Quick Thoughts

Securely change local administrator password via SCCM

If you follow security best practices, you surely update your local administrator password from time to time.

There are no free, easy solutions to achieve this, but I will demonstrate here how to update the local administrator password using SCCM and PowerShell in a way that's more secure than updating it via GPP or via SCCM with plain-text scripts.

The following is the script we are going to use to encrypt the script that updates the local administrator password and contains the new password. I'm going to name it Encrypt.ps1.

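# Encrypt.ps1: encrypts a script file with a fixed key
param($decrypted,$encrypted)

# 24-byte key; the same values must be passed to Decrypt.ps1
$key = (1,0,5,9,56,34,254,211,4,4,2,23,42,54,33,200,1,34,2,7,6,9,35,37)
# Read the whole script as a single string
$script = Get-Content $decrypted | Out-String
# Wrap the text in a SecureString, then export it encrypted with the key
$secure = ConvertTo-SecureString $script -AsPlainText -Force
$export = $secure | ConvertFrom-SecureString -Key $key
Set-Content $encrypted $export
"Script '$decrypted' has been encrypted as '$encrypted'"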

Note that the same key is used both to encrypt and to decrypt the script that will update the local administrator password.

The following is the script that does the password change, which we are going to encrypt with the script above. I'm going to name it ChangePass.ps1.

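# ChangePass.ps1: sets a new password on the local Administrator account
$computer = $env:COMPUTERNAME
$pass = "NewPassword"
$user = "Administrator"
# Bind to the local account through the WinNT ADSI provider
$newpass = [ADSI]"WinNT://$computer/$user,user"
$newpass.SetPassword($pass)
$newpass.SetInfo()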

Next is the script used to decrypt the script above and run it. I'm going to name it Decrypt.ps1.

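# Decrypt.ps1: decrypts Encrypted.bin with the supplied key and runs the result
param($key)
# The key arrives as one comma-separated string; convert it to a byte array
$key = [byte[]]($key.Split(","))
$raw = Get-Content .\Encrypted.bin
$secure = ConvertTo-SecureString $raw -Key $key
# Use a PSCredential object to read the SecureString back as plain text
$helper = New-Object System.Management.Automation.PSCredential("Temp",$secure)
$plain = $helper.GetNetworkCredential().Password
# Execute the decrypted ChangePass.ps1 content
Invoke-Expression $plain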

OK, so now we have the 3 scripts required. The next steps are instructions on how to put it all together.

First run the Encrypt.ps1 script to encrypt the ChangePass.ps1 script as below.

.\Encrypt.ps1 C:\ChangePass.ps1 C:\Encrypted.bin

OK, so now you have all the files required to create the SCCM package. The source files of the new package will be Decrypt.ps1 and Encrypted.bin.

The command line of the program is as follows. The last argument is the key, passed to Decrypt.ps1 as a comma-separated string:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File Decrypt.ps1 1,0,5,9,56,34,254,211,4,4,2,23,42,54,33,200,1,34,2,7,6,9,35,37

The last thing to do is to import these into SCCM and deploy them to the machines where you wish to change the admin password.
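
A pre-deployment check for the procedure above, as an added example that is not part of the original post: it generates a random 24-byte key, validates the comma-separated key argument in the form Decrypt.ps1 receives it, and confirms an encrypt/decrypt round trip without executing anything. The function names and the sample script text are assumptions made for illustration.

```powershell
# Added example, not from the original post; function names are hypothetical.
function New-PackageKey {
    # Random key instead of a hand-typed one; 24 bytes matches the post's key length.
    param([int]$Length = 24)
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ,$bytes
}

function ConvertTo-KeyBytes {
    # Parses the "1,0,5,..." form that Decrypt.ps1 receives as its argument.
    param([string]$KeyString)
    $parts = $KeyString.Split(',')
    if ($parts.Count -notin 16, 24, 32) {
        throw "Key must have 16, 24 or 32 values, got $($parts.Count)"
    }
    [byte[]]$bytes = foreach ($p in $parts) {
        $b = [byte]0
        if (-not [byte]::TryParse($p.Trim(), [ref]$b)) {
            throw "Invalid key value '$p' (expected 0-255)"
        }
        $b
    }
    return ,$bytes
}

function Test-RoundTrip {
    param([string]$ScriptText, [string]$KeyString)
    $key = ConvertTo-KeyBytes $KeyString
    # Same steps as Encrypt.ps1
    $secure = ConvertTo-SecureString $ScriptText -AsPlainText -Force
    $export = $secure | ConvertFrom-SecureString -Key $key
    # Same steps as Decrypt.ps1, but compare instead of Invoke-Expression
    $back = ConvertTo-SecureString $export -Key $key
    $helper = New-Object System.Management.Automation.PSCredential('Temp', $back)
    return ($helper.GetNetworkCredential().Password -ceq $ScriptText)
}

# Constructed sample input, not a real password-change script
$sample = "Write-Output 'placeholder script body'`r`n"
$keyString = (New-PackageKey) -join ','
"Key argument for the program command line: $keyString"
"Round trip OK: $(Test-RoundTrip $sample $keyString)"
```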