PowerShell: Change the Local Administrator Account/Password

Back in May of 2014 Microsoft released a Windows update, MS14-025, that removed the ability to push passwords out to workstations remotely using Group Policy because of an elevation-of-privilege issue. Once that patch is applied, changing the local admin password is a rather large pain without something like SCCM in place.

After working through some similar issues and reading a few TechNet articles, I decided to build a quick and slightly dirty PowerShell script to do several things as needed. This particular script does the following:

  1. Renames the Administrator Account on a specified computer.
  2. Resets the password of that account on the specified computer.
  3. Enables or Disables the default Administrator account.
  4. Creates a dummy account called "Administrator" that has no rights and a static password of "P@ssword1".

What this script DOESN'T do:

  1. Provide any flexibility as to whether the password is set to expire or not.
  2. Encrypt, well, anything. It's all in raw plain text. Some other day I might go back and encrypt the password that is sent to the local administrator account.
  3. Currently process a list of computers. It could, though; the logic is there, just not tested or used.

$computers = Read-Host "What is the Computer Name?" # Enter the name of the computer you would like to modify
$userPW = Read-Host "What is the Password you would like to set?" # Enter the password you would like to set for the Administrator account
$CurrentAdmin = Read-Host "What is the Current Administrator Name?" # Enter the name of the current administrator account
$NewAdminName = Read-Host "What would you like to rename the Administrator Account to?" # Assumed prompt: the post describes a rename, but the script as posted did not show where the new name comes from
$DisableDefaultAdminAccount = Read-Host "If you would like to ENABLE the Default Administrator Account enter 0. If you would like to DISABLE the account enter 2" # Enter the status you would like the Administrator account to have: enabled or disabled
foreach ($computer in $computers) { # This doesn't need to be a loop; it is left this way so it doesn't hurt anything and a LIST of computers could be fed in later
    if (Test-Connection -ComputerName $computer -Quiet) {
        try {
            $localAdmin = [ADSI]("WinNT://" + $computer + "/" + $CurrentAdmin + ",User")
            $localAdmin.SetPassword($userPW) # Reset the password of the real administrator account (takes effect immediately on the WinNT provider)
            if ($DisableDefaultAdminAccount -eq '0') {
                $localAdmin.UserFlags = 65536 # UserFlags value for the account to be active with a password set to never expire
                $localAdmin.CommitChanges()   # Commit the change
            }
            else {
                $localAdmin.UserFlags = 66083 # UserFlags value for the account to be disabled with a password set to never expire
                $localAdmin.CommitChanges()   # Commit the change
            }
            $localAdmin.psbase.Rename($NewAdminName) # Rename the real account so the name "Administrator" is free for the dummy account
            Write-Host "Successfully Renamed Administrator Account on $computer" -ForegroundColor Green
            $ObjComputer = [ADSI]("WinNT://" + $computer)
            $DummyUser = $ObjComputer.Create("User", "Administrator")
            $DummyUser.SetPassword("P@ssword1") # Static password for the dummy account, as described above
            $DummyUser.SetInfo() # Commit this new account with this password to the SAM DB; this makes the account visible and actable upon
            $DummyUser.Description = "Dummy Account" # Update the description of the account once committed to SAM
            $DummyUser.UserFlags = 66083 # Disabled, password never expires
            $DummyUser.CommitChanges() # Commit the change of disabled and the description
            Write-Host "Successfully Created Administrator Account on $computer" -ForegroundColor Green
        }
        catch {
            Write-Host "$_" -ForegroundColor Red
        }
    }
    else {
        Write-Host "Ping Failed to" $computer
    }
}
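Because the script above renames the real account and creates a decoy named "Administrator", the account name stops being a reliable way to tell which one is the built-in admin. The read-only audit below is an added example (not part of the original post's script): it lists every local user through the same WinNT ADSI provider, identifies the built-in Administrator by its RID-500 SID regardless of name, and decodes the UserFlags bit mask so values like 65536 and 66083 can be read back. The function name ConvertTo-UserFlagNames and the parameter name are my own; the bit values are the documented ADS_USER_FLAG_ENUM constants.

```powershell
# Added audit example: verify the state of local accounts after the rename/dummy-account script ran.
# Assumes the WinNT ADSI provider and remote SAM access, exactly as the script above does.
param([string]$ComputerName = $env:COMPUTERNAME)

# Bit values from ADS_USER_FLAG_ENUM (the enum behind IADsUser.UserFlags)
$flagNames = @{
    0x00001 = 'SCRIPT'
    0x00002 = 'ACCOUNTDISABLE'
    0x00010 = 'LOCKOUT'
    0x00020 = 'PASSWD_NOTREQD'
    0x00040 = 'PASSWD_CANT_CHANGE'
    0x00200 = 'NORMAL_ACCOUNT'
    0x10000 = 'DONT_EXPIRE_PASSWD'
}

function ConvertTo-UserFlagNames([int]$UserFlags) {
    # Return the name of every bit set in $UserFlags.
    # 66083 decodes to SCRIPT, ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD;
    # 65536 decodes to DONT_EXPIRE_PASSWD alone.
    $flagNames.Keys | Sort-Object | Where-Object { $UserFlags -band $_ } | ForEach-Object { $flagNames[$_] }
}

$computer = [ADSI]("WinNT://" + $ComputerName)
$computer.Children | Where-Object { $_.SchemaClassName -eq 'User' } | ForEach-Object {
    # objectSid comes back as a byte array; SecurityIdentifier turns it into the S-1-5-... form
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
    $flags = [int]$_.UserFlags.Value
    [pscustomobject]@{
        Computer       = $ComputerName
        Name           = $_.Name.Value
        Description    = $_.Description.Value
        Sid            = $sid.Value
        IsBuiltInAdmin = $sid.Value.EndsWith('-500')   # RID 500 is the built-in Administrator whatever it is called
        Disabled       = [bool]($flags -band 0x2)
        UserFlags      = $flags
        Flags          = (ConvertTo-UserFlagNames $flags) -join ','
    }
} | Format-Table -AutoSize
```

One caveat the decoded values make visible: assigning 65536 wholesale sets only DONT_EXPIRE_PASSWD and clears every other bit the account had, including NORMAL_ACCOUNT (0x200). OR-ing the flag onto the existing UserFlags value (`$localAdmin.UserFlags.Value -bor 0x10000`) preserves them.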

Some other future developments may include randomizing the provided password, encrypting it, and storing it somewhere.

Please note, as with everything posted here, this is published as is and doesn't promise support, or that it will work well or properly even within your environment.
