Changing local Administrator account passwords on numerous servers and desktop PCs can be time-consuming. You can change passwords on a few servers manually, but if you're dealing with a lot of machines and long, complex passwords, changing passwords manually is burdensome. Furthermore, the possibility of someone incorrectly entering a password or putting a password on the wrong node is an ever-present risk. For security reasons, the somewhat-common practice of using the same password on several servers isn't ideal. To avoid these problems, you can buy third-party utilities to handle the task, or you can write a simple script that can do the job for free. For example, I wrote the script BulkChangePw.pl, which Listing 1, page 4, shows.
Using a Script to Create Passwords
Creating a lot of unique passwords can be challenging; people tend to think in terms of words or phrases, which often results in passwords that intruders can easily crack. (For some best practices to help you protect your Administrator accounts, see the Web sidebar "Best Practices for Secure Administrator Accounts," http://www.winscriptingsolutions.com, InstantDoc ID 25721.) The Roth Consulting Web site contains some excellent scripts. I used George Shaffer's Password.pl script (http://www.roth.net/perl/scripts/scripts.asp?password.pl) to generate strong, unique passwords. Password.pl includes configuration options that let you specify the number and length of passwords you need to generate. Because BulkChangePw.pl uses a Comma Separated Value (CSV) input file, be sure that you configure Password.pl to remove the comma (,) from the list of characters the script can use to create passwords. To fine-tune Password.pl's output to meet your requirements, install Perl, then download the script and run it from the command prompt. I used the command shell's quick-edit feature to copy a list of passwords into a Microsoft Excel spreadsheet.
Armed with an unlimited pool of unique passwords, you're ready to start building a CSV file to use as input for BulkChangePw.pl. For a change-password run, your CSV file should include a list of machine names in the first column, the renamed Administrator account names in the second column, the current machine passwords in the third column, and the new passwords that Password.pl generated in the fourth column. Each time you need to perform a new password-change run, move the new passwords from the previous run into the current-passwords column and insert another column of new passwords.
Retain a list of old passwords from the last several changes just in case a server is left off the network or otherwise neglected on earlier password-change runs. After you compile the list, save the file as a CSV file. Your file contents should look similar to the sample file contents that Figure 1 shows.
BulkChangePw.pl will parse the lines of the CSV file, use the file's information to change the passwords, and log the results. If you aren't familiar with Perl, BulkChangePw.pl can introduce you to Perl's powerful systems administration operations. The core code that changes the passwords uses the Win32::NetAdmin Perl module. (A Perl module is simply a utility that performs a specific function, similar to the way a resource kit tool performs a certain function.)
Code that runs an operation on several machines typically has three sections. The first section finds the list of machines on which the task will be performed. This list might come from an input file or another command. As callout A in Listing 1 shows, BulkChangePw.pl uses an input file (i.e., the CSV file) to obtain the server, account, and password information. The second section performs the task on each specified machine. As callout B shows, BulkChangePw.pl attempts to change the password on each machine. The third section reports the operation's success. The results might appear on screen, in an output file, or both. Displaying the results on screen gives the script operator feedback on a script run that's in progress and can reduce the possibility of someone accidentally closing a command-shell window and canceling a script run that's in progress. Logging results in an output file is beneficial when you need to examine the results closely or keep a record of the results. As callout C shows, I had BulkChangePw.pl log the results in addition to displaying them on screen. Using the log, I can examine individual password-change failures to determine whether the machine name was incorrect, the node was turned off, the account name was incorrect, or the old password was incorrect.
Making the Script Work
I wrote BulkChangePw.pl for changing passwords on Windows 2000 and Windows NT 4.0 servers and workstations. To get the script to work in your environment, follow these steps:
- Install Perl and the Win32::NetAdmin Perl module on the administrative PC or server on which you plan to run BulkChangePw.pl. You can obtain Perl from the ActiveState Web site (http://aspn.activestate.com//ASPN/Reference/Products/ActivePerl/faq/ActivePerl-faq2.html). Use the Perl Package Manager (PPM) to install the Win32::NetAdmin module. (The ActiveState Web site includes an explanation of how to use PPM.)
- Download BulkChangePw.pl from the Code Library on the Windows Scripting Solutions Web site (http://www.winscriptingsolutions.com).
- Create the CSV input file.
- Configure the location of the input and output files at the top of the script.
- Run the script in a small test environment on a few machines, then use the new passwords to log on to the machines locally to confirm that the script worked correctly.
In a production-server environment, administrators should test the local administration logon for each server after a password change. This task takes only a minute, but it can prevent major problems if the server's network connectivity breaks and you must log on locally. Determine whether this extra step is advisable in your environment.