Giving Local Admin Rights when Local Admin Password has been Lost


By Chris Randles

Editor's Note: With ZENworks, there is often more than one way to accomplish an objective. In this case, another option would be to use the same technique to change the administrator's password, as shown in this Microsoft article.

This tip is for MS Windows Administrators in a ZENworks for Desktops environment.

This tip shows how to give full local administrator rights to a local workstation account when the local Administrator's password has been lost and you do not have access to an administrative-level domain account, a ZENworks Dynamic Local User policy (e.g. a domain workstation), or a third-party utility (such as ERD Commander).


  1. Create a ZENworks application object using ConsoleOne in the location of choice (in this case the object name chosen was 'Elevate'). Make sure your ConsoleOne has the correct version of the ZENworks for Desktops snap-ins for the version of ZENworks being used in your environment.

  • Enter the information shown in the screenshot on the 'Run Options – Application' tab.



  • On the 'Run Options – Environment' tab, set the Execution security level to 'Run as unsecure system user'.



  • All other settings can be left at default.

  • Associate the package to the Novell account you will be using from the problem workstation.

  • At the problem workstation, log in to Novell and, from the Novell Application Launcher, launch the application created. This will add the local Windows user account to the local Administrators group.

  • Typing 'net localgroup administrators' at a DOS prompt should now show the logged-in user as being a member of the Administrators group. (Note that the account will not have administrative access until a logout and login has been performed.)

  • Perform a logout on the workstation, then log in again using the same local Windows account used previously.

  • The Windows account will now have full rights to the workstation and this will allow the Administrator's account password to be changed.

  • If you do not want the currently logged-in Windows account to retain administrative access to the local workstation, you will need to remove that account from the Administrators group. If desired, you could create another ZENworks application which will remove the currently logged-in user from the Administrators group.
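
The 'net localgroup administrators' check and the final cleanup step can be scripted across workstations. The following is an added example, not part of the original tip: it parses English-language `net localgroup administrators` output, flags members that are not in an approved baseline, and builds the matching removal command. The sample output, the `APPROVED` set and the function names are constructed for illustration.

```python
import re

# Constructed sample of `net localgroup administrators` output (not from the page).
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
The command completed successfully.
"""

# Hypothetical baseline of accounts expected to be local administrators.
APPROVED = {"administrator", "corp\\domain admins"}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True          # member list starts after the dashed rule
        elif in_list and line.lower().startswith("the command completed"):
            break                   # English status line ends the list (assumption)
        elif in_list and line:
            members.append(line)
    return members


def unexpected_admins(output, approved=APPROVED):
    """Members missing from the baseline; Windows account names are case-insensitive."""
    return [m for m in parse_members(output) if m.lower() not in approved]


def cleanup_commands(output, approved=APPROVED):
    """Build a `net localgroup administrators ... /delete` command per unexpected member."""
    return ['net localgroup administrators "%s" /delete' % m
            for m in unexpected_admins(output, approved)]


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_OUTPUT):
        print(cmd)
```

Running the same comparison on a schedule also surfaces accounts that were elevated this way and never removed.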

Environmental Factors and Pre-Requisites

  • The target workstations must have a working Novell client and ZENworks Agent installed.

  • This solution should work on any Windows 2000 or Windows XP workstation.

  • This solution should work on any workstation where the Novell Client is v4.83 to 4.9x.

  • This solution should work in any ZENworks for Desktops environment from v3.x to v7.x where the installed ZENworks agent is a correct version match for the environment.


Comment List
  • 1) Remote Execute - runs as localsystem and gives permissions to either perform the commands above or a net user command to change the administrator's password

    2) Run the net user command in the same way as above - great for bulk password changing of your local administrator passwords if you think it has been leaked...
  • Another way is to make a User Policy w/ZENworks Dynamic Local User for a technician account with Administrator Rights and check Volatile. This will allow the technician to log in Locally with full rights, fix most anything locally (even modify local user rights) and log off w/o leaving behind the technician's account.