In a comment to my earlier article, Scotty (a friend of mine from the mother country) asks:
Have you looked at passgen.exe from Jesper and Steve's book which would let you set a different password per machine (great for machines in different pools of risk) as well as making sure it was complex. Good tool.
Curiously enough, that's more or less the same question that Jesper asked me when he called while I was working through this problem.
Jesper's a good friend, and I'd hate to tell him that I loaned his book out to a colleague shortly after I bought it, and that I had completely forgot about the passgen utility. Fortunately, I didn't have to, because as it turns out, there are a few things passgen doesn't do that I need, and perhaps a few that it does that I don't need.
But we're starting to get into a long batch file, and generally those are not so easy to debug. It's time to head to script.
Because I'm scripting, rather than using the command line or a batch file, I can afford to add a couple of behaviours, too:
[That last point – learning how to do something you've never done before – is a powerful reason in itself to do something yourself even when there's a tool already available. Otherwise, use the tools that others provide, wherever possible.]
The attached script, svcpwchange.vbs, is what I have produced after a week's playing around. Let me know what you think.
As with the advisories in Jesper's Passgen tool, the stop and restart won't work properly for services that run in a shared process. The tool also won't restart services that are dependent on the service whose password you are changing – unless they use the same password. One other thing that passgen does that my script doesn't, is to actually change the password on the account itself – you'll need to do that before you run this script! [Exercise for the reader – add the code to set the password.]