A generally accepted security practice is to make passwords expire. With 1,000 computers to manage, is there a way to change 'local' administrator passwords easily? The local administrator is needed for computers that are malfunctioning and cannot access the network, so we do not want this account password to expire before it can be changed.
There are several ways of doing this. You can spend hours of your time creating a batch, WSH or VB script that searches for all the variables needed to change the local admin password on your network, or you can save time and effort by using the utility called cryptpwd.exe provided in the NT and 2000 Resource Kits. I recommend using the cryptpwd.exe approach unless you want to impress your boss with your scripting abilities.
Here is how you can use cryptpwd.exe to change the entire domain's local admin accounts. First, you need to create a simple text file with the list of computers you wish to change (you can get a list of the computers in your domain from Server Manager, or from Active Directory if you are using Windows 2000). Next, you need to create a simple batch file and add the following line:
Substitute "sampletext.txt" with the name of the text file you created and changedpass with the new password you wish to use. Save the batch file, the text file and the cryptpwd.exe file in the same directory and you are ready to change your company's local admin passwords. You can run this from an account that has domain admin rights or you can get creative and put this in a login script. I prefer to run it from my desktop. Cryptpwd also provides you with additional switches you can use to change the local admin username as well.
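The same procedure sketched in PowerShell, as an added example that is not part of the original answer and does not use cryptpwd.exe: it reads the computer list, prompts for the new password instead of storing it in the script file, and records which machines could not be reached so they can be retried. The function name `Set-LocalAdminPassword` and the file names `computers.txt` and `pwchange-results.csv` are assumptions.

```powershell
# Added example, not from the original page. Run from an account with
# administrative rights on the target computers (e.g. a domain admin).
function Set-LocalAdminPassword {
    param(
        [Parameter(Mandatory)] [string]       $ListPath,     # one computer name per line
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [string] $AccountName = 'Administrator'              # assumed default account name
    )

    # ADSI's SetPassword needs the plaintext value; unwrap it once, in memory only.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

    foreach ($line in Get-Content -Path $ListPath) {
        $computer = $line.Trim()
        # Skip blank lines and comment lines in the list file.
        if (-not $computer -or $computer.StartsWith('#')) { continue }

        $status = 'Changed'
        $detail = ''
        try {
            # Bind to the local account through the WinNT provider and reset it.
            $user = [ADSI]"WinNT://$computer/$AccountName,user"
            $user.SetPassword($plain)
        } catch {
            # Offline or unreachable machines end up here and keep the old password.
            $status = 'Failed'
            $detail = $_.Exception.Message
        }

        # One result object per computer, so failures can be filtered and retried.
        [pscustomobject]@{
            Computer = $computer
            Status   = $status
            Detail   = $detail
        }
    }
}

# Prompt for the password so it is never written to the script or the list file.
$pw = Read-Host -Prompt 'New local admin password' -AsSecureString
Set-LocalAdminPassword -ListPath .\computers.txt -NewPassword $pw |
    Export-Csv -Path .\pwchange-results.csv -NoTypeInformation
```

The results file contains computer names and error text only, never the password; rows with `Status` of `Failed` are the machines to revisit.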