
change local Administrator Password remotely using PowerShell script

SSE@TUE 320 Reputation points
2026-03-09T10:10:02.7066667+00:00

Hi,

I have 100 client machines and want to change the local Administrator password on them remotely using a PowerShell script. I have a PS script that works fine locally, but not remotely.

What I want is the following:

  1. the script should be able to change the local admin password on 100 clients remotely
  2. the input and output should be in a shared folder ($inFile and $outFile)

Any idea how I can do that?

Thank you for your help

    Try {
        $newPassword = Get-RandomPassword -Length 12
        # WinNT ADSI provider: binds to the local SAM of $computer
        $account = [ADSI]("WinNT://$($computer)/Administrator")
        [void]$account.psbase.Invoke('setpassword', $newPassword)
        $result.Status = 'OK'
        $result.NewCredentials = $newPassword
    } Catch {
        $result.Status = 'ERROR'
        $result.Error = $_.Exception.Message
    }

Windows for business | Windows Server | User experience | PowerShell

Answer accepted by question author
  Tracy Le, 3,555 Reputation points, Independent Advisor
    2026-03-09T14:54:25.5766667+00:00

    Hi SSE@TUE,

    Thanks for sharing the updated script and the error message. That AccessDenied, PSSessionStateBroken error actually tells us exactly what is stopping the connection.

    When using Invoke-Command, Windows Remote Management (WinRM) strictly requires the connecting user to have administrative privileges on the target machines. To get past this, please double-check these two things:

    1. Authentication: Make sure you are launching your PowerShell console as an Administrator (right-click -> Run as Administrator). More importantly, the account you are logged in with must be a member of the Local Administrators group on those 100 client machines (typically, a Domain Admin account). If you need to use a specific, different admin account to connect to those clients, you will need to add the -Credential parameter to your Invoke-Command.
    2. Clean up the leftover code: Looking closely at your updated script, I noticed you left the old [void]$account.psbase.Invoke('setpassword', $newPassword) line right below the new Invoke-Command block. Since we are no longer querying the $account variable, that line will definitely throw an error and needs to be deleted.

    To make sure everything is perfectly aligned, your Try block should look exactly like this (with the old lines completely removed):

    Try {
        $newPassword = Get-RandomPassword -Length 12
        # -ErrorAction Stop on both calls: remoting and Set-LocalUser failures are
        # non-terminating by default and would otherwise never reach the Catch block
        Invoke-Command -ComputerName $computer -ScriptBlock {
            param($plainPassword)   # not $pwd, which shadows the automatic $PWD variable
            $securePwd = ConvertTo-SecureString $plainPassword -AsPlainText -Force
            Set-LocalUser -Name "Administrator" -Password $securePwd -ErrorAction Stop
        } -ArgumentList $newPassword -ErrorAction Stop
        $result.Status = 'OK'
        $result.NewCredentials = $newPassword
    } Catch {
        $result.Status = 'ERROR'
        $result.Error = $_.Exception.Message
    }
    

    Give that a try from an elevated PowerShell prompt with Domain Admin rights, and let me know how it goes!

    Tracy.

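Putting the accepted answer together into the whole script the question asks for (list of clients read from a shared folder, per-machine result written back to it) gives the following. This is an added example, not code from the thread or from either participant. It assumes WinRM is enabled on the clients, that the credential entered at the prompt is a member of each client's local Administrators group, and that the two UNC paths are placeholders for your own share. Two choices differ from the snippet in the answer: the built-in account is located by its well-known RID 500 rather than by the name "Administrator", so a renamed account is still found, and the password written to the share is DPAPI-protected rather than clear text.

```powershell
<#
Added example (not from the thread): rotate the built-in local Administrator
password on every client listed in $inFile over PowerShell Remoting and write a
per-machine status report to $outFile. Assumptions: WinRM is enabled on the
clients, $adminCred is a member of their local Administrators group, and the
UNC paths below are placeholders for your own shared folder.
#>
param(
    [string]$inFile  = '\\fileserver\ops\computers.txt',        # one host name per line
    [string]$outFile = '\\fileserver\ops\rotation-results.csv',
    [int]$Length     = 16
)

# Explicit credential rather than the console's logon token, so the script
# also works from a session that is not itself a domain admin.
$adminCred = Get-Credential -Message 'Account that is a local admin on the clients'

function Get-RandomPassword {
    param([int]$Length = 16)
    # CSPRNG-backed, with rejection sampling so the modulo does not bias characters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Runs on the client. Finds the built-in account by its well-known RID (500)
# so it still works where "Administrator" has been renamed, and returns the
# name of the account that was actually changed.
$setPassword = {
    param([string]$PlainPassword)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
    $secure = ConvertTo-SecureString $PlainPassword -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure -ErrorAction Stop
    $admin.Name
}

$computers = Get-Content -Path $inFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($computer in $computers) {
    $result = [ordered]@{
        Computer = $computer; Status = ''; Account = ''; Error = ''; ProtectedPassword = ''
    }
    try {
        $newPassword = Get-RandomPassword -Length $Length
        # -ErrorAction Stop turns connection and remote failures into
        # terminating errors so they reach the catch block.
        $result.Account = Invoke-Command -ComputerName $computer -Credential $adminCred `
            -ScriptBlock $setPassword -ArgumentList $newPassword -ErrorAction Stop
        $result.Status = 'OK'
        # Never write the clear-text password to the share. DPAPI-protect it:
        # only this user account on this machine can turn it back into a SecureString.
        $result.ProtectedPassword = ConvertTo-SecureString $newPassword -AsPlainText -Force |
            ConvertFrom-SecureString
    } catch {
        $result.Status = 'ERROR'
        $result.Error  = $_.Exception.Message
    }
    [pscustomobject]$result
}

$results | Export-Csv -Path $outFile -NoTypeInformation
$results | Format-Table Computer, Status, Account, Error -AutoSize
```

Run it from an elevated prompt on a management host that can reach the clients over TCP 5985/5986. To recover a stored password later, pipe the ProtectedPassword column through ConvertTo-SecureString on the same machine as the same user; anyone else only sees DPAPI ciphertext. If the share must be readable by several operators, that DPAPI binding is exactly the limitation Windows LAPS removes.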

1 additional answer

  Tracy Le, 3,555 Reputation points, Independent Advisor
    2026-03-09T10:49:40.7866667+00:00

    Hi SSE@TUE,

    Managing local administrator passwords across a fleet of 100 machines is a classic administrative challenge, and it's completely normal that your script works locally but fails when targeting remote computers.

    What you are experiencing is likely due to how the [ADSI] provider connects over the network. It relies on legacy RPC protocols which are usually blocked by the Windows Firewall on modern client machines by default. Additionally, Windows enforces remote UAC restrictions (LocalAccountTokenFilterPolicy) that often block network logons for local administrative accounts.

    If you want to stick with your current script structure, the most reliable, modern approach is to use PowerShell Remoting (Invoke-Command) combined with the built-in Set-LocalUser cmdlet. This wraps your command in a secure WinRM session. You would replace your [ADSI] lines inside the Try block with something like this:

    Invoke-Command -ComputerName $computer -ScriptBlock {
        param($plainPassword)   # not $pwd, which shadows the automatic $PWD variable
        $securePwd = ConvertTo-SecureString $plainPassword -AsPlainText -Force
        Set-LocalUser -Name "Administrator" -Password $securePwd -ErrorAction Stop
    } -ArgumentList $newPassword -ErrorAction Stop   # so failures reach the Catch block
    

    (Note: This requires WinRM to be enabled on your 100 client machines, which is standard practice in managed environments).

    As a quick piece of advice from a security perspective: storing 100 local administrator passwords in a clear-text .csv file on a shared drive is quite risky. Since you are operating in an environment with 100 clients, I highly recommend looking into Windows LAPS (Local Administrator Password Solution). It's a free, built-in Microsoft feature that automatically randomizes local admin passwords on a schedule and securely backs them up directly to Active Directory or Entra ID. It completely eliminates the need to maintain custom scripts and password files.

    I hope this response provided some helpful insight. If it clarified the issue for you, please consider marking it as Accept Answer so others with the same issue can find the solution.

    Tracy.
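The LAPS recommendation in this answer, carried through to a script that does the same 100-client rotation without a custom password generator and without a password file. This is an added example, not code from the thread. It assumes Windows LAPS is already deployed by policy to the clients with Active Directory backup, the LAPS PowerShell module is installed on the management host, the caller has been granted permission to read and expire LAPS passwords, WinRM is enabled on the clients, and the UNC path is a placeholder. The cmdlet names are those of the Windows LAPS module; the computer list and report layout are assumptions.

```powershell
<#
Added example (not from the thread): the same fleet rotation done through
Windows LAPS. Assumes Windows LAPS is deployed to the clients with AD backup,
the LAPS module is installed here, the caller may read and expire LAPS
passwords, and WinRM is enabled on the clients. The UNC path is a placeholder.
#>
Import-Module LAPS

$inFile = '\\fileserver\ops\computers.txt'   # one host name per line

function Get-LapsAdminCredential {
    # Builds a PSCredential for a client's LAPS-managed local admin account at
    # the moment of use. Get-LapsADPassword returns the password as a
    # SecureString unless -AsPlainText is requested, so nothing is exposed here.
    param([string]$ComputerName)
    $entry = Get-LapsADPassword -Identity $ComputerName -ErrorAction Stop
    New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList "$ComputerName\$($entry.Account)", $entry.Password
}

$computers = Get-Content -Path $inFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($computer in $computers) {
    try {
        # 1. Expire the password in AD; the client rotates it on its next policy cycle.
        Set-LapsADPasswordExpirationTime -Identity $computer -ErrorAction Stop

        # 2. Do not wait for that cycle: trigger LAPS processing on the client now.
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Invoke-LapsPolicyProcessing
        }

        # 3. Read the new entry back. Only metadata goes into the report; the
        #    password itself stays in AD.
        $entry = Get-LapsADPassword -Identity $computer -ErrorAction Stop
        [pscustomobject]@{
            Computer  = $computer
            Account   = $entry.Account
            UpdatedAt = $entry.PasswordUpdateTime
            ExpiresAt = $entry.ExpirationTimestamp
            Status    = 'OK'
        }
    } catch {
        [pscustomobject]@{
            Computer = $computer; Account = ''; UpdatedAt = $null; ExpiresAt = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# When a password is actually needed, fetch it at the moment of use rather
# than from a file on a share, e.g.:
# $cred = Get-LapsAdminCredential -ComputerName 'PC01'
# Invoke-Command -ComputerName 'PC01' -Credential $cred -ScriptBlock { hostname }
```

The difference from the scripted approach is where the secret lives: the client generates its own password and writes it to its computer object in AD, read access is controlled by the delegation on that object and audited there, and the shared folder only ever holds the status report.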

