Over the years, there have been several methods attempted for managing local Administrator accounts:
- Scripted password change – Don’t do this. The password is exposed in SYSVOL.
- Group Policy Preferences. The credentials are exposed in SYSVOL.
- Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Exceedium, etc).
- Microsoft Local Administrator Password Solution (LAPS).
Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. It’s important to ensure every computer changes its local Administrator password regularly, that the password is unique for every computer, that there’s a way to track when it gets changed, and that there’s a way to force a password change. I cover LAPS in an earlier post, including deployment, pros & cons, and other information.
Here’s a quick overview of LAPS:
- Initial install which includes schema extensions – adds ms-mcs-AdmPwd (clear-text password) & ms-mcs-AdmPwdExpirationTime (date/time when password expires which forces the LAPS client to reset the password) attributes to computer objects.
- Deploy the LAPS client to all computers to manage their local Administrator account password.
- Delegate all computers access to update the ms-mcs-AdmPwd & ms-mcs-AdmPwdExpirationTime LAPS attributes on their own computer account (SELF write access).
- Delegate the LAPS computer attributes so the appropriate users have access to view the LAPS password and/or force a reset of the LAPS password (clearing the value of ms-mcs-AdmPwdExpirationTime forces the LAPS client to change the local Administrator password).
- Configure a new Group Policy Object (GPO) to enable & configure LAPS management of the local Administrator account password.
Note that the LAPS GPO setting “Do not allow password expiration time longer than required by policy” is set to Enabled. This is important as you’ll see at the end of this post.
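As an added example (not from the original post or from the LAPS product), the following PowerShell audits ms-mcs-AdmPwdExpirationTime across computer objects and flags any expiration time set further out than the policy maximum, which is the condition that GPO setting is meant to prevent. The `Test-LapsExpiration` function name, the 30-day `MaxAgeDays` default and the sample computer objects are assumptions; the attribute is stored as an Int64 in Windows FILETIME format, which is why `FromFileTimeUtc` is used.

```powershell
# Added example: audit ms-Mcs-AdmPwdExpirationTime against the policy maximum password age.
# The attribute is an Int64 in FILETIME format (100-ns ticks since 1601-01-01 UTC).
# MaxAgeDays is an assumed value; set it to the LAPS GPO "Password age (days)" setting.
function Test-LapsExpiration {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,   # objects exposing Name and ms-Mcs-AdmPwdExpirationTime
        [int] $MaxAgeDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $limit = $Now.AddDays($MaxAgeDays)   # no expiration should be later than now + policy age
    foreach ($c in $Computers) {
        $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw -or [int64]$raw -eq 0) {
            # No value: LAPS client has never written the attribute, or it is not managed
            [pscustomobject]@{ Name = $c.Name; Expires = $null; Status = 'NoValue' }
            continue
        }
        $expires = [datetime]::FromFileTimeUtc([int64]$raw)
        $status = if ($expires -gt $limit) { 'BeyondPolicy' }   # longer than policy allows
                  elseif ($expires -lt $Now) { 'Overdue' }       # expired but not yet rotated
                  else { 'OK' }
        [pscustomobject]@{ Name = $c.Name; Expires = $expires; Status = $status }
    }
}

# Constructed sample data (not from a real domain): one compliant, one beyond policy, one unset.
$now = [datetime]::new(2016, 1, 1, 0, 0, 0, 'Utc')
$sample = @(
    [pscustomobject]@{ Name = 'WS01'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(10).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS02'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddYears(5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS03'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
Test-LapsExpiration -Computers $sample -MaxAgeDays 30 -Now $now | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module and read rights on the attribute):
# $all = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
# Test-LapsExpiration -Computers $all | Where-Object Status -ne 'OK'
```

With the sample data WS01 reports OK, WS02 reports BeyondPolicy and WS03 reports NoValue; with the GPO setting enabled, the LAPS client corrects a BeyondPolicy value on its next run, so any that persist are worth investigating.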