As a Windows tester, I install Windows on my own machines a lot (this is known internally as “selfhosting”, or “dogfooding”, or “ice cream-ing”.)
One of my little idiosyncracies is I like to run as a non-administrative user. That is, I don’t add my domain account to the local Administrators group.
Instead, I create a local “Admin” account with a known (to me) password; every time I need to elevate, I get a prompt that asks for credentials rather than just “Yes/No”. To this prompt I pass the credentials of the local “Admin” account.
Although I usually install fresh builds regularly (on my multiple machines), sometimes one machine gets a little stale. In fact, it happened once that my local .\Admin account got so stale that I had to change the password! This was annoying enough that I devoted some energy into figuring out how to check the “Password never expires” box on the local account properties programmatically.
The result was the following script: call as cscript.exe never-expire-admin-password.wsf This version hardcodes the username “Admin”; a production version would probably allow passing a username in via the command line.
If the Admin password already has the box checked, this script does nothing.
‘ LDAP doesn’t work for controlling local users
‘ (unless you’re a domain controller, of course)
‘ have to use WinNT provider instead
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
‘ hardcoding “Admin” username
Dim admin: Set admin = GetObject(“WinNT://localhost/Admin,user”)
WScript.Echo “Admin’s userFlags are 0x” & Hex(admin.userFlags)
If Not admin.userFlags And ADS_UF_DONT_EXPIRE_PASSWD Then
WScript.Echo “Setting local admin account to never expire password”
admin.userFlags = (admin.userFlags Or ADS_UF_DONT_EXPIRE_PASSWD)
EDIT: 2015-10-31 moved script to https://github.com/mvaneerde/blog/blob/master/scripts/never-expire-admin-password.vbs