Disable Administrator and Sets Random Password

MDT uses a common password for the Administrator account during deployment and it's stored in clear text in CustomSettings.ini. It is unlikely that disabling the account is sufficient, as the SAM file can be mounted via Windows Recovery or Bootable Kali image. Also, there's the possibility the password can be recovered by forensically analysing the deleted items. The obvious fix is to encrypt the System partition with Bitlocker. 

However, if your domain joined or having the admin account accessible is undesirable the following script will reset the password to something random and then disable it. The password isn't written to disk and can't be recovered at a later date.

Make this one of the last steps in MDT\ConfigMgr, once the account has been disabled it will cause issues running further configuration changes.


Disable Admin Account and Sets Random Password 




#Password length
$length = 20

#Minimum number of symbols to use in the password
#Do not set to high as this will remove complexity and make passwords easier to compromise 

$random = 5

#Creates random password
$assembly = Add-Type -AssemblyName system.web
$randPass = [System.Web.Security.Membership]::GeneratePassword($length,$random)

#Var for Administrator Account
$admin = "Administrator"

#Sets Administrator password
net user $admin $randPass /YES


#Disable Administrator account
net user $admin /active:yes