Reset local Windows account password (1.3.0+)


  • This tutorial utilizes the new FOG Client, which is capable of executing powershell scripts.

    At work, we’ve been talking about how to reset the local ‘tech’ password en-mass should we ever need to, in case the account password is compromised.

    I’ve found some powershell that can do this, and I’ve used it via FOG Snapins to successfully change a local Windows account’s password. This can be done on one computer or thousands. Confirmed working on Windows 10.

    The below is a powershell script (with a .ps1 file extension) that resets the password of a local account called tech to MySuperAmazingPassword as an example.

    $comp=hostname
    $tech=[adsi]("WinNT://" + $comp + "/tech, user")
    $tech.psbase.invoke("SetPassword", "MySuperAmazingPassword")
    

    This can be made into a FOG Snapin using the PowerShell template, and just uploading the file. Here is a screenshot of the completed snapin:

    0_1470950974200_ResetTechPassword.png


  • @MRCUR There should be - what the admin wants and is acceptable. Would I want a uniform password in every environment? No. I work in a public school, and very often I’m walking down the halls and someone comes out asking for help - and I don’t have my laptop with me. The less passwords I type in front of people, the better. Often, technicians fill in at other buildings - we don’t share AD credentials among technicians for our domains, but we do share local passwords with other techs so they can fill in where needed. LAPS would make that harder.

    I would encourage people to use LAPS if they want the highest degree of local account security, but it would complicate my job further than I would like in my current position and slow my ability to solve problems.

  • Testers

    @Wayne-Workman That’s the whole point - there should not be a single password set on all the machines. I realize this is not the point of your thread, but I just wanted to have this here so people know LAPS exists and is the preferred solution.


  • @MRCUR That’s one of the options we thought about. It sets a unique password on every machine - and that’s not the greatest idea if you need to use the local account in a tight spot to do something, and don’t have LAPS readily open. LAPS was created as a way to manage local account passwords, specifically changing them. With the above simple PowerShell script paired with FOG Snapins, that’s an alternative to LAPS that isn’t so complex - and enables a uniform password on each computer.

  • Testers


  • @Wayne-Workman Thank you sir.


  • @alexf2132 When creating the snapin, if you choose the “Powershell” template, it’ll be filled in automatically for you. Also the arguments are listed in the Snapin Command part.


  • What do you have in text box: “Snapin Run With Argument”? Is it required for this specific Snapin? I noticed you didn’t mention that section of the Snapin creation process.


  • @Wayne-Workman really they can? 😄 well i am just a bit crazy today… 😉


  • @x23piracy You didn’t know snapins could do powershell? 😉


380
Online

7.8k
Users

14.8k
Topics

139.5k
Posts