Rename and set password for local admin using configmgr #rdproud

May 19, 2015

 

Hello,

As you all know 🙂 -> modifying a local user's password through a Group Policy Preference is no longer possible. When did this happen?

You can find additional info here https://support.microsoft.com/en-us/kb/2962486 (MS14-025). The password stored in the preference XML (cpassword) could be decrypted by anyone able to read SYSVOL, because the AES key used to protect it was published, so the password fields were removed from the preferences.

One solution is to use an SCCM task sequence to rename the local admin and set the password.

We will use a task sequence variable to hold the password that should be applied. Keep in mind that the script reads this variable in clear text on the client while the sequence runs, so hide the value where the console allows it and never echo it in the script output or the smsts.log.

We'll create a PowerShell script.

# Change_passwords.ps1
#
# Author = Gino D'hoker
#
# Will be used in SCCM task sequence for renaming and setting password of local admin
# requires task sequence variable named vPassword with the required password
#
# Version 1.0

$computerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$computerName,Computer"
$username = $null

foreach ($childObject in $computer.Children) {
    # Skip objects that are not users.
    if ($childObject.Class -ne "User") {
        continue
    }
    # Build a SID object from the raw objectSid bytes of the local account
    $type = "System.Security.Principal.SecurityIdentifier"
    $childObjectSID = New-Object $type($childObject.objectSid[0], 0)

    # The built-in Administrator always has RID 500, whatever it is currently called
    if ($childObjectSID.Value.EndsWith("-500")) {
        "Local Administrator account name: $($childObject.Name[0])"
        "Local Administrator account SID: $($childObjectSID.Value)"
        $username = $childObject.Name[0]
        break
    }
}

if (-not $username) {
    throw "No local account with RID 500 found on $computerName"
}

# Read the password from the task sequence variable (clear text inside the sequence; do not log it)
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$strPassword = $tsenv.Value("vPassword")

$user = [ADSI]"WinNT://./$username"
$user.psbase.Rename("xxx.localadmin")   # new name for the built-in account (placeholder)
$user.SetPassword($strPassword)
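The same step as an added example (not the post's script): written against the LocalAccounts cmdlets available on Windows 10 / Server 2016 and later, it selects the account by RID 500 rather than by name, renames only when the name differs so the scheduled deployment can run repeatedly, falls back to a prompt when no task sequence environment exists (interactive testing), and returns a verification object. The variable name vPassword and the placeholder name xxx.localadmin follow the post; the function names and the fallback are assumptions.

```powershell
# Added example, not the original post's script. Assumes Windows 10 / Server 2016+
# (LocalAccounts module) and a task sequence variable named vPassword, as in the post.
param(
    [string]$NewName    = 'xxx.localadmin',   # placeholder name, as in the post
    [string]$TsVariable = 'vPassword'
)

function Get-DeployPassword {
    # Inside a task sequence the TSEnvironment COM object exists; outside it
    # (interactive testing) New-Object fails, so prompt for the password instead.
    $tsenv = $null
    try { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop } catch { }
    if ($tsenv) {
        $plain = $tsenv.Value($TsVariable)
        if ([string]::IsNullOrEmpty($plain)) {
            throw "Task sequence variable '$TsVariable' is not set"
        }
        # Convert immediately; never write $plain to the output stream or a log
        return ConvertTo-SecureString -String $plain -AsPlainText -Force
    }
    return Read-Host -Prompt "Password for $NewName" -AsSecureString
}

function Set-BuiltinAdministrator {
    param([string]$Name, [securestring]$Password)

    # The built-in Administrator is always RID 500 of the machine SID,
    # whatever it is currently called, so select on the SID, not the name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) { throw 'No local account with RID 500 found' }

    # Rename only when needed, so a scheduled re-run does not fail on the second pass
    if ($admin.Name -ne $Name) {
        Rename-LocalUser -Name $admin.Name -NewName $Name
    }
    Set-LocalUser -Name $Name -Password $Password

    # Verify: the renamed account must still be RID 500 and PasswordLastSet must be fresh
    $check = Get-LocalUser -Name $Name
    [pscustomobject]@{
        Name            = $check.Name
        SID             = $check.SID.Value
        IsRid500        = [bool]($check.SID.Value -match '-500$')
        PasswordLastSet = $check.PasswordLastSet
        Enabled         = $check.Enabled
    }
}

Set-BuiltinAdministrator -Name $NewName -Password (Get-DeployPassword)
```

Run it once interactively before putting it in the sequence: the prompt path exercises everything except the COM read, and the returned object shows whether the account that ended up with the new name is really the RID-500 one.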


Now create a task sequence to run the script.

First, create the required variable (a Set Task Sequence Variable step that sets vPassword).


Second, run the PowerShell script (a Run PowerShell Script step).


Now deploy it on a schedule.


And you have a worthy replacement for your preference! One caveat: like the old preference, this sets the same password on every machine in the collection, so anyone who obtains it can move laterally between them. Microsoft's Local Administrator Password Solution (LAPS), released the same month, gives every machine its own random password and stores it in AD; prefer it where you can.


Enjoy.

Gino D


Quick Tip ! Group Policy Preference Issues

September 4, 2013

Hello,

Used a scheduled task (immediate) as a group policy preference item and now I receive this when verifying the result using the console.


Added logging to the group policy console as described here :

http://technet.microsoft.com/en-us/library/cc737379(v=ws.10).aspx

Result of the log file :


Solution :

See http://support.microsoft.com/kb/2642947

Install the applicable hotfixes, REBOOT and retest.

Enjoy.


Add local user to Admin Group

November 22, 2011

Okay I know it’s a bit off-topic but I was so pleased with this solution that I have to share it.

The goal is to add a user to the local Administrators group using policies: one user to one machine, not a group of users to a group of machines.

We preferred not to use scripting solutions, so we came up with this:

-> For the moment we use the AD computer ManagedBy attribute to define the link between a computer and a specific user (this is a prerequisite). We decided that the ManagedBy user is added to the local Administrators group only if that user is a member of a specific DL (domain local) admin group.


-> Create a policy with 2 preferences. The first one clears the local Administrators group (the "Delete all member users" / "Delete all member groups" options). Note that this removes every existing member, Domain Admins included, so re-add any group you still need alongside the ManagedBy user.



-> Second preference will add the %SuperUser% to the local admin group


-> Define the item level targeting

Part 1 (an LDAP query targeting item) reads the computer's AD ManagedBy attribute and stores its value in the %managedby% variable.


Part 2 verifies that the ManagedBy user is a member of the AD admin group (here GG_U_LocalAdmin):

Filter = (&(objectCategory=user)(distinguishedName=%managedby%)(memberof=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

Attribute = the attribute returned by the query (stored as %SuperUser%) is only populated when the filter matches, i.e. when the user is in the group; otherwise the targeting fails and the second preference is not applied.

Update! This filter does not match when the user is a member through a nested group. You can alter the query to include nested group membership (the LDAP_MATCHING_RULE_IN_CHAIN matching rule) like this:

(&(objectCategory=user)(distinguishedName=%managedby%)(memberof:1.2.840.113556.1.4.1941:=CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local))

See http://social.technet.microsoft.com/Forums/en-US/8ebae09d-299c-4486-b188-ce1715f7bc36/question-about-using-an-ldap-filter-to-get-memberof-from-an-ad-group?forum=winserverDS for more information.

-> And test.


-> Remove user from group and run gpupdate.



-> And verify
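To test the two targeting queries against AD before the preference goes out, here is an added example (not part of the original post) that evaluates them for one computer outside Group Policy: it reads the computer's managedBy attribute, builds the memberOf filter in either the plain or the nested (1.2.840.113556.1.4.1941) form, and reports whether the ManagedBy user qualifies and which sAMAccountName would become %SuperUser%. It also escapes the DN per RFC 4515 before placing it in the filter, which matters when a ManagedBy DN contains a backslash or parentheses. The group DN is the one from the post; the computer name defaults to the local machine; the function names are assumptions.

```powershell
# Added example, not part of the original post. Assumes a domain-joined machine
# and the post's group DN; runs with the built-in [adsisearcher] accelerator only.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$AdminGroupDN = 'CN=GG_U_LocalAdmin,OU=Groups,OU=SystemCenter,OU=RDS,DC=rdsolutions,DC=local',
    [switch]$Nested
)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside a filter. A DN such as
    # "CN=Doe\, John,OU=Users,DC=example,DC=local" contains a backslash that,
    # pasted raw into (distinguishedName=...), breaks or changes the query.
    # Backslash is replaced first so the escapes added afterwards are not re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-ManagedByLocalAdmin {
    param([string]$ComputerName, [string]$GroupDN, [switch]$Nested)

    # Part 1 of the targeting: read the computer object's managedBy attribute.
    $sam = ConvertTo-LdapFilterValue ($ComputerName + '$')
    $computerSearcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
    [void]$computerSearcher.PropertiesToLoad.Add('managedBy')
    $computer = $computerSearcher.FindOne()
    if (-not $computer) { throw "Computer '$ComputerName' not found in AD" }

    $managedBy = $computer.Properties['managedby']
    if ($managedBy.Count -eq 0) {
        # No ManagedBy set: the first query yields nothing, so the targeting fails.
        return [pscustomobject]@{
            Computer = $ComputerName; ManagedBy = $null; Filter = $null; SuperUser = $null; Qualifies = $false
        }
    }
    $managedByDN = [string]$managedBy[0]

    # Part 2 of the targeting: is that user a member of the admin group?
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which walks nested groups.
    $dn    = ConvertTo-LdapFilterValue $managedByDN
    $group = ConvertTo-LdapFilterValue $GroupDN
    $memberOf = if ($Nested) { "memberOf:1.2.840.113556.1.4.1941:=$group" } else { "memberOf=$group" }
    $filter = "(&(objectCategory=user)(distinguishedName=$dn)($memberOf))"

    $userSearcher = [adsisearcher]$filter
    [void]$userSearcher.PropertiesToLoad.Add('sAMAccountName')
    $user = $userSearcher.FindOne()
    $superUser = if ($user) { [string]$user.Properties['samaccountname'][0] } else { $null }

    [pscustomobject]@{
        Computer  = $ComputerName
        ManagedBy = $managedByDN
        Filter    = $filter
        SuperUser = $superUser
        Qualifies = [bool]$user
    }
}

Test-ManagedByLocalAdmin -ComputerName $ComputerName -GroupDN $AdminGroupDN -Nested:$Nested
```

Run it once without and once with -Nested for a computer whose ManagedBy user is only in GG_U_LocalAdmin through another group: the first call returns Qualifies = False and the second True, which is exactly the difference the update above describes.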