Using Cusrmgr to Change Local Administrator Passwords

I need to change the local Administrator password on 50 computers within my domain. Can I automate this process?

Virtually all comprehensive enterprise network-administration tools can accomplish this task. If you want a small tool that performs only this function, consider a program such as Foghorn Security's Local Account Password Manager (LAPM). For details, visit http://www.foghornsecurity.com/lapm.

For a do-it-yourself solution, you can use the Microsoft Windows 2000 Server Resource Kit's Cusrmgr utility to remotely change the properties—including the password—of a Win2K or Windows NT 4.0 domain user account. To process account changes on multiple servers or workstations, you can use cusrmgr.exe from within a batch (i.e., .cmd or .bat) file. For example, to change the local Administrator password to mypass on the computers ws1 and ws2, you can run a batch file that includes the following commands:

cusrmgr.exe -u administrator -m \WS1 -P mypasscusrmgr.exe -u administrator -m \WS2 -P mypass

This example assumes that the Administrator account is still set to the default of Administrator and that you have administrative privileges on both systems. Also, the -P switch is case sensitive (the lowercase -p switch sets the account password to a random string).

You can use a slightly modified version of this batch file to rename the Administrator account and change its password simultaneously. For example, to rename the account to BigKahuna and change the password to mypass, run a batch file including the following commands:

cusrmgr.exe -u Administrator -m \WS1 -r BigKahuna -P mypasscusrmgr.exe -u Administrator -m \WS2 -r BigKahuna -P mypass

To accomplish your task, generate a list of the domain computers on which you want to change the local Administrator password, then save the results into a file. (You can use a utility such as Netdom—netdom.exe, available with the Win2K Support Tools or in the Microsoft Windows NT Server 4.0 Resource Kit—and a tiny bit of scripting to carry out this step. See http://www.jsiinc.com/subg/tip3400/rh3459.htm for an example of a batch file that uses Netdom to perform a similar task, or see Darren Mar-Elia, "10 Resource Kit Remote Administration Tools," April 2001, InstantDoc ID 20046, for more information about the tool.) Then, create a batch file that uses cusrmgr.exe to change the local Administrator account password for each computer in the list.