Server Local Admin Password Audit

Written on November 24, 2011

A situation arose where I had to check all our Windows servers to see if any were using a particular local administrator password. I wrote the following script to allow me to test a dynamically generated set of credentials. It uses WMI because that allows specifying a particular set of credentials and is relatively lightweight in comparison to other tests.

# Generate a secure string with the password stored in it. Alternatively you could prompt the user
$pass = ConvertTo-SecureString -AsPlainText -Force -String "Pa55w0rdToTest"
# What username should be tested?
$username = "Administrator"
# Find every computer in AD running an operating system with "Server" in its name.
foreach ($server in $(Get-ADComputer -Filter {OperatingSystem -like "*Server*"})) {
  # Make sure the server can be contacted
  if (Test-Connection $server.Name -Quiet) {
    # Build a local administrator credential
    $credential = New-Object System.Management.Automation.PSCredential("$($server.Name)\$username",$pass)
    # Try to connect to the computer with the credential
    try {
      $null = Get-WmiObject Win32_OperatingSystem -Credential $credential -ComputerName $server.Name
      Write-Host "$($server.Name) :: Success" -ForegroundColor Green -BackgroundColor Black
    } catch { Write-Host "$($server.Name) :: Fail" -ForegroundColor Red -BackgroundColor Black }
  }
}

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@[email protected]) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.