#1 (permalink)

Changing the local admin password base on the computer's OU

Hello, I've been banging my head against the wall on this issue, hope someone can help me out.

I have computers spread on several physical sites across the globe, with a different OU for each site. I need to be able to change the local admin password on each computer, depending on which OU it is a part of. The intent is to put this script in a GPO that runs every time the computer starts up, allowing us to change local admin passwords pretty easily.

Our AD is set up so that we have an OU for each site, then an OU for computers in that site, then different OU's based on the department the computer is part of (eg Real time 3D, Modeling, etc.)

This is what I've tried:

```vbscript
On Error Resume Next

' //////////////////////////////////////////////////////////////
' ///////////////////////// VARIABLES //////////////////////////
' //////////////////////////////////////////////////////////////

Dim WshNetwork, Sh, fso, WSHShell
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set Sh = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

ComputerName = WshNetwork.ComputerName

Set oGroup_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1,OU=Computers,OU=Modeling,DC=<domain>,DC=xx")
Set oGroup_TEST2 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST2,OU=Computers,OU=3D,DC=<domain>,DC=xx")

'Change the local admin pwd for OU TEST1
If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) = true Then
    Set Shell = Wscript.CreateObject ("Wscript.Shell" )
    strComputer = Shell.ExpandEnvironmentStrings ("%COMPUTERNAME%" )
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user" )
    objUser.SetPassword "TEST1"
    objUser.SetInfo
End If

'Change the local admin pwd for OU TEST2
If oGroup_TEST2.IsMember("WinNT://<domain>/" & ComputerName) = true Then
    Set Shell = Wscript.CreateObject ("Wscript.Shell" )
    strComputer = Shell.ExpandEnvironmentStrings ("%COMPUTERNAME%" )
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user" )
    objUser.SetPassword "TEST2"
    objUser.SetInfo
End If
```

This doesn't seem to work though: no matter how many IF conditions I set, the last one is always applied. I added a simple Echo telling me which password was set and I could see that the password was actually first changed to TEST1, then to TEST2: it's as if the IF conditions don't matter at all.

I'm not sure if the problem lies within my IF conditions or from the GetObject, but I'm totally lost here. I had a previous version of this script that instead made a check on the computer's IP address to check which subnet it was part of (different subnets for different sites) but we've decided to change that in favor of an OU membership check.

Any help would be massively appreciated.
#2 (permalink)

Re: Changing the local admin password base on the computer's OU

Hi, Myrddin,

I would have two recommendations:

1. Instead of "if <condition> = true then" you can use simply "if <condition> then". It is easier to read/write and can cause fewer errors.
2. In your source you check two different conditions, which does not necessarily make them alternative. In other words, setting oGroup_TEST1 to something and then oGroup_TEST2 to some other thing, would mean, that both conditions can be true:

```vbscript
If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) Then
    ....
End If

If oGroup_TEST2.IsMember("WinNT://<domain>/" & ComputerName) Then
    ....
End If
```

In this case both condition bodies (...) will be executed.

If you want to make them alternative, then you have to use Elseif:

```vbscript
If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) Then
    ....
Elseif oGroup_TEST2.IsMember("WinNT://<domain>/" & ComputerName) Then
    ....
Elseif <other conditions..> Then
    ....
End If
```

This snippet is guaranteed to execute only one of the actions, designated with "...". You can use as many Elseif-s as necessary.

Best Regards,
Vasil
#3 (permalink)

Re: Changing the local admin password base on the computer's OU

Hi again,

And maybe a third recommendation:

3. You can put the common code of the two IF-bodies in front of them, so you do not have duplicate code. In case you have to change something, you would do it only in 1 place, not in 2. However, you should be careful that the 3 moved lines will be executed always, regardless of the conditions (which does not seem to be a problem in this current case).

Here is your modified code:

```vbscript
Dim WshNetwork, Sh, fso, WSHShell
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set Sh = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

ComputerName = WshNetwork.ComputerName

' The following 3 lines are common for both conditions and executed before them.
Set Shell = Wscript.CreateObject ("Wscript.Shell" )
strComputer = Shell.ExpandEnvironmentStrings ("%COMPUTERNAME%" )
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user" )

Set oGroup_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1,OU=Computers,OU=Modeling,DC=<domain>,DC=xx")
Set oGroup_TEST2 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST2,OU=Computers,OU=3D,DC=<domain>,DC=xx")

'Change the local admin pwd for OU TEST1
If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) Then
    objUser.SetInfo
    objUser.SetPassword "TEST1"
ElseIf oGroup_TEST2.IsMember("WinNT://<domain>/" & ComputerName) Then
    'Change the local admin pwd for OU TEST2
    objUser.SetPassword "TEST2"
    objUser.SetInfo
End If
```
#4 (permalink)

Re: Changing the local admin password base on the computer's OU

I modified my code with your help, but I'm still getting the same problem, no matter which OU the computer is in (test1, test2, xxx or yyy etc.) it comes out as being in the first OU that the script tests (test1 in this case, whereas the computer is actually in test2).

This leads me to think either the condition or the GetObject is wrong. I've tried both of these with the same results:

```vbscript
Set oGroupe_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1, OU=Computers, OU=modeling,DC=<domain>,DC=xxx")
```

and

```vbscript
Set oGroupe_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=modeling,OU=Computers,OU=TEST1 ,DC=<domain>,DC=xxx")
```

My test OU's look like this:

```
TEST1
    Computers
        Modeling
        3D
TEST2
    Computers
        Modeling
        3D
```

I'm less and less sure about the if condition " If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) Then " but I've been at this for quite a while now and can't seem to be objective anymore.
#5 (permalink)

Re: Changing the local admin password base on the computer's OU

"Myrddin" <MyrddinMT@xxxxxx> wrote in message news:de67ce58-eaa2-43ab-a448-f4011c82836e@xxxxxx

====> Is the name of your domain actually "<domain>"? If not, then the code you are showing is not exactly what you are running.

> Thanks for the reply.
>
> I modified my code with your help, but I'm still getting the same problem, no matter which OU the computer is in (test1, test2, xxx or yyy etc.) it comes out as being in the first OU that the script tests (test1 in this case, whereas the computer is actually in test2).
>
> This leads me to think either the condition or the GetObject is wrong. I've tried both of these with the same results:
>
> Set oGroupe_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1, OU=Computers, OU=modeling,DC=<domain>,DC=xxx")
>
> and
>
> Set oGroupe_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=modeling,OU=Computers,OU=TEST1 ,DC=<domain>,DC=xxx")
>
> My test OU's look like this:
>
> TEST1 > Computers > Modeling, 3D
> TEST2 > Computers > Modeling, 3D
>
> I'm less and less sure about the if condition " If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) Then " but I've been at this for quite a while now and can't seem to be objective anymore.

====> Been there, done that. The issue here is the same as your original problem: all of your tests give a true result. This means that they are not testing the condition you think they are testing.

I am surprised that your code is not throwing an error. These two statements cannot possibly both return valid computer objects, as the indicated computer cannot be in two different OU's:

> Set oGroup_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1,OU=Computers,OU=Modeling,DC=<domain>,DC=xx")
> Set oGroup_TEST2 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST2,OU=Computers,OU=3D,DC=<domain>,DC=xx")

anything other than a group, so I do not know what it means to test a computer's membership in a WinNT-based object that appears to represent itself.

I would suggest you modify the code to verify what the oGroup_test1 and etc objects actually refer to.

/Al
#6 (permalink)

Re: Changing the local admin password base on the computer's OU

1. Do not use "On Error Resume Next". It makes troubleshooting nearly impossible. I suspect your If (and End If) statements are ignored and the code within each is running.
2. Your script appears to check for group membership. This will work if you have one group for each OU, but it requires you to be sure that all computers in the OU are members of the group. That seems more work than necessary, and subject to error.
3. When you seem to bind to the groups, you are actually binding to the computer objects, not a group. I would expect errors, but you don't see them because of "On Error Resume Next". I suspect you do not have the required groups.
4. When you check group membership you pass a WinNT provider ADsPath to an object bound with the LDAP provider. That cannot work. I think all of these If statements are being skipped.
5. The only reliable way to check which OU an object is in is to bind to the object and use the Parent method to retrieve the ADsPath of the parent OU/Container. Then you can compare the Distinguished Name of the Parent object with the full Distinguished Name of the OU. Most any other method can fail in certain conditions.
6. I see no reason to retrieve the value of the environment variable %COMPUTERNAME%. This is the NetBIOS name of the computer, but so is wshNetwork.ComputerName. When you bind to the group/computer objects you assume that the common name of the computer is the same as the NetBIOS name. This does not have to be, but probably is.
7. Finally, computer passwords can be changed in a Startup script, but there are two potential downsides. First, it will run repeatedly. Second, you never know when the password has been changed. I prefer changing computer passwords remotely myself from my computer. This requires a bit more code, and requires the computers to be running, but it can be coded so you can run it repeatedly only on the computers that have not yet gotten the change applied.

I'll post suggested code shortly, when I get a chance.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
#7 (permalink)

Re: Changing the local admin password base on the computer's OU

A few more comments.

1. The SetPassword method is immediate, so there is no need to use the SetInfo method.
2. You don't need to know which OU the computer is in to bind to the local Administrator user. This can happen outside any If/End If.
3. I use the ADSystemInfo object to retrieve the Distinguished Name of the computer. This avoids assuming that the Common Name matches the NetBIOS name.

Here is my suggestion if you do this in a Startup script, assuming you want the password to depend on the OU the computer is in (rather than any group membership). This has not been tested. Watch line wrapping.

```vbscript
Option Explicit

Dim objSysInfo, objComputer, objParent, objNetwork, strComputer
Dim objLocalAdmin

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to computer object with LDAP provider.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Bind to the parent OU/Container object.
Set objParent = GetObject(objComputer.Parent)

' Bind to local Administrator user.
Set objLocalAdmin = GetObject("WinNT://" & strComputer & "/Administrator,user")

' Check if computer in ou=Test1.
' LCase on both sides: VBScript's "=" is case-sensitive, DNs are not.
If (LCase(objParent.distinguishedName) = LCase("ou=Test1,ou=Computers,ou=Modeling,dc=MyDomain,dc=com")) Then
    ' Reset the password.
    objLocalAdmin.SetPassword "TEST1"
End If

' Check if computer in ou=Test2.
If (LCase(objParent.distinguishedName) = LCase("ou=Test2,ou=Computers,ou=Modeling,dc=MyDomain,dc=com")) Then
    ' Reset the password.
    objLocalAdmin.SetPassword "TEST2"
End If
```

If I get a chance I'll post suggested code to change the computer passwords remotely in bulk.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
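An added example, not code from any poster in this thread: the startup script in post #7 compares the computer's immediate parent OU, while in the site > Computers > department layout described in post #1 the site OU is an ancestor rather than the parent. The sketch below goes beyond the posted script by matching any ancestor OU, comparing whole RDNs case-insensitively so that a site named TEST1 is never confused with TEST10. The function names, the example.com domain and the sample DNs are constructed for illustration.

```vbscript
Option Explicit

' Split a distinguished name into its RDNs, keeping backslash-escaped
' commas (for example "CN=Lab\, PC04") inside the RDN they belong to.
Function SplitDN(strDN)
    Dim arrParts(), intCount, strPart, i, ch
    intCount = 0
    strPart = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            ' Copy the escape and the character it protects as one unit.
            strPart = strPart & ch & Mid(strDN, i + 1, 1)
            i = i + 2
        ElseIf ch = "," Then
            ReDim Preserve arrParts(intCount)
            arrParts(intCount) = Trim(strPart)
            intCount = intCount + 1
            strPart = ""
            i = i + 1
        Else
            strPart = strPart & ch
            i = i + 1
        End If
    Loop
    ReDim Preserve arrParts(intCount)
    arrParts(intCount) = Trim(strPart)
    SplitDN = arrParts
End Function

' True when strObjectDN lies anywhere below strOUDN. The trailing RDNs of
' the object must equal the RDNs of the OU, one by one, ignoring case.
' Assumption: RDNs are written without spaces around "=".
Function IsUnderOU(strObjectDN, strOUDN)
    Dim arrObj, arrOU, intOffset, i
    arrObj = SplitDN(strObjectDN)
    arrOU = SplitDN(strOUDN)
    IsUnderOU = False
    intOffset = UBound(arrObj) - UBound(arrOU)
    ' The object needs at least one RDN more than the OU itself.
    If intOffset < 1 Then Exit Function
    For i = 0 To UBound(arrOU)
        If StrComp(arrObj(i + intOffset), arrOU(i), vbTextCompare) <> 0 Then
            Exit Function
        End If
    Next
    IsUnderOU = True
End Function

' Return the label of the first site OU that contains the computer,
' or an empty string when no configured site matches.
Function SiteForComputer(strComputerDN, dicSites)
    Dim strOU
    SiteForComputer = ""
    For Each strOU In dicSites.Keys
        If IsUnderOU(strComputerDN, strOU) Then
            SiteForComputer = dicSites(strOU)
            Exit Function
        End If
    Next
End Function

' Constructed site table: site OU DN -> site label. The caller decides
' what to do per label; no credential is stored in this example.
Dim dicSites, strDN
Set dicSites = CreateObject("Scripting.Dictionary")
dicSites.Add "OU=TEST1,DC=example,DC=com", "Site TEST1"
dicSites.Add "OU=TEST2,DC=example,DC=com", "Site TEST2"

' Constructed sample DNs: a department OU below a site, a lower-case DN,
' a site whose name merely starts with TEST1, and an escaped comma.
For Each strDN In Array( _
    "CN=PC01,OU=Modeling,OU=Computers,OU=TEST1,DC=example,DC=com", _
    "cn=pc02,ou=3d,ou=computers,ou=test2,dc=example,dc=com", _
    "CN=PC03,OU=3D,OU=Computers,OU=TEST10,DC=example,DC=com", _
    "CN=Lab\, PC04,OU=Computers,OU=TEST1,DC=example,DC=com")
    WScript.Echo strDN & " -> [" & SiteForComputer(strDN, dicSites) & "]"
Next
```

In a startup script the DN passed to SiteForComputer would come from ADSystemInfo's ComputerName property, as in post #7.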
#8 (permalink)

Re: Changing the local admin password base on the computer's OU

Hello,

Thanks for all the comments, I think my first mistake was to modify an existing script created by my predecessor instead of creating one from scratch. I had my head so deep into it that I didn't see all the blatant errors in it.

I just tried the script provided above, and it seems to work like a charm, and you were right to assume that I need a specific password for each OU, since they represent different physical sites.

I'd be interested in your suggestions regarding changing the passwords in bulk, even if the current method plainly meets our needs here.

Thanks again!
#9 (permalink)

Re: Changing the local admin password base on the computer's OU

it more efficient I've modified code I already had for this situation. The example below requires a text file with the Distinguished Names (DN's) of the computers. The program creates another text file with the DN's of the computers that were not available. You can rename the output file to make it the input file when you run the program again. You can rerun the program repeatedly until the output file is empty.

You can use ADO to create the original input file. See this link for details on using ADO to retrieve information from AD:

http://www.rlmueller.net/ADOSearchTips.htm

This link is to a program that uses ADO to retrieve the DN's of all users in the domain and output to a specified text file:

http://www.rlmueller.net/Create%20User%20List%202.htm

You can modify this program to retrieve the DN's of all computers by changing the ADO filter statements from:

```vbscript
' Filter on all users.
strFilter = "(&(objectCategory=person)(objectClass=user))"
```

To

```vbscript
' Filter on all computers.
strFilter = "(objectCategory=computer)"
```

You could run this program to create a text file of all computer DN's. The program I show below skips any computers not in one of your specified OU's. Or, you can modify the program to only retrieve the DN's for computers in a specified OU. For that you modify the base of the ADO search from the DNS name of the domain to the DN of the OU. Instead of the following:

```vbscript
' Determine the DNS domain from the RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
```

use something similar to:

```vbscript
strDNSDomain = "ou=Test1,ou=Computers,ou=Modeling,dc=MyDomain,dc=com"
```

Finally, once you have text file of computer DN's, the program I suggest (not tested) follows:

```vbscript
' Program to reset computer local Administrator passwords in bulk.
' Input file has one computer DN per line.
' Output file has DN's of computers that did not have password reset.
' After running this program, delete the input file and rename the
' output file as the new input file. Then you can later run the program
' again. Repeat until output file is empty.

Option Explicit

Dim strInputFile, objFSO, objInput, strOutputFile, objOutput
Dim strComputerDN, objComputer, objParent, strNTName
Dim objLocalAdmin, strParentDN, strPassword

Const ForReading = 1
Const ForWriting = 2
Const OpenAsASCII = 0
Const CreateIfNotExist = True

' Specify input file of computer DN's.
strInputFile = "c:\scripts\Computers1.txt"

' Specify the output file.
strOutputFile = "c:\scripts\Computers2.txt"

' Open the input file for reading.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(strInputFile, ForReading)

' Open the output file for writing.
Set objOutput = objFSO.OpenTextFile(strOutputFile, _
    ForWriting, CreateIfNotExist, OpenAsASCII)

' Read each line of the input file.
Do Until objInput.AtEndOfStream
    strComputerDN = Trim(objInput.ReadLine)
    ' Skip blank lines.
    If (strComputerDN <> "") Then
        ' Bind to the computer object.
        Set objComputer = GetObject("LDAP://" & strComputerDN)
        ' Retrieve the NetBIOS name of the computer.
        strNTName = objComputer.sAMAccountName
        ' Remove trailing "$" character.
        strNTName = Left(strNTName, Len(strNTName) - 1)
        ' Bind to the parent OU/Container object.
        Set objParent = GetObject(objComputer.Parent)
        ' Retrieve DN of parent OU/Container.
        strParentDN = objParent.distinguishedName
        ' Bind to the local Administrator user.
        ' Trap the error if the computer is not available.
        On Error Resume Next
        Set objLocalAdmin = GetObject("WinNT://" & strNTName & "/Administrator,user")
        If (Err.Number = 0) Then
            ' Bind succeeded: restore normal error handling.
            On Error GoTo 0
            ' Determine password, based on DN of parent OU/Container.
            ' Compare in lower case: Select Case is case-sensitive, DNs are not.
            Select Case LCase(strParentDN)
                Case "ou=test1,ou=computers,ou=modeling,dc=mydomain,dc=com"
                    strPassword = "xzy$321#q"
                Case "ou=test2,ou=computers,ou=3d,dc=mydomain,dc=com"
                    strPassword = "acb!987?q"
                Case Else
                    ' Skip this computer.
                    strPassword = ""
            End Select
            ' Skip computers in other OU's.
            If (strPassword <> "") Then
                ' Set password. Trap error if unable to.
                On Error Resume Next
                objLocalAdmin.SetPassword strPassword
                If (Err.Number <> 0) Then
                    ' Unable to set password.
                    ' Alert user in case password is invalid
                    ' or user lacks permissions.
                    Wscript.Echo "Unable to set password for " _
                        & strComputerDN
                    Wscript.Echo "Error Description: " & Err.Description
                    On Error GoTo 0
                    ' Write DN to output text file.
                    objOutput.WriteLine strComputerDN
                End If
                On Error GoTo 0
            End If
        Else
            On Error GoTo 0
            ' Computer not available (or DN wrong).
            ' Write DN to output text file.
            objOutput.WriteLine strComputerDN
        End If
    End If
Loop

' Clean up.
objInput.Close
objOutput.Close
```

This method takes more work to get the code right, but the advantages are:

1. You only reset each password once.
2. You know which passwords have been changed and which have not.
3. You can run it whenever you want (when the computers are most likely to be available).
4. You know when the process is complete for all computers.
5. If anything unexpected goes wrong, you know about it. In a Startup script you don't.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--