Bulk Admin password change

itaddicts · November 21, 2021, 2:30pm

Hello

We create a admin account for all our assets and would like to change all assets admin passwords in bulk. Does anyone know if a script is available to check for the existence of the admin account and if it is on the asset to change it to $password?

Thanks.

KevinC · November 22, 2021, 9:37am

You could definitely do it - I’ve got code that will check if a local account username/password combo is valid, and from there you could build it out.

Check Local Account Exists
Create it if it doesn’t
Check it is in the expected group
Fix it if it isn’t
Check the user account is
- Enabled
- Unlocked
- Password is correct
Fix them if they aren’t right
May want to configure “Special account” to hide the user from the Lock Screen menus

etc, and fix if they aren’t right.

FYI though - any password passed from Syncro will be hidden in the Portal - but can be visible in the PowerShell output if you are not careful how to

luke1 · November 22, 2021, 4:06pm

The security issue that Kevin has mentioned still stands but…

If you create a custom field for each customer “LocalAdminPassword” and give it a value you can then script the creation of a local admin using that custom value.
Make sure to add a platform variable that uses the custom field.

 $password = ConvertTo-SecureString $LocalAdminPassword  -AsPlainText -Force
    New-LocalUser -Name "AdminAccountName" -Password $password -Description "Local Admin Account" -ErrorAction Stop
     Write-Host "Local User AdminAccountName Has Been Added"
     Log-Activity -Message "Local User AdminAccountName Has Been Added" -EventName "Local User AdminAccountName Has Been Added"
    Add-LocalGroupMember -Group "Administrators" -Member "AdminAccountName"
     Write-Host "Local User AdminAccountName Has Been Upgraded To Admin"
     Log-Activity -Message "Local User AdminAccountName Has Been Upgraded To Admin" -EventName "Local User AdminAccountName Has Been Upgraded To Admin"

Jimmie · November 22, 2021, 4:16pm

There’s one in the community library to randomize it. I run it weekly. I wouldn’t use the same password across all systems, even just for the same client. This was needed in some RMMs, but not Syncro. Ransomware gets a hold of the password, they now have access to all systems.

luke1 · November 22, 2021, 5:47pm

That’s very good, defo going to implement that!
Thanks Jimmie!

itaddicts · November 22, 2021, 9:06pm

Looks good. Thanks

I will give it a try.

itnextg · February 21, 2022, 5:32pm

if you have an DC in your network jsut use LAPS

frank2 · December 26, 2022, 4:40pm

Hi,
what type of custom field are you using? Secret or just a text field?
If secret - will the script automatically decrypt the field with the Password Vault pass phrase?
Thank you.

luke1 · January 3, 2023, 10:17am

Hello Frank,

We’re using the custom fields for the customer and not within the asset so it doesn’t give us the option to use a password field.

We haven’t used the secure field anywhere else so I’m not able to be of any help regarding it’s encryption/decryption.