We create an admin account for all our assets and would like to change all assets' admin passwords in bulk. Does anyone know if a script is available to check for the existence of the admin account and, if it is on the asset, to change it to $password?
You could definitely do it - I’ve got code that will check if a local account username/password combo is valid, and from there you could build it out.
- Check Local Account Exists
- Create it if it doesn’t
- Check it is in the expected group
- Fix it if it isn’t
- Check the user account is
- Password is correct
- Fix them if they aren’t right
- May want to configure “Special account” to hide the user from the Lock Screen menus
etc, and fix if they aren’t right.
FYI though - any password passed from Syncro will be hidden in the Portal - but can be visible in the PowerShell output if you are not careful how to
The security issue that Kevin has mentioned still stands but…
If you create a custom field for each customer “LocalAdminPassword” and give it a value you can then script the creation of a local admin using that custom value.
Make sure to add a platform variable that uses the custom field.
```powershell
# Log-Activity comes from the Syncro module
Import-Module $env:SyncroModule

# $LocalAdminPassword is the platform variable mapped to the custom field
$password = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
New-LocalUser -Name "AdminAccountName" -Password $password -Description "Local Admin Account" -ErrorAction Stop
Write-Host "Local User AdminAccountName Has Been Added"
Log-Activity -Message "Local User AdminAccountName Has Been Added" -EventName "Local User AdminAccountName Has Been Added"
# Stop on failure so the success message below is only logged when the add worked
Add-LocalGroupMember -Group "Administrators" -Member "AdminAccountName" -ErrorAction Stop
Write-Host "Local User AdminAccountName Has Been Upgraded To Admin"
Log-Activity -Message "Local User AdminAccountName Has Been Upgraded To Admin" -EventName "Local User AdminAccountName Has Been Upgraded To Admin"
```
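
Added example, not part of any post in this thread: an idempotent version of the checklist and script above that creates the account only if it is missing, resets the password otherwise, repairs group membership, and never writes the password to the script output. It assumes the `$LocalAdminPassword` platform variable and the `AdminAccountName` placeholder from the thread; the function name `Set-ManagedLocalAdmin` is hypothetical.

```powershell
# Added example (not from the thread). Assumes the Syncro platform variable
# $LocalAdminPassword and the thread's placeholder account name.
Import-Module $env:SyncroModule

$AccountName = "AdminAccountName"

function Set-ManagedLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Well-known SID of the built-in Administrators group; the group's
    # display name is localized on non-English Windows, the SID is not.
    $adminGroupSid = "S-1-5-32-544"
    $actions = @()

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        # Out-Null keeps the returned user object out of the script output
        New-LocalUser -Name $Name -Password $Password `
            -Description "Local Admin Account" -ErrorAction Stop | Out-Null
        $actions += "created"
    } else {
        # Account already exists: reset the password, re-enable if disabled
        Set-LocalUser -Name $Name -Password $Password -ErrorAction Stop
        $actions += "password reset"
        if (-not $user.Enabled) {
            Enable-LocalUser -Name $Name -ErrorAction Stop
            $actions += "enabled"
        }
    }

    # Compare by SID so a same-named domain account is not mistaken for it
    $sid = (Get-LocalUser -Name $Name -ErrorAction Stop).SID.Value
    $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
    if ($members.SID.Value -notcontains $sid) {
        Add-LocalGroupMember -SID $adminGroupSid -Member $Name -ErrorAction Stop
        $actions += "added to Administrators"
    }
    return $actions
}

if ([string]::IsNullOrWhiteSpace($LocalAdminPassword)) {
    throw "LocalAdminPassword platform variable is empty; nothing was changed."
}
$secure = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
$done = Set-ManagedLocalAdmin -Name $AccountName -Password $secure

# Only the list of actions is written or logged, never the password itself
$summary = "Local user ${AccountName}: " + ($done -join ", ")
Write-Host $summary
Log-Activity -Message $summary -EventName "Local Admin Account"
```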
There’s one in the community library to randomize it. I run it weekly. I wouldn’t use the same password across all systems, even just for the same client. This was needed in some RMMs, but not Syncro. Ransomware gets a hold of the password, they now have access to all systems.
That’s very good, defo going to implement that!
If you have a DC in your network, just use LAPS.