Rename and set password for local admin using configmgr #rdproud

May 19, 2015



As you all know 🙂 -> modifying a local user password is no longer possible using Group Policy Preferences. When did this happen?

You can find additional info here

A solution is to reuse an SCCM task sequence to rename the local admin and set its password.

We will use a task sequence variable to carry the password that should be applied.

We'll create a PowerShell script.

    # Change_passwords.ps1
    # Author = Gino D'hoker
    # Will be used in SCCM task sequence for renaming and setting password of local admin
    # requires task sequence variable named vPassword with the required password
    # Version 1.0

    $computerName = $env:COMPUTERNAME
    $computer = [ADSI] "WinNT://$computerName,Computer"

    foreach ( $childObject in $computer.Children ) {
        # Skip objects that are not users.
        if ( $childObject.Class -ne "User" ) {
            continue
        }

        # Build the SID of this local account so the built-in Administrator is
        # identified by its well-known RID (-500), whatever its current name is.
        $type = "System.Security.Principal.SecurityIdentifier"
        $childObjectSID = New-Object $type($childObject.objectSid[0],0)

        if ( $childObjectSID.Value.EndsWith("-500") ) {
            "Local Administrator account name: $($childObject.Name[0])"
            "Local Administrator account SID: $($childObjectSID.Value)"
            $username = $($childObject.Name[0])

            # Read the password from the task sequence variable vPassword.
            $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
            $strPassword = $tsenv.Value("vPassword")

            # Bind to the account, set the new password and commit it.
            $user = [ADSI]"WinNT://./$username"
            $user.SetPassword($strPassword)
            $user.SetInfo()

            # Rename the account. The new name is not given in the post;
            # replace the placeholder with the name you want to use.
            $user.psbase.Rename("<NEW-ADMIN-NAME>")

            break
        }
    }




Now create a task sequence to deploy the script.

First, create the required variable (vPassword).


Second, run the PowerShell script.


Now deploy it on a schedule.


And you have a worthy replacement for your preference!



Gino D

Quick Tip ! Group Policy Preference Issues

September 4, 2013


Used a scheduled task (immediate) as a group policy preference item and now I receive this when verifying the result using the console.

Added logging to the group policy console as described here :

Result of the log file :

Solution :


Install the applicable hotfixes, REBOOT and retest.


Add local user to Admin Group

November 22, 2011

Okay, I know it's a bit off-topic, but I was so pleased with this solution that I have to share it.

The goal is to add a user to the local Administrators group using policies: one user to one machine, not a group of users to a specific group of machines.

We preferred not to use a scripting solution, so we came up with this:

-> For the moment we use the AD computer ManagedBy attribute to define the link between a computer and a specific user (this is a prerequisite). We decided that the ManagedBy user may be added to the local Administrators group only if that user is a member of a specific DL admin group.

-> Create a policy with 2 preferences. The first one clears the local Administrators group.

-> The second preference adds %SuperUser% to the local Administrators group.

-> Define the item-level targeting.

Part 1 assigns the value of the AD ManagedBy attribute.

Part 2 verifies whether the ManagedBy user is a member of the admin group (here GG_U_LocalAdmin):

    Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

Attribute = the attribute is only returned as output if the user is a member of the group, so the targeting item only matches for members.

Update! This filter does not return the group membership if nested group membership is used. You can alter the query to include nested group membership like this:


See for more information.

-> And test.

-> Remove user from group and run gpupdate.

-> And verify
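A pre-flight check for the targeting above, written as an added example (not code from the original post): it reads a computer's ManagedBy attribute and tests the user's membership in GG_U_LocalAdmin twice, once with the direct memberOf filter the post uses and once with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which also matches nested membership. The group DN is the one from the post; the computer name defaults to the local host and is an assumption.

```powershell
# Added example (not from the original post). Uses only System.DirectoryServices,
# so it runs on a domain-joined host without the ActiveDirectory module.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$GroupDN = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local'
)

# Escape characters that have meaning inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Run one search against the current domain and return the first hit (or $null).
function Find-DirectoryObject([string]$Filter, [string[]]$Properties) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindOne()
}

# 1. The prerequisite from the post: the computer object must carry a ManagedBy DN.
$cn   = ConvertTo-LdapFilterValue $ComputerName
$comp = Find-DirectoryObject "(&(objectCategory=computer)(cn=$cn))" @('managedBy')
if (-not $comp -or $comp.Properties['managedby'].Count -eq 0) {
    Write-Warning "No ManagedBy set on $ComputerName; the preference would add nobody."
    return
}
$managedBy = $comp.Properties['managedby'][0]
$dn  = ConvertTo-LdapFilterValue $managedBy
$grp = ConvertTo-LdapFilterValue $GroupDN

# 2. Direct membership only: the same filter the post uses in item-level targeting.
$direct = Find-DirectoryObject "(&(objectCategory=user)(distinguishedName=$dn)(memberOf=$grp))" @('sAMAccountName')

# 3. Direct or nested membership: the matching rule walks group nesting server-side.
$nested = Find-DirectoryObject "(&(objectCategory=user)(distinguishedName=$dn)(memberOf:1.2.840.113556.1.4.1941:=$grp))" @('sAMAccountName')

# A user who is only a nested member shows NestedMember=True and DirectMember=False,
# which is exactly the case the post's update warns about.
[pscustomobject]@{
    Computer     = $ComputerName
    ManagedBy    = $managedBy
    DirectMember = [bool]$direct
    NestedMember = [bool]$nested
}
```

Run it on a workstation (or with -ComputerName) before rolling the policy out to see which account the preference will actually add.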