Print - Using Cusrmgr to Change Local Administrator Passwords

I need to change the local Administrator password on 50 computers within my domain. Can I automate this process?

Virtually all comprehensive enterprise network-administration tools can accomplish this task. If you want a small tool that performs only this function, consider a program such as Foghorn Security's Local Account Password Manager (LAPM). For details, visit http://www.foghornsecurity.com/lapm.

For a do-it-yourself solution, you can use the Microsoft Windows 2000 Server Resource Kit's Cusrmgr utility to remotely change the properties—including the password—of a Win2K or Windows NT 4.0 domain user account. To process account changes on multiple servers or workstations, you can use cusrmgr.exe from within a batch (i.e., .cmd or .bat) file. For example, to change the local Administrator password to mypass on the computers ws1 and ws2, you can run a batch file that includes the following commands:

cusrmgr.exe -u administrator -m \\WS1 -P mypass
cusrmgr.exe -u administrator -m \\WS2 -P mypass

This example assumes that the Administrator account is still set to the default of Administrator and that you have administrative privileges on both systems. Also, the -P switch is case sensitive (the lowercase -p switch sets the account password to a random string).

You can use a slightly modified version of this batch file to rename the Administrator account and change its password simultaneously. For example, to rename the account to BigKahuna and change the password to mypass, run a batch file including the following commands:

cusrmgr.exe -u Administrator -m \\WS1 -r BigKahuna -P mypass
cusrmgr.exe -u Administrator -m \\WS2 -r BigKahuna -P mypass

To accomplish your task, generate a list of the domain computers on which you want to change the local Administrator password, then save the results into a file. (You can use a utility such as Netdom—netdom.exe, available with the Win2K Support Tools or in the Microsoft Windows NT Server 4.0 Resource Kit—and a tiny bit of scripting to carry out this step. See http://www.jsiinc.com/subg/tip3400/rh3459.htm for an example of a batch file that uses Netdom to perform a similar task, or see Darren Mar-Elia, "10 Resource Kit Remote Administration Tools," April 2001, InstantDoc ID 20046, for more information about the tool.) Then, create a batch file that uses cusrmgr.exe to change the local Administrator account password for each computer in the list.

I have created the batch file and it does run, however the local admin password does not change. What am I doing wrong? Help is needed. Thank you.

Sean Daily's Tricks & Traps: "Daily Answers" (April 2002, InstantDoc ID 24210) describes a way to use the Microsoft Windows 2000 Server Resource Kit's Cusmgr utility to change local Administrator passwords in bulk. Here's what I suggest: Create a batch file similar to the one the author describes in the article, but run the batch file as a domain group policy under the computer configuration startup scripts. This solution doesn't require a list of machine names.

Hi, I have try cusrmgr to change local administrator password in my server but no success if I use one or two @ in password. Help is needed. Thank you.

I have a question, is there a way of getting the results of this to pip to a text file so you know which machines it may have run on and which ones it didn't? It's too much to think that it would succeed on all machines, first time and it would be good to have the results of exactly what failed.

This was MOST EXCELLENT! Thanks for giving me the info I needed so I DIDNT have to change PWs on about 400 machines. Thanks!

I found a nice utility that automates this process, "Batch User Manager" from a company called ZenSoft: http://www.zensoft.com/utilities_system_bum.html It's a simple point-and-click solution. It creates a log file of all the changes, too, for auditing purposes.

this doesnot work in my pc it gives the error named "'cusrmgr.exe' is not recognized as an internal or external command, operable program or batch file."

What everyone, including the author, failed to mention is a very important prerequisite: File and Printer Sharing must be installed and enabled on the computers where you want to change the passwords. I install File and Printer Sharing on every PC in my domain, BUT only enable it on those that actually have something to share. So this command (cusrmgr) doesn't really help so much. Unfortunately, many tools and utilities require this, and many articles here and at the MSKB and elsewhere just assume that if you have a domain then you must have F&PS enabled. That's just not the case. (I mean, why should I have all those ADMIN$ and C$ shares out there for people to hack at?) The frustrating thing is that they don't even bother to mention that you have to have F&PS enabled. I know this comment is coming 3 years after the original article. I'm just so frustrated with finding new tools that can do great things, but then don't work. Then I have to spend my time researching and experimenting only to learn that either F&PS has to be enabled, or services x, y, and z have to be running. It would just really be nice if everyone in IT (including Microsoft) would clearly state a tool's prerequisites up front without making any assumptions. Sorry for venting.. I feel better now.

I heartily second Micheals comments above. Along the same lines, I can't tell you how many times I've nearly blown a fuse after learning that a software package or utility requires NetBIOS to function properly. SIX FREAKIN' YEARS after it was supposedly made unnecessary with the release of Windows 2000. I believe the active directory migration tool falls into this category.