - presumably differs on localized Windows; confirm
For Each User in Group.Members ' check each member of the Administrators group
If User.Name = "LMAdmin" Then ' LMAdmin is a member of Administrators
LMAdminExists = True ' remember that the account was found
End If
Next
End If
Next
' NOTE(review): only membership of Administrators is tested. An LMAdmin account that exists but is
' not in that group takes the Else branch, where creating it again would presumably fail - confirm.
If LMAdminExists Then ' LMAdmin was found in the Administrators group
CreatePassword ' generate a new plain-text password and its encoded form
ResetPassword ' set the LMAdmin account to the newly generated password
Else ' LMAdmin was not found
CreatePassword ' generate a new plain-text password and its encoded form
CreateLMAdmin ' create the local LMAdmin account
WScript.Quit ' nothing else to do, so quit
End If
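Sub CreateLMAdmin
    ' Creates the local LMAdmin account with the password held in PlainPassword, adds it to the
    ' local Administrators group, publishes EncodedPassword to the registry value that SCCM
    ' inventories, and marks the password as non-expiring and not changeable by the user.
    ' Reads globals:  ComputerName, PlainPassword, EncodedPassword, WshShell.
    ' Writes globals: Accounts, User, Group.
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
    Dim CurrentFlags

    ' Handle errors inside this Sub. With only the script-level handler in place, the first failing
    ' statement would abandon the rest of the Sub without any trace, so a failure early on would
    ' also skip the registry write and the flag update.
    On Error Resume Next
    Err.Clear

    Set Accounts = GetObject("WinNT://" & ComputerName & "") ' bind to the local machine's accounts
    Set User = Accounts.Create("user", "LMAdmin") ' stage a new user named LMAdmin
    User.SetPassword PlainPassword ' use the newly generated password
    User.SetInfo ' commit the new account
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Local Machine Administrator account (LMAdmin) could not be created (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
    End If

    Set Group = GetObject("WinNT://" & ComputerName & "/Administrators,group") ' bind to the local Administrators group
    Set User = GetObject("WinNT://" & ComputerName & "/LMAdmin,user") ' re-bind to the LMAdmin account
    Group.Add(User.ADsPath) ' add the account to the group
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Local Machine Administrator account (LMAdmin) could not be added to Administrators (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
    End If
    WshShell.LogEvent 0, "Local Machine Administrator account (LMAdmin) has been created successfully"

    ' Publish the encoded password for SCCM inventory capture.
    ' NOTE(review): if this script runs under a 32-bit script host on 64-bit Windows, writes to
    ' HKLM\SOFTWARE are redirected to HKLM\SOFTWARE\Wow6432Node, so the value may exist but not
    ' where inventory looks for it - confirm which host launches the script.
    ' NOTE(review): the encoding is reversible and its offset table ships inside this script, and
    ' keys under HKLM\SOFTWARE are readable by standard users unless the ACL is tightened. Treat
    ' this value as the password itself: restrict read access on the key, or move to a managed
    ' mechanism such as Microsoft LAPS that keeps the password in an access-controlled store.
    WshShell.RegWrite "HKLM\SOFTWARE\MyKey\PWCapture",EncodedPassword,"REG_SZ"
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Encoded LMAdmin password could not be written to the registry (error 0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If

    ' The original declared the two flag constants but never applied them, which is why the
    ' "never expires" and "user cannot change password" boxes stayed unchecked.
    CurrentFlags = User.Get("UserFlags")
    User.Put "UserFlags", CurrentFlags Or ADS_UF_DONT_EXPIRE_PASSWD Or ADS_UF_PASSWD_CANT_CHANGE
    User.SetInfo
    If Err.Number <> 0 Then
        WshShell.LogEvent 2, "LMAdmin password flags could not be set (error 0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If
End Sub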
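Sub CreatePassword ' create a new password (both plain text and encoded)
    ' Generates a 9-character password and an encoded form of it.
    ' Writes globals: PlainPassword  - the password, pattern lower/upper/digit repeated three times
    '                 EncodedPassword - "<table id><c1>-<c2><c3>-<c4><c5>-<c6><c7>-<c8><c9>", where
    '                                   each <cN> is the character code plus a table offset,
    '                                   zero-padded to three digits.
    ' NOTE(review): Rnd is a general-purpose pseudo-random generator, seeded here from the system
    ' timer by Randomize; it is not a cryptographic generator. Together with the fixed
    ' lower/upper/digit pattern, the passwords are more predictable than their length suggests.
    ' NOTE(review): the encoding is a per-position additive offset chosen from five fixed tables
    ' embedded below. It is obfuscation, not encryption - anyone holding this script can reverse it.
    Dim RangeLow, RangeHigh, CharCodes(8), EncodedChars(8)
    Dim Position, RangeIndex
    Dim Algorithm, AlgorithmArray, AlgorithmSplit

    ' Character-code ranges used in rotation for the nine positions
    RangeLow = Array(97, 65, 48)   ' a, A, 0
    RangeHigh = Array(122, 90, 57) ' z, Z, 9

    Randomize
    PlainPassword = ""
    For Position = 0 To 8
        RangeIndex = Position Mod 3 ' lower, upper, digit, lower, upper, digit, ...
        CharCodes(Position) = Int((RangeHigh(RangeIndex) - RangeLow(RangeIndex) + 1) * Rnd + RangeLow(RangeIndex))
        PlainPassword = PlainPassword & Chr(CharCodes(Position))
    Next

    ' Pick one of the five offset tables (1 through 5)
    Algorithm = Int(5 * Rnd + 1)
    ' First segment identifies the table; the nine that follow are the per-character offsets
    AlgorithmArray = Array( "065-586-094-288-691-071-002-097-768-157",_
                            "066-443-638-242-548-216-643-051-146-465",_
                            "067-112-563-864-234-856-474-076-609-127",_
                            "068-447-739-226-863-098-641-204-013-044",_
                            "069-151-556-284-505-367-433-841-114-498")
    AlgorithmSplit = Split(AlgorithmArray(Algorithm - 1), "-") ' minus one because arrays are zero-based

    ' Add the offset to each character code and left-pad to three digits. One padding rule for all
    ' nine positions replaces the nine copy-pasted If blocks; the block for the fourth character
    ' padded EncodedChar1 instead of EncodedChar4, which would have corrupted the output for any
    ' table whose fourth sum fell below 100.
    For Position = 0 To 8
        EncodedChars(Position) = Right("000" & (CLng(AlgorithmSplit(Position + 1)) + CharCodes(Position)), 3)
    Next

    ' Rejoin the encoded values, separated by hyphens
    EncodedPassword = AlgorithmSplit(0) & EncodedChars(0) & "-" & _
                      EncodedChars(1) & EncodedChars(2) & "-" & _
                      EncodedChars(3) & EncodedChars(4) & "-" & _
                      EncodedChars(5) & EncodedChars(6) & "-" & _
                      EncodedChars(7) & EncodedChars(8)
End Sub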
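Sub ResetPassword ' Reset LMAdmin account password to new value created by CreatePassword
    ' Sets the existing LMAdmin account to PlainPassword and publishes EncodedPassword to the
    ' registry value that SCCM inventories.
    ' Reads globals:  ComputerName, PlainPassword, EncodedPassword, WshShell.
    ' Writes globals: User.

    ' Handle errors inside this Sub so a failure is logged instead of silently skipping the rest.
    On Error Resume Next
    Err.Clear

    ' Path written without the space after the comma, matching the bind used in CreateLMAdmin.
    Set User = GetObject("WinNT://" & ComputerName & "/LMAdmin,user") ' bind to the LMAdmin account of the local machine
    User.SetPassword PlainPassword ' use the newly generated password
    User.SetInfo ' commit the change
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Local Machine Administrator Account (LMAdmin) password could not be changed (error 0x" & Hex(Err.Number) & ")"
        Exit Sub
    End If

    ' Publish the encoded password for SCCM inventory capture. The account password has already
    ' changed at this point, so a failed write leaves the inventoried value stale; log it.
    ' NOTE(review): the encoded value is reversible with the table embedded in this script, and
    ' keys under HKLM\SOFTWARE are readable by standard users unless the ACL is tightened.
    ' NOTE(review): under a 32-bit script host on 64-bit Windows this write is redirected to
    ' HKLM\SOFTWARE\Wow6432Node - confirm which host launches the script.
    WshShell.RegWrite "HKLM\SOFTWARE\MyKey\PWCapture",EncodedPassword,"REG_SZ"
    If Err.Number <> 0 Then
        WshShell.LogEvent 1, "Encoded LMAdmin password could not be written to the registry (error 0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If

    WshShell.LogEvent 0, "Local Machine Administrator Account (LMAdmin) password has successfully been changed" ' log event to event log
End Sub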