Use ZMAN Scripting to Change Local Admin Password on Multiple Workstations in a Zone

The script is quite simple (13 lines without the comments), but it does a lot of work in a little code. It can be used to automate changing a local administrator account on all workstations associated with the bundle to a random 10-character alphanumeric password. It is not meant to replace the built-in local administrator account; rather, it can be used to create a secondary account whose password can be handed out without concern that it will remain usable for long. The random.sh script can also be run at any time to update the password manually.

I have included the script content as well as the bundle xml files which can be imported and altered if necessary. First off here are all the files, what they do, and where they should be located.

randompw\bundles\password.xml - bundle export xml file - Should be copied to the server and then imported into ZENworks Configuration Management via ZMAN bc (example: ZMAN bc "password" password.xml /Bundles/Security). Note: it has to be created in /Bundles/Security; if you wish to create it in a different location, random.sh needs to be altered accordingly. This can be deleted after import.

randompw\bundles\showtempadmin.xml - bundle export xml file - Should be copied to the server and then imported into ZENworks Configuration Management via ZMAN bc (example: ZMAN bc "showtempadmin" showtempadmin.xml /Bundles/Security -a=showtempadmin_ActionContentInfo.xml). Note: it has to be created in /Bundles/Security; if you wish to create it in a different location, random.sh needs to be altered accordingly. This can be deleted after import.

randompw\bundles\showtempadmin_ActionContentInfo.xml - bundle content export file - This is used in conjunction with the showtempadmin bundle import described above, you do not need to worry about this. This can be deleted after showtempadmin import

randompw\bundles\pw.txt - bundle content export file - This is the password history file that will be downloaded to the admin workstations when showtempadmin is run, it is empty currently. This is used in conjunction with the showtempadmin bundle import described above, you do not need to worry about this. This can be deleted after showtempadmin import

randompw\random.sh - Shell script - This is the script (see below for script content) that performs all of the bundle changes needed to change the password, add the password history to the pw.txt file and change the version so the new version runs. It can be scheduled via CRON to run however often you deem necessary. This needs to be located in /bin/randompw

randompw\changepw.xml - bundle action export file - This is the original export of the password change action in the password bundle; random.sh copies it to changepw2.xml with the new password substituted. There is no need to change this file unless you want to change the location in ZCM or change the local admin you are altering. This needs to be located in /bin/randompw

randompw\changepw2.xml - bundle action export file- This is the new modified export of the password change action in the password bundle, which random.sh will upload into the password bundle. There is no need to change this file unless you want to change the location in ZCM or change the local admin you are altering. This needs to be located in /bin/randompw

randompw\pw.txt - password txt file - This is the password history file that will be uploaded into the content repo. This will grow over time, and will also download to the admin workstations when showtempadmin is run. Note: This will contain ALL the password history for this account, and should be kept in a secure location on the server and on the help desk workstations. It only contains local administrator passwords, but should be guarded. This is used in conjunction with the showtempadmin bundle import described above, you do not need to worry about this. This needs to be located in /bin/randompw

randompw\showtempadminaction.xml - bundle action export file - This is the original export of the showtempadmin action in the showtempadmin bundle; random.sh re-imports it together with the updated pw.txt, uploads the file to the content repo and increments the bundle version. There is no need to change this file unless you want to change the location in ZCM.

randompw\showtempadminaction_ActionContentInfo.xml - bundle action content export file - This is used in conjunction with the showtempadminaction bundle action import described above, you do not need to worry about this. This needs to be located in /bin/randompw

Steps to install the script:

1. Create a secondary local administrator user on all workstations (a simple bundle can be made to do this using the command net user tempadmin <password> /add followed by net localgroup administrators tempadmin /add)

2. Copy the content of the randompw.zip file to /bin/

3. Import the bundles in /bin/randompw/bundles

4. Delete /bin/randompw/bundles

5. Associate the password bundle with all workstations, set to force-run on refresh

6. Associate showtempadmin to help desk accounts

7. Schedule (e.g. via cron) or run /bin/randompw/random.sh

8. TEST TEST TEST!!!

random.sh script content

#!/bin/bash
#declare pw,pwver variable,username,password
#define user variables (the ZCM administrator account used for the zman calls)
username="ZCMADMINACCOUNT"
password="ZCMADMINPASSWORD"
#Work from the script directory so pw.txt and the relative -a= path below resolve when run from cron
cd /bin/randompw || exit 1
#Create 10 character alphanumeric password
pw="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)"
#Replace the password in the exported bundle action: the "net user tempadmin <old password>" command
#in changepw.xml is rewritten with the new password into changepw2.xml (assumes the command sits on one line)
sed "s/user tempadmin [^<[:space:]]*/user tempadmin $pw/" /bin/randompw/changepw.xml > /bin/randompw/changepw2.xml
#Remove bundle action containing old password
zman bra /bundles/security/password Launch 1 -U="$username" -P="$password" > /dev/null
#Add bundle action with new password to bundle
zman baa /bundles/security/password /bin/randompw/changepw2.xml -U="$username" -P="$password" > /dev/null
#Increment version of bundle and store new version number in variable for admin bundle
pwver="$(zman biv /bundles/security/password -U="$username" -P="$password" | cut -d "\"" -f6)"
#Also increment a separate "Restrict Local Admin" bundle (not among the files listed above; drop this line if you have none)
zman biv "/bundles/Security/Restrict Local Admin" -U="$username" -P="$password" > /dev/null
#Append new version number and password to pw.txt file
echo "$pwver - $pw" >> pw.txt
#Remove old file install action from showtempadmin bundle
zman bra /bundles/security/showtempadmin Launch 1 -U="$username" -P="$password" > /dev/null
#Add file install action and import new pw.txt file to content-repo
zman baa /bundles/security/showtempadmin /bin/randompw/showtempadminaction.xml -a=showtempadminaction_ActionContentInfo.xml -U="$username" -P="$password" > /dev/null
#Reorder actions in bundle so file install is at position 1 and wordpad launch is at 2
zman broa /bundles/security/showtempadmin Launch 2 1 -U="$username" -P="$password" > /dev/null
#Increment version so that new pw.txt is installed on next launch
zman biv /bundles/security/showtempadmin -U="$username" -P="$password" > /dev/null
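As an added example (not part of the original post or randompw.zip), here are the two steps of random.sh that can fail silently, rewriting the action XML and recording the history, with the checks they should carry so a template that no longer matches cannot re-upload the old password. It assumes the exported action keeps the "net user tempadmin <password>" command on one line, as the sed line in random.sh does; the file names and the action file in the demo are constructed placeholders.

```shell
#!/bin/bash
# Added example, not from the original post: the password-generation and
# action-rewrite steps of random.sh with the checks a rollout should have.
# Assumes the exported action keeps "net user tempadmin <password>" on one
# line (as the sed line in random.sh does); file names here are placeholders.
set -u
umask 077   # pw.txt holds cleartext passwords, so create it owner-only

# 10-character alphanumeric password from /dev/urandom, as in random.sh
gen_pw() {
    LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c "${1:-10}"
}

# Rewrite the exported action so the "net user tempadmin" command carries the
# new password. Returns 1 unless exactly one line now holds the new password,
# so a template that no longer matches cannot silently re-upload the old one.
render_action() {
    local template="$1" out="$2" newpw="$3" changed
    sed "s/user tempadmin [^<[:space:]]*/user tempadmin $newpw/" "$template" > "$out" || return 1
    changed=$(grep -c "user tempadmin $newpw" "$out" || true)
    [ "$changed" -eq 1 ] || { rm -f "$out"; return 1; }
    ! cmp -s "$template" "$out"   # the file must actually have changed
}

# Append "<version> - <password>", the line format random.sh uses in pw.txt
record_pw() {
    printf '%s - %s\n' "$2" "$3" >> "$1"
}

# Demonstration on a constructed action file (run: ./example.sh demo)
demo() {
    local dir pw
    dir=$(mktemp -d) || return 1
    printf '<Command>net user tempadmin OLDPW123 /active:yes</Command>\n' > "$dir/changepw.xml"
    pw=$(gen_pw 10)
    render_action "$dir/changepw.xml" "$dir/changepw2.xml" "$pw" || return 1
    record_pw "$dir/pw.txt" 42 "$pw"
    cat "$dir/changepw2.xml"; tail -n 1 "$dir/pw.txt"
    rm -rf "$dir"
}
case "${1:-}" in demo) demo ;; esac
```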



randompw.zip

Labels:

How To-Best Practice
Comment List
  • Something I might suggest depending on the scenario was recommended to me: create a script to set/change the local password and then compile it into an exe. Take precaution with the exe because they can potentially be decompiled/analyzed (minimize access and/or time deployed on the system).
