Bulk Admin password change

Hello

We create an admin account for all our assets and would like to change all assets' admin passwords in bulk. Does anyone know if a script is available to check for the existence of the admin account and, if it is on the asset, to change it to $password?

Thanks.

You could definitely do it - I’ve got code that will check if a local account username/password combo is valid, and from there you could build it out.

  • Check Local Account Exists
  • Create it if it doesn’t
  • Check it is in the expected group
  • Fix it if it isn’t
  • Check the user account is
    • Enabled
    • Unlocked
    • Password is correct
  • Fix them if they aren’t right
  • May want to configure “Special account” to hide the user from the Lock Screen menus

etc, and fix if they aren’t right.

FYI though - any password passed from Syncro will be hidden in the Portal - but can be visible in the PowerShell output if you are not careful how to

1 Like
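
The checklist in the reply above, as an added example that is not code from the thread or from Syncro. It assumes `$LocalAdminPassword` is supplied by the RMM as a script variable and uses `AdminAccountName` as a placeholder. The ADSI lockout check and the `SpecialAccounts\UserList` registry value are this example's choices for the "Unlocked" and "Special account" items.

```powershell
# Added example, not from the thread. Assumes $LocalAdminPassword is supplied
# by the RMM as a script variable; $AdminName is a placeholder account name.
$ErrorActionPreference = 'Stop'
$AdminName = 'AdminAccountName'
$AdminsSid = 'S-1-5-32-544'   # built-in Administrators, independent of OS language
if (-not $LocalAdminPassword) { throw 'LocalAdminPassword variable is empty' }
$secure  = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
$changes = @()

# Account exists? Create it if not; otherwise set the password unconditionally.
# Setting it (rather than testing a logon) avoids failed attempts that count
# toward the lockout threshold.
$user = Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $AdminName -Password $secure -Description 'Local Admin Account'
    $changes += 'created'
} else {
    Set-LocalUser -Name $AdminName -Password $secure
    $changes += 'password set'
}

# Enabled?
if (-not $user.Enabled) {
    Enable-LocalUser -Name $AdminName
    $changes += 'enabled'
}

# Unlocked? The LocalAccounts cmdlets do not expose lockout state, so read it via ADSI.
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$AdminName,user"
if ($adsi.psbase.InvokeGet('IsAccountLocked')) {
    $adsi.psbase.InvokeSet('IsAccountLocked', $false)
    $adsi.psbase.CommitChanges()
    $changes += 'unlocked'
}

# In the expected group?
if (-not (Get-LocalGroupMember -SID $AdminsSid -Member $AdminName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID $AdminsSid -Member $AdminName
    $changes += 'added to Administrators'
}

# Optional: hide the account from the sign-in screen ("special account").
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $AdminName -Value 0 -PropertyType DWord -Force | Out-Null

# Report what changed; never write $LocalAdminPassword or $secure to output.
Write-Host "$AdminName on ${env:COMPUTERNAME}: $($changes -join ', ')"
```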

The security issue that Kevin has mentioned still stands but…

If you create a custom field for each customer “LocalAdminPassword” and give it a value you can then script the creation of a local admin using that custom value.
Make sure to add a platform variable that uses the custom field.

    # Log-Activity is provided by the Syncro module
    Import-Module $env:SyncroModule
    # $LocalAdminPassword is the platform variable mapped to the customer custom field
    $password = ConvertTo-SecureString $LocalAdminPassword -AsPlainText -Force
    # Create the account; -ErrorAction Stop halts the script if creation fails
    New-LocalUser -Name "AdminAccountName" -Password $password -Description "Local Admin Account" -ErrorAction Stop
    Write-Host "Local User AdminAccountName Has Been Added"
    Log-Activity -Message "Local User AdminAccountName Has Been Added" -EventName "Local User AdminAccountName Has Been Added"
    # Add the new account to the local Administrators group
    Add-LocalGroupMember -Group "Administrators" -Member "AdminAccountName"
    Write-Host "Local User AdminAccountName Has Been Upgraded To Admin"
    Log-Activity -Message "Local User AdminAccountName Has Been Upgraded To Admin" -EventName "Local User AdminAccountName Has Been Upgraded To Admin"
   
1 Like

There’s one in the community library to randomize it. I run it weekly. I wouldn’t use the same password across all systems, even just for the same client. This was needed in some RMMs, but not Syncro. Ransomware gets a hold of the password, they now have access to all systems.

2 Likes

That’s very good, defo going to implement that!
Thanks Jimmie!

Looks good. Thanks

I will give it a try.

If you have a DC in your network, just use LAPS.

1 Like

Hi,
what type of custom field are you using? Secret or just a text field?
If secret - will the script automatically decrypt the field with the Password Vault pass phrase?
Thank you.

Hello Frank,

We’re using the custom fields for the customer and not within the asset so it doesn’t give us the option to use a password field.

We haven’t used the secure field anywhere else so I’m not able to be of any help regarding its encryption/decryption.