Change local user account password - Windows

10 Votes

Versioning - This is the latest version.

1 | Change local user account password - Windows | 12/5/2013 11:20:44 AM
2 | Change local user account password - Windows | 12/6/2013 4:14:46 AM
3 | Change local user account password - Windows | 12/6/2013 4:16:50 AM

Description

Important Notes

  • You must enter a password in order to take an action
  • Because of the way secure parameters work, you cannot use this task in a baseline, target an action dynamically by property (e.g., automatic groups), or add additional actions.

Property Details

ID: 3670
Status: Production - Fully Tested and Ready for Production
Title: Change local user account password - Windows
Domain: BESC
Category: Accounts
Download Size: 0
Source: Internal
Source ID: jbt8@psu.edu
Source Release Date: 5/3/2013 12:00:00 AM
Keywords: user, net.exe, secure parameter, password
Added by on 12/6/2013 4:16:50 AM
Last Modified by on 12/6/2013 4:16:50 AM
Counters: 35277 Views / 1334 Downloads
User Rating: average over 6 ratings

Relevance

isWindows (Relevance 1172)
Used in 1152 fixlets and 538 analyses   * Results in a true/false
windows of operating system
Used in 77 fixlets and 6 analyses   * Results in a true/false
version of client >= "9.0"

Actions

Action 1 (default)

Action Link: Change specified local user account password.
Script Type: BigFix Action Script

action parameter query "username" with description "Please specify the name of an existing local user account"

waithidden "C:\Windows\System32\net.exe" user {parameter "username" of action} {parameter "secret" of action}

continue if {exit code of action = 0}

Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.



Comments

DerrickD -
I made a couple tweaks to this fixlet.
1. I edited the .BES file I downloaded and changed it to a TASK from Fixlet, as it's not actually fixing anything based on relevance.
2. I restricted it from running on domain controllers "(not exists service "NTDS")"
3. I added actionscript logic to fail the action if the local account does not exist.

action parameter query "username" with description "Please specify the name of an existing local user account"
if {exists ((name of it as string as lowercase) of users) whose (it as string as lowercase contains parameter "username" of action)}
waithidden "C:\Windows\System32\net.exe" user {parameter "username" of action} {parameter "secret" of action}
continue if {exit code of action = 0}
else
exit 1
endif

Shahzad.Habeeb -
Recently used. Works very well. Thanks
jgstew -
please post this query on forum.bigfix.com and tag @jgstew
jgstew -
yes, that is possible.
yandiel4ever -
Would it be possible to script a fixlet that runs a powershell command to create local admin user without password? waithidden "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" "New-LocalUser -Name MyNewLocalUserName -NoPassword"? Then I can use MS LAPS via a GPO to generate the passwords and have them stored in AD
jgstew -
please post to the BigFix Forums at forum.bigfix.com for help. Put @jgstew in the post, and I'll see it.
gabrich -
Hello all, I am new to BigFix. I'd like to ask how I can add an input box in the description like the one in this fixlet. Thanks in advance.
Tim.Rice -
Robert Mullen, I suggest that you visit Https://Forum.bigfix.com and repost your query there. A very active group of contributors should be able to help you in no time.
robertmullen -
hey, I'm having issues using this fixlet. I get the below error in the logs - any idea how I can fix? I have created a separate fixlet that uses the same command all in plain text and that works - issue might be with the 'secret' part?

Relevant - Change local user account password - Windows (fixlet:4521)
At 11:59:07 +1000 -
ActionLogMessage: (action:4521) Action signature verified for Execution
ActionLogMessage: (action:4521) starting action
At 11:59:07 +1000 - actionsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/actionsite)
Command started - waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
At 11:59:08 +1000 - actionsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=1) waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
Command succeeded (evaluated false) continue if {exit code of action = 0} (action:4521)
At 11:59:08 +1000 -
ActionLogMessage: (action:4521) ending action
At 11:59:08 +1000 - mailboxsite (http://VALIEMSUA.na.valmont.com:52311/cgi-bin/bfgather.exe/mailboxsite2688867)
Not Relevant - Change local user account password - Windows (fixlet:4521)
At 12:00:41 +1000 -

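
Added example (not part of the original page, and not BigFix code): a Python triage pass over the client log entries quoted in the comment above, showing that a line reading "Command succeeded" can still carry a non-zero exit code and that the following `continue if` is what stops the action. The one-entry-per-line layout of the sample and the function name `triage` are assumptions.

```python
import re

# Sample input: the log entries quoted in the comment above, laid out one
# entry per line (the layout is an assumption; the site lines are omitted).
SAMPLE_LOG = r'''
At 11:59:07 +1000 -
   ActionLogMessage: (action:4521) starting action
   Command started - waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
At 11:59:08 +1000 -
   Command succeeded (Exit Code=1) waithidden "C:\Windows\System32\net.exe" user admin (parameter "secret" of action) (action:4521)
   Command succeeded (evaluated false) continue if {exit code of action = 0} (action:4521)
At 11:59:08 +1000 -
   ActionLogMessage: (action:4521) ending action
'''

STAMP = re.compile(r'^At (\d\d:\d\d:\d\d [+-]\d{4}) -')
EXITED = re.compile(r'Command succeeded \(Exit Code=(-?\d+)\) (.*) \(action:(\d+)\)\s*$')
STOPPED = re.compile(r'Command succeeded \(evaluated false\) (continue if .*) \(action:(\d+)\)\s*$')


def triage(log_text):
    """Return findings for commands that exited non-zero and for
    'continue if' lines that evaluated false (which end the action)."""
    findings, stamp = [], None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:
            stamp = m.group(1)  # remember the timestamp for the entries that follow
            continue
        m = EXITED.search(line)
        if m and int(m.group(1)) != 0:
            # "Command succeeded" only means the process ran; the exit code
            # is what tells you whether net.exe accepted the change.
            findings.append({"time": stamp, "action": int(m.group(3)),
                             "kind": "nonzero_exit", "exit_code": int(m.group(1)),
                             "command": m.group(2)})
            continue
        m = STOPPED.search(line)
        if m:
            findings.append({"time": stamp, "action": int(m.group(2)),
                             "kind": "continue_if_false", "command": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["action"], f["kind"], f["command"])
```
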
brolly33 -
Uploaded variation that includes a second dialog box to type password twice. The two password fields are then compared and must be the same before action will be created. http://bigfix.me/fixlet/details/6076
brolly33 -
Suggest: add a second input box (secret2) and add in a check for theSecret==theSecret2 to ensure the 2 password input boxes match.
jgstew -
No, secret parameters can only be sent to specific machines because the secret is encrypted end to end. Basically the console has to know which computers to send the secret to and encrypts the secret with every client's public key individually at that moment, then sends out the actions to those clients' mailbox sites. This means the secret is not available anywhere at any time except that each client can decrypt it and use it.
roman.sobota -
Is there any way to use a secret parameter when targeting an action dynamically by property?
jimwald -
This is, actually, really useful for passing other password related commands. I actually used this type of configuration to create a fixlet to deploy a change to the default password for Splunk Forwarders. Great stuff!
tewebbjr -
This is great since the user management in the labs section of the console doesn't actually work. With Microsoft removing passwords from GPOs, we needed a way to set local accounts on machines. Thanks!