We create an admin account for all our assets and would like to change all assets' admin passwords in bulk. Does anyone know if a script is available to check for the existence of the admin account and if it is on the asset to change it to $password?
You could definitely do it - I’ve got code that will check if a local account username/password combo is valid, and from there you could build it out.
- Check Local Account Exists
  - Create it if it doesn’t
- Check it is in the expected group
  - Fix it if it isn’t
- Check the user account is
  - Enabled
  - Unlocked
  - Password is correct
  - Fix them if they aren’t right
- May want to configure “Special account” to hide the user from the Lock Screen menus

etc, and fix if they aren’t right.
FYI though - any password passed from Syncro will be hidden in the Portal - but can be visible in the PowerShell output if you are not careful how to
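The checklist in the reply above, sketched as an idempotent script (an added example, not code from the thread or from Syncro). `Repair-LocalAdminAccount` is a hypothetical helper name; `$LocalAdminPassword` and `AdminAccountName` are the platform variable and placeholder account name used elsewhere in this thread. It resets the password unconditionally instead of testing the old one, and does not cover the unlock or "Special account" steps.

```powershell
function Repair-LocalAdminAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $ErrorActionPreference = 'Stop'   # any failed step aborts the function
    $changes = @()

    # Exists? Create it if not; otherwise bring the password to the expected value.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $Name -Password $Password -Description 'Local Admin Account'
        $changes += 'created'
    } else {
        $user | Set-LocalUser -Password $Password
        $changes += 'password reset'
    }

    # Enabled? Fix it if not.
    if (-not $user.Enabled) {
        $user | Enable-LocalUser
        $changes += 'enabled'
    }

    # In the expected group? S-1-5-32-544 is the built-in Administrators group;
    # the SID is the same on every Windows language edition, unlike the name.
    $adminSid = 'S-1-5-32-544'
    $members  = Get-LocalGroupMember -SID $adminSid
    if ($members.SID.Value -notcontains $user.SID.Value) {
        Add-LocalGroupMember -SID $adminSid -Member $user
        $changes += 'added to Administrators'
    }
    return $changes
}

# Convert once. Only the list of changes is written to the script output,
# never $LocalAdminPassword or the SecureString.
$secure = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
$done   = Repair-LocalAdminAccount -Name 'AdminAccountName' -Password $secure
Write-Host "AdminAccountName: $($done -join ', ')"
```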
The security issue that Kevin has mentioned still stands but…
If you create a custom field for each customer “LocalAdminPassword” and give it a value you can then script the creation of a local admin using that custom value.
Make sure to add a platform variable that uses the custom field.
```powershell
# Log-Activity comes from the Syncro module
Import-Module $env:SyncroModule

# $LocalAdminPassword is the platform variable mapped to the customer custom field
$password = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
New-LocalUser -Name "AdminAccountName" -Password $password -Description "Local Admin Account" -ErrorAction Stop
Write-Host "Local User AdminAccountName Has Been Added"
Log-Activity -Message "Local User AdminAccountName Has Been Added" -EventName "Local User AdminAccountName Has Been Added"

# Promote the new account to local administrator
Add-LocalGroupMember -Group "Administrators" -Member "AdminAccountName"
Write-Host "Local User AdminAccountName Has Been Upgraded To Admin"
Log-Activity -Message "Local User AdminAccountName Has Been Upgraded To Admin" -EventName "Local User AdminAccountName Has Been Upgraded To Admin"
```
There’s one in the community library to randomize it. I run it weekly. I wouldn’t use the same password across all systems, even just for the same client. This was needed in some RMMs, but not Syncro. Ransomware gets a hold of the password, they now have access to all systems.
Hi,
what type of custom field are you using? Secret or just a text field?
If secret - will the script automatically decrypt the field with the Password Vault pass phrase?
Thank you.