views: 460

answers: 4

I need to create a .VBS script to reset the Windows local administrator password on a large group of computers. My problem is that some of our sites have renamed the administrator account for security reasons. Does anyone have a script which changes the password of the administrator account based on the SID of the original Administrator account?

A: 

There's a tool floating around somewhere called LookupAccountName (with source!) that given the SID of the builtin administrator will give you its name.

You're probably going to end up writing C++ code to pull this one off reasonably well.

Joshua
A: 

Like Joshua says, I don't think you can do this with Windows Scripting Host only, but you could use it to download something and execute it:

  • A custom app that calls LookupAccountSid(S-1-5-domain-500 SID or enum admin group)+NetUserSetInfo to reset the password (Needs to run this as admin)
  • http://home.eunet.no/pnordahl/ntpasswd/ (Reset at boot)
  • Dump the SAM hashes and crack the password (Cain,John the Ripper,L0phtCrack etc)
Anders
+1  A: 

Using the fact that local admin's SID always ends with -500:

strComputer="."    ' local computer by default   
Set objUser=GetObject("WinNT://" & strComputer & "/" & GetAdminName & ",user")     
objUser.SetPassword "New local admin password"     
objUser.SetInfo 

Function GetAdminName   
  'This function was written using information from Table J.1 from the Windows XP resource Kit
  'http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp

  Set objNetwork = CreateObject("Wscript.Network") 'get the current computer name 
  objComputerName = objNetwork.ComputerName    
  Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)

  qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'" 
  'set query, making sure to only look at local computer

  For Each Admin in objwmi.ExecQuery(qry)   
    if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 'look for admin sid
       GetAdminName = admin.name
    end if   
  next    
end Function
DmitryK
A: 

@DmitryK's answer is good, and I didn't know any of that stuff. But I do know that this sort of thing is usually cleaner in PowerShell, so I ported it.

For example, the whole GetAdminName function can be written:

$adminName = (gwmi win32_account | ? { $_.SID.StartsWith( 'S-1-5-' ) -and $_.SID.EndsWith( '-500' ) }).Name

(Add the -ComputerName option to the gwmi call to do this on a server.)

The rest becomes:

$user = ([ADSI]"WinNT://$($env:COMPUTERNAME)/$adminName,User")
$user.SetPassword( 'xxx' )
$user.SetInfo()

(applying the appropriate computer name as needed, of course.)

Jay Bazuzi
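Pulling DmitryK's and Jay's approaches together, here is an added example (not code from either answer or from the original thread) that resolves the built-in Administrator by its RID-500 SID and resets the password, using the same ADSI WinNT provider the thread uses. It assumes Windows PowerShell 3.0 or later for Get-CimInstance, uses Get-LocalUser when that module is present, and must run elevated on the machine being changed; the function names, the `$Rid500` pattern and the usage lines are mine, not the thread's.

```powershell
# Added example, not code from the original thread. Resolves the built-in
# local Administrator by its well-known RID (the SID always ends in -500)
# instead of by name, so a renamed account is still found, then resets its
# password. Run elevated on the machine whose account you are changing.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance); uses Get-LocalUser when
# the LocalAccounts module is present.

# Stricter than "starts with S-1-5- and ends with -500": this requires the
# machine-SID shape (S-1-5-21-x-y-z) so only a local RID-500 account matches.
$Rid500 = '^S-1-5-21-\d+-\d+-\d+-500$'

function Get-BuiltinAdminName {
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $admin = Get-LocalUser | Where-Object { $_.SID.ToString() -match $Rid500 }
    } else {
        # Fallback for older hosts: CIM, restricted to local accounts so a domain
        # Administrator (also RID 500, under the domain SID) is never picked.
        $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True' |
                 Where-Object { $_.SID.ToString() -match $Rid500 }
    }
    if (-not $admin) {
        throw "No local account with RID 500 found on $env:COMPUTERNAME"
    }
    return [string]$admin.Name
}

function Reset-BuiltinAdminPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.SecureString] $NewPassword
    )
    $name = Get-BuiltinAdminName
    # Same ADSI WinNT provider as the thread's VBScript/PowerShell answers.
    # SetPassword needs plain text, so the SecureString is unwrapped only here;
    # .NET strings are immutable, so dropping the reference limits exposure
    # rather than scrubbing memory.
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
    $plain = (New-Object System.Net.NetworkCredential('', $NewPassword)).Password
    try {
        $user.SetPassword($plain)
        $user.SetInfo()
    } finally {
        $plain = $null
    }
    Write-Verbose "Reset password of built-in administrator '$name' on $env:COMPUTERNAME"
    return $name
}

# Usage: prompt for the value so it never sits in the script or command history.
# $pw = Read-Host -AsSecureString -Prompt 'New password for the built-in Administrator'
# Reset-BuiltinAdminPassword -NewPassword $pw -Verbose
```

The `LocalAccount = True` filter and the `S-1-5-21-` prefix matter on domain-joined machines: a domain Administrator also carries RID 500, so matching only on the `-500` suffix can pick the wrong account once the query reaches beyond the local SAM. The function throws instead of silently returning an empty name, so a deployment run against a host where the lookup fails stops rather than passing an empty string into the WinNT path.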