Change local user account password - Windows
Versioning - This is the latest version.
1 | Change local user account password - Windows | 12/5/2013 11:20:44 AM |
2 | Change local user account password - Windows | 12/6/2013 4:14:46 AM |
3 | Change local user account password - Windows | 12/6/2013 4:16:50 AM |
Description
Important Notes
- You must enter a password in order to take an action.
- Because of the way secure parameters work, you cannot use this task in a baseline, target an action dynamically by property (e.g., automatic groups), or add additional actions.
Property Details
3670 | |
Production - Fully Tested and Ready for Production | |
Change local user account password - Windows | |
BESC | |
Accounts | |
0 | |
Internal | |
jbt8@psu.edu | |
5/3/2013 12:00:00 AM | |
user, net.exe, secure parameter, password | |
jbtyndall on 12/6/2013 4:16:50 AM | |
jbtyndall on 12/6/2013 4:16:50 AM | |
35277 Views / 1334 Downloads | |
Relevance
Actions
Action 1 (default)
Action Link
Change specified local user account password.
Script Type
BigFix Action Script
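// Prompt the operator for the target account name when the action is taken.
action parameter query "username" with description "Please specify the name of an existing local user account"
// Set the new password; "secret" is the secure parameter entered when the action is taken.
waithidden "C:\Windows\System32\net.exe" user {parameter "username" of action} {parameter "secret" of action}
// Stop here (failing the action) unless net.exe returned 0.
continue if {exit code of action = 0}
Success Criteria
This action will be considered successful when all lines of the action script have completed successfully.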
Comments
|
|
I made a couple tweaks to this fixlet.
1. I edited the .BES file I downloaded and changed it to a TASK from Fixlet, as it's not actually fixing anything based on relevance.
2. I restricted it from running on domain controllers "(not exists service "NTDS")"
3. I added actionscript logic to fail the action if the local account does not exist.
action parameter query "username" with description "Please specify the name of an existing local user account"
if {exists ((name of it as string as lowercase) of users) whose (it as string as lowercase contains parameter "username" of action)}
waithidden "C:\Windows\System32\net.exe" user {parameter "username" of action} {parameter "secret" of action}
continue if {exit code of action = 0}
else
exit 1
endif
|
|
Recently used. Works very well. Thanks |
|
|
please post this query on forum.bigfix.com and tag @jgstew |
|
|
yes, that is possible. |
|
|
Would it be possible to script a fixlet that runs a PowerShell command to create a local admin user without a password?
waithidden "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" "New-LocalUser -Name MyNewLocalUserName -NoPassword"
Then I can use MS LAPS via a GPO to generate the passwords and have them stored in AD.
|
|
please post to the BigFix Forums at forum.bigfix.com for help. Put @jgstew in the post, and I'll see it. |
|
|
Hello all, I am new to BigFix. I'd like to ask how I can add an input box in the description like the one in this fixlet. Thanks in advance.
|
|
Robert Mullen, I suggest that you visit Https://Forum.bigfix.com and repost your query there. A very active group of contributors should be able to help you in no time. |
|
|
Hey, I'm having issues using this fixlet. I get the below error in the logs - any idea how I can fix it? I have created a separate fixlet that uses the same command all in plain text and that works - the issue might be with the 'secret' part?
Relevant - Change local user account password - Windows (fixlet:4521)
At 11:59:07 +1000 -
   ActionLogMessage: (action:4521) Action signature verified for Execution
   ActionLogMessage: (action:4521) starting action
At 11:59:07 +1000 - actionsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/actionsite)
   Command started - waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
At 11:59:08 +1000 - actionsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded (Exit Code=1) waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
   Command succeeded (evaluated false) continue if {exit code of action = 0} (action:4521)
At 11:59:08 +1000 -
   ActionLogMessage: (action:4521) ending action
At 11:59:08 +1000 - mailboxsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/mailboxsite2688867)
   Not Relevant - Change local user account password - Windows (fixlet:4521)
At 12:00:41 +1000 -
|
|
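In the log excerpt in the comment above, "Command succeeded (Exit Code=1)" only means the client launched the command; net.exe itself returned a failure code, which is why the following `continue if` evaluated false. The script below is an added example (not part of the fixlet or of any comment) that pulls those two signals out of client log text for triage. The sample log is constructed, its server name is a placeholder, and the line layout is assumed from the excerpt above.

```python
import re

# Constructed sample in the layout of the excerpt above; the server name is a
# placeholder and the password argument is shown as <redacted>.
SAMPLE_LOG = r'''At 11:59:07 +1000 - actionsite (http://bigfix.example.invalid:52311/cgi-bin/bfgather.exe/actionsite)
   Command started - waithidden "C:\Windows\System32\net.exe" user admin <redacted> (action:4521)
At 11:59:08 +1000 - actionsite (http://bigfix.example.invalid:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded (Exit Code=1) waithidden "C:\Windows\System32\net.exe" user admin <redacted> (action:4521)
   Command succeeded (evaluated false) continue if {exit code of action = 0} (action:4521)
At 12:03:10 +1000 - actionsite (http://bigfix.example.invalid:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded (Exit Code=0) waithidden "C:\Windows\System32\net.exe" user svc_local <redacted> (action:4530)
   Command succeeded (evaluated true) continue if {exit code of action = 0} (action:4530)
'''

TIMESTAMP = re.compile(r"^At (\d\d:\d\d:\d\d [+-]\d{4}) - ")
EXIT_CODE = re.compile(r"Command succeeded \(Exit Code=(-?\d+)\) (.*) \(action:(\d+)\)\s*$")
CHECK_FAILED = re.compile(r"Command succeeded \(evaluated false\) (.*) \(action:(\d+)\)\s*$")

def program_of(command):
    """Keep only the launched program; arguments may hold a plain-text password."""
    m = re.match(r'\s*\w+\s+("[^"]+"|\S+)', command)
    return m.group(1).strip('"') if m else "<unparsed>"

def triage(log_text):
    """Return one finding per non-zero exit code or failed 'continue if' check."""
    findings, when = [], None
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        if ts:
            when = ts.group(1)  # indented entries inherit the last "At" timestamp
        hit = EXIT_CODE.search(line)
        if hit and int(hit.group(1)) != 0:
            findings.append({"time": when, "action": hit.group(3),
                             "kind": "nonzero exit",
                             "detail": f"{program_of(hit.group(2))} exit code {hit.group(1)}"})
        hit = CHECK_FAILED.search(line)
        if hit:
            findings.append({"time": when, "action": hit.group(2),
                             "kind": "check failed", "detail": hit.group(1)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], "action", f["action"], f["kind"], "-", f["detail"])
```

The report keeps the program path and exit code but drops the command's arguments, so a password written in plain text in some other action script is not copied into triage output.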
Uploaded variation that includes a second dialog box to type the password twice. The two password fields are then compared and must be the same before the action will be created. http://bigfix.me/fixlet/details/6076
|
|
Suggest: add a second input box (secret2) and add in a check for theSecret==theSecret2 to ensure the 2 password input boxes match.
|
|
No, secret parameters can only be sent to specific machines because the secret is encrypted end to end. Basically the console has to know which computers to send the secret to and encrypts the secret with every client's public key individually at that moment, then sends out the actions to those clients' mailbox sites. This means the secret is not available anywhere at any time except that each client can decrypt it and use it.
|
|
Is there any way to use a secret parameter while targeting an action dynamically by property?
|
|
This is, actually, really useful for passing other password related commands. I actually used this type of configuration to create a fixlet to deploy a change to the default password for Splunk Forwarders. Great stuff! |
|
|
This is great since the user management in the labs section of the console doesn't actually work. With Microsoft removing passwords from GPOs, we needed a way to set local accounts on machines. Thanks! |