Avian Waves : Blog
Bulk Local Administrator Password Management Tool
Posted By Timothy • Topic: Tech
Dec 8, 2005 3:36 PM EDT

I manage a domain of about 70 Windows machines. About 30 are 2003 servers. The rest are XP workstations. Initially I disabled all the local built-in admins for security purposes using Group Policy, but then I ran into a trouble PC that couldn't communicate with the domain. Uh oh. What do I do now? Turns out the network card was bad, so when it was replaced, everything was fine. But since I had never logged onto that machine with a domain admin account before, there was no way for it to authenticate that I was a domain admin (no cached credentials for the domain admin account). The local admin was still disabled and there was basically no way to administer that machine. What if this happened and it wasn't the NIC? Heck if I'm going to reinstall Windows for an oversight like that!

So I re-enabled all the local admins using GPO again. For a little while I set every local admin I ran into to the same password. But this is insecure too, because what if that password is compromised? I'd have to walk around to every computer, or at least connect to every computer via the Computer Management MMC, to reset the passwords. Ugh! Not fun.

So I looked around for a tool to automate this. The only solutions I could find involved writing startup scripts and deploying them through a GPO. This is bad for several reasons. (1) The new password is stored in plain text and transmitted in plain text over the network (or, at best, obfuscated somewhat, but not truly encrypted). (2) Startup scripts cannot be guaranteed to run. If the machine connects with a wireless card, the pre-logon state where startup scripts run may not have an active connection in time, so the script never executes; the event log kindly tells you it didn't. Also, some people never reboot their machines. That's fine normally, but if you rely on a startup script and a mandatory reboot from Windows Update, this isn't a good solution.

So I created XS BAP. XS because that's the name of the company I work for and they signed my paycheck while I designed this happy tool. BAP is for Bulk Admin Password tool. This tool is currently freeware and is provided with no warranty. This tool is not open source, so don't ask for the source code. The licensing agreement on subsequent versions of this tool may change without notice.

XS BAP allows you to import or manually enter each computer you want to manage on your domain. You can then specify the administrative password you want to use, or use the random password feature and get a unique random complex password for every machine. You can then update all machines at once, or only selected machines. After updating the password, you can verify that the password works using the verification feature.

XS BAP requires the .Net Framework 1.1. XS BAP works by resetting the Administrator password to whatever you specify, so you do not need to know the old password of the administrator (the "reset password" method, as opposed to the "change password" method). However, you do need to have local administrative access on every target machine. In a default Windows domain, Domain Admins have the appropriate level of access, so run this tool as a domain admin. I do not know how well this application scales, but I have used it on every machine in my domain at once. If you use it on a very large domain (hundreds or thousands of computers), let me know how it works! It will probably be slow, but hey... Slow and unattended is better than nothing!

You can save the data in an AES encrypted file (encrypted by supplying a password). This way when you need the password of that workstation you've never looked at before, just open the file and there it is! For additional security, I highly recommend also implementing EFS (NTFS's Encryption) on the saved password files. After all, compromise of the saved file will give an attacker the local passwords of every machine! Since the password file is symmetrically encrypted with a password, a brute force attack could theoretically, eventually, lead to a decrypted file. The encryption will certainly buy you time to change the passwords, should you ever discover that the password file was obtained by unauthorized personnel. But it is not hack-proof!
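As an added example (not XS BAP's own code), here is one way to keep an exported password list in a passphrase-encrypted file along the lines this paragraph describes, with the key stretched through PBKDF2 so every brute-force guess at the passphrase is expensive, an HMAC so tampering or a wrong passphrase is detected before anything is decrypted, and EFS applied on top as recommended. It assumes Windows PowerShell 5.1 or later on NTFS; the file path and the sample list are constructed.

```powershell
# Added example, not XS BAP's code. Layout of the file: salt(16) | IV(16) | AES-CBC ciphertext | HMAC-SHA256(32).
$Iterations = 600000   # raise until one derivation takes about half a second on your admin box

function Get-Keys {
    param([securestring]$Passphrase, [byte[]]$Salt)
    $plain = [pscredential]::new('x', $Passphrase).GetNetworkCredential().Password
    # PBKDF2 (RFC 2898); 64 bytes out: 32 for AES-256, 32 for the HMAC key.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plain, $Salt, $Iterations)
    $k = $kdf.GetBytes(64)
    @{ Enc = [byte[]]$k[0..31]; Mac = [byte[]]$k[32..63] }
}

function Protect-PasswordList {
    param([string]$Text, [securestring]$Passphrase, [string]$Path)
    $salt = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $keys = Get-Keys $Passphrase $salt
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES-256, CBC, PKCS7 by default
    $aes.Key = $keys.Enc; $aes.GenerateIV()
    $data = [Text.Encoding]::UTF8.GetBytes($Text)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    $body = [byte[]]($salt + $aes.IV + $ct)
    $mac = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash($body)
    [IO.File]::WriteAllBytes($Path, [byte[]]($body + $mac))
    (Get-Item $Path).Encrypt()   # EFS on top, as the post recommends
}

function Unprotect-PasswordList {
    param([securestring]$Passphrase, [string]$Path)
    $raw = [IO.File]::ReadAllBytes($Path)
    $body = [byte[]]$raw[0..($raw.Length - 33)]
    $keys = Get-Keys $Passphrase ([byte[]]$raw[0..15])
    $mac = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash($body)
    # Check the MAC first; a wrong passphrase or an edited file stops here.
    if ([Convert]::ToBase64String($mac) -ne [Convert]::ToBase64String([byte[]]$raw[-32..-1])) {
        throw 'Wrong passphrase or the file has been tampered with'
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc; $aes.IV = [byte[]]$raw[16..31]
    $ct = [byte[]]$raw[32..($raw.Length - 33)]
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length))
}

# Usage with a constructed sample list (not real credentials) and a hypothetical path.
$pass = Read-Host 'Passphrase' -AsSecureString
Protect-PasswordList -Text "Computer,Password`nWS01,example-only" -Passphrase $pass -Path 'C:\Secure\localadmins.bin'
Unprotect-PasswordList -Passphrase $pass -Path 'C:\Secure\localadmins.bin'
```

The iteration count is what turns the "brute force could eventually decrypt it" caveat into a cost the attacker pays per guess; the passphrase itself still has to be long and not reused anywhere else.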

The interface "feels" like Microsoft Access since it uses the DataGrid control. The help file sucks, but well... I'm a developer, not a tech writer. Maybe I'll add to it later! Hopefully it will be somewhat self-explanatory. If you have a question, post it to the blog here.

Known limitations: (1) If you import multiple domain controllers and modify the same account on each of them with a different password, the LAST password that was successfully "updated" is the current password. There is no feature to tell you whether you are updating a local workstation/server SAM database or Active Directory through a domain controller. As a general rule, don't update domain controllers, to save yourself hassle. (2) The verification process attempts to change the password to the same value to make sure the password works. This seems like a weird way to do it, but all the other logon methods I could find did not allow you to authenticate to a remote machine's SAM in .Net. If somebody knows of a better way, let me know. Anyway, since local administrators are exempt from certain password policies (such as minimum age), this method should always work. However, I make no guarantees that the verification process will not say "Failed" but then work when you try it manually on the target machine. On the flip side, though, if it says "Correct" it definitely works.
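As an added example (not XS BAP's code), the same reset-then-verify cycle the post describes, done from PowerShell through the ADSI WinNT provider: a unique random complex password per machine, a reset that needs no old password, and the same-value ChangePassword check used as verification. It assumes it runs as a Domain Admin, that the targets are reachable over SMB/RPC, and that the built-in account is still named "Administrator"; the computer list is constructed.

```powershell
# Added example, not XS BAP's code. Constructed computer list; adjust $Length to your policy.
$Computers = @('WS01', 'WS02', 'SRV01')
$Length    = 20

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (O/0, l/1/I) are left out so the password can be typed at a
    # console; one character from each class guarantees Windows complexity.
    $sets = @([char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ', [char[]]'abcdefghjkmnpqrstuvwxyz',
              [char[]]'23456789', [char[]]'!@#$%^&*-_=+?')
    $all = @(); foreach ($s in $sets) { $all += $s }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(4)
    # Index drawn from the CSPRNG; modulo bias is negligible for sets this small.
    $rand = { param($n) $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) % $n }
    $chars = @(foreach ($s in $sets) { $s[(& $rand $s.Count)] })
    while ($chars.Count -lt $Length) { $chars += $all[(& $rand $all.Count)] }
    # Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = [int](& $rand ($i + 1))
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

$results = foreach ($c in $Computers) {
    $pw = New-RandomPassword -Length $Length
    $status = 'Reset failed'
    try {
        $user = [ADSI]"WinNT://$c/Administrator,user"
        # SetPassword is the "reset" path: it needs admin rights on the target, not the old password.
        $user.SetPassword($pw)
        $user.SetInfo()
        # Verification as the post does it: ChangePassword(old, new) with the same value
        # succeeds only if the SAM accepts $pw as the current password.
        $status = 'Reset OK, verify failed'
        $user.ChangePassword($pw, $pw)
        $status = 'Correct'
    } catch { $status += ': ' + $_.Exception.Message }
    [pscustomobject]@{ Computer = $c; Password = $pw; Status = $status }
}

# Show only the status on screen; $results (with passwords) belongs in the encrypted store.
$results | Select-Object Computer, Status | Format-Table -AutoSize
```

Rows that end in 'Correct' are the only ones whose password is known good; treat anything else as a machine that still needs attention, exactly as the post's caveat says.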

If you have any questions, comments, or suggestions, reply to this post!

Here is the link to the file:

http://www.avianwaves.com/Tech/Tools/XS_BAP

At the time of this posting, there is only one version (1.0), and I will post here when newer versions are released. I will probably keep a little bit of a history on the download server, but may not keep all the versions online. Haven't decided yet.

Let me know if you find this tool useful!

Comments :
Hi,
Just want to add that even though the local administrator account is disabled, it should still be possible to log on using this account in Safe Mode (offline). Once you are within Safe Mode, the rest is just routine :)

Actually, if you boot the system into Safe Mode with Networking, it should even be possible to log on using an account from Domain Admins etc., even though he/she never logged on to the system before.

But anyway, I like your tool!
Comment By Jakob H. Heidelberg At 10/31/2006 6:42 PM EDT
Very good points, Jakob. However, if the network does not initialize in Safe Mode with Networking, your Domain Admin account will still not work, obviously. :-) However, you make a great point about disabled Administrator accounts and Safe Mode.
Comment By Timothy At 10/31/2006 8:16 PM EDT
Nice tool. There are issues with the menus on my system with Windows Standard/Large Fonts at 1152 x 864. Both the Help screen and Computer Browse are cut off on the right side and cannot be resized to see the dialog box.

Also, it would be nice to add OU support. Larger enterprises need it.
Comment By Alan At 11/1/2006 8:09 AM EDT
Hi,

Just wanted to say that this is an amazing tool.

I have one question, however: is there any way of importing computers from a .txt file or an .xls file, or even copying and pasting?

I have used the tool look@lan to ping all the systems on our network (not all are on our domain). Any way of importing this data directly?

Thanking you in advance
Comment By Harmanik At 1/9/2007 11:14 AM EDT
Harmanik - Good idea! I am almost finished with XS BAP 2.0 (will be in beta soon) and I will add a feature to import computer names from a text file before release.
Comment By Timothy At 1/9/2007 3:08 PM EDT
Great

Can't wait to see it & test it out
Comment By Harmanik At 1/15/2007 5:47 AM EDT
Can you add a feature to export data to Comma Separated Values (CSV) format? I need to be able to take the new passwords and load them into a secured database for later retrieval. Otherwise this will become a very cumbersome process.
Comment By Jason At 1/17/2007 11:44 AM EDT
Oops. I found out that I can export the data by selecting all rows and then using the standard ctrl-c to copy the data into the clipboard, and then just paste the data into a file and go from there.
Comment By Jason At 1/17/2007 12:15 PM EDT
We manage approximately 2600 devices. Is this tool capable of dealing with that many devices?

Suggestions: 1) Include the ability to import devices from an OU or group of OUs without having to go through an export/import process. 2) Allow the user to choose the length of the generated password. More and more is being made of having passwords longer than 15 characters.

Great tool. I look forward to seeing what you have in the next rev.
Comment By Steve At 1/19/2007 12:21 PM EDT
Fantastic tool! Just did 140 machines in 15 minutes for a client using 2.0. Worked very well.
I have a question on an error that I get during the password change while it is scanning and changing. It is a DataGridView Default Dialog:
System.Data.VersionNotFoundException

Any ideas? I think MS has a fix for this: Article ID: 839889, Last Review: May 21, 2007, Revision: 3.3
Comment By Chris At 6/5/2007 11:43 AM EDT
Hey, what about creating a VB script that automatically changes the local admin password according to the local machine name, using a complex formula, so that every machine will have its own password? Not only this, but I also found a way to change the .vbs file to an .exe file, so that it will be very difficult for any intruder to detect the formula or the generated password.

I'm asking from the security point of view: is that secure or not?

On the other side, can anyone tell me whether it will consume a huge amount of time to process the script during machine startup?

The script gets the computer name and generates a password using a formula based on the captured computer name.

I need to see your opinion on both sides, security-wise and processing time.

Thanks in advance
Comment By yasser At 12/6/2007 12:25 PM EDT
If it is in a vbscript, the formula can be obtained by the end user and reverse engineered -- no matter how complex. Truly random passwords are the only secure way to do this, which is what prompted me to create XS BAP.

As for processing time, the API that accesses the SAM is not the quickest in the world, but you are only talking about maybe a 5 to 10 second (max) increase in boot time from a script like that, I suspect. I haven't tried -- I'm going on my experiences with XS BAP.
Comment By Timothy At 12/6/2007 1:50 PM EDT
Hi. I cannot change the admin password on a PC. Maybe I made a mistake? Can you explain step by step how to use it?
Thanks.
Comment By Arman At 3/20/2009 9:10 AM EDT
Hi
I am trying to reset the password of a workstation which is in the domain.
Do I log on as a domain user that has admin rights and change the password, or can I log in as the local admin and change the password of the other machine?
Please reply to my email also

Thanks
Pavan
Comment By Pavan At 4/26/2010 11:46 AM EDT
Last time I forgot my password and tried everything I could do but failed, until I found this great tool Password Genius. It works great, and you can google it.
Comment By rcmichelle At 9/9/2010 3:26 AM EDT