Managing Local Administrator Passwords


Overview

In this multi-part series I will walk you through how to manage the local administrator password on workstations and servers in an Active Directory enterprise environment using PowerShell. This is a problem IT admins face frequently, and when I was asked to solve it, a little research quickly revealed that there is no single good answer. There are many ways to change the local admin password, including:

  • Startup Script
  • Active Directory Preferences
  • Manually Run Script
  • 3rd party utility

The challenge with each method is typically three-fold:

1) The password must be securely stored

2) The password must be securely transmitted to or from the target computer

3) Users with a need to know (i.e. IT Admins) must be able to retrieve the local admin password in the event it is needed


Each approach to the problem has both benefits and challenges. Some do not address all three requirements, and others incur additional cost. The solution discussed in this series is only one of many possible solutions; it is built from a PowerShell startup script, Active Directory Group Policy, an Active Directory confidential attribute, a random password generation function, and a Kerberos-encrypted connection to the domain controller.

How It Works

The Active Directory schema is extended with a new confidential attribute in which the password is stored. Active Directory Group Policy assigns the PowerShell script to workstations and servers as a startup script, so it runs each time they reboot. The script generates a random password of configurable length, between 8 and 127 characters, containing at least two upper-case letters, two lower-case letters, two digits, and two special characters. The password is then written to the configured Active Directory attribute over a Kerberos-signed and -encrypted channel between the computer and the domain controller. If either the Active Directory attribute update or the local admin password change fails, neither the attribute nor the local account is changed.
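As an added illustration of the generation rules described above (example code written for this page, not the series' own script), the PowerShell below draws from a cryptographic RNG, guarantees at least two characters from each class, and includes a policy check to run before any attribute write or local account change is attempted. The function names, character sets and default length are my own choices.

```powershell
# Added example, not the series' own script: cryptographically random password
# meeting the stated policy (length 8-127, two or more of each character class).
function New-RandomPassword {
    param([ValidateRange(8, 127)][int]$Length = 16)
    $upper   = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lower   = [char[]]'abcdefghijklmnopqrstuvwxyz'
    $digit   = [char[]]'0123456789'
    $special = [char[]]'!@#$%^&*()-_=+[]{};:,.?'
    $all     = $upper + $lower + $digit + $special
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Unbiased index in [0, $max): rejection sampling over a 32-bit draw avoids
    # the modulo bias a plain "$n % $max" would introduce.
    function Get-RandomIndex([int]$max) {
        $buf   = New-Object byte[] 4
        $range = [long][uint32]::MaxValue + 1
        $limit = $range - ($range % $max)
        do {
            $rng.GetBytes($buf)
            $n = [long][BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        return [int]($n % $max)
    }

    # Two characters from each class first, then fill to the requested length.
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in @($upper, $lower, $digit, $special)) {
        1..2 | ForEach-Object { $chars.Add($set[(Get-RandomIndex $set.Length)]) }
    }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }

    # Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

# Policy check to run before the attribute write or local account change, so a
# candidate that fails the rules never reaches either step.
function Test-PasswordPolicy([string]$Password) {
    $p = $Password.ToCharArray()
    $u = @($p | Where-Object { [char]::IsUpper($_) }).Count
    $l = @($p | Where-Object { [char]::IsLower($_) }).Count
    $d = @($p | Where-Object { [char]::IsDigit($_) }).Count
    $s = @($p | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count
    return ($p.Length -ge 8 -and $p.Length -le 127 -and $u -ge 2 -and $l -ge 2 -and $d -ge 2 -and $s -ge 2)
}
```

Call `New-RandomPassword -Length 20` and pass the result through `Test-PasswordPolicy` before it is written anywhere; a `$false` result should abort the run with no changes made.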

In This Series

In the upcoming weeks I will post each function of the PowerShell script and explain how it works, culminating in the completed script. Stay tuned for Part 2.

Latest News

Part 2 is now available – Random Password Generation

Part 3 is now available – Secure Active Directory Attribute Update

Part 4 is now available – Update Local Account's Password

Part 5 is now available – Logging Function Output

Part 6 is now available – Extending The Active Directory Schema

Part 7 is now available – Completed Script

Part 8 (Final) is now available – Completed Secure Password Viewer

Comments (17)

  1. Anonymous says:

    Looking forward to Part 2

  2. Anonymous says:

    Any idea when part 2 will be released?

  3. itworkedinthelab says:

    Thanks, sounds like an awesome solution.

  4. Anonymous says:

    This is Part 4 of a multi-part series on managing local admin passwords. In this part I will discuss how to update the password of a local user account using PowerShell

  5. Anonymous says:

    Overview This is Part 5 of a multi-part series on managing local admin passwords. In this part I will

  6. Anonymous says:

    This is Part 6 of a multi-part series on managing local admin passwords. In this part I will discuss how to extend the Active Directory schema to create a new confidential attribute which is where the workstation's local administrator password will

  7. Anonymous says:

    This is Part 7 of a multi-part series on managing local admin passwords. In this part I will provide

  8. Anonymous says:

    Pingback from Managing Local Administrator Passwords | MS Tech BLOG

  9. Anonymous says:

    Pingback from Manage Local Admin Passwords – Additional Comments | JohanPersson.nu

  10. Anonymous says:

    This is Part 8 and the final part of a multi-part series on managing local admin passwords. In this part

  11. daniloariascaballero says:

    All of you did something to my FB; why did you do this, so you could take my whole family?

  12. caballerodanilo13@yahoo.com says:

    They are blocking me, Brox Tapia and the drug users, they did all of it, why did they do this to

  13. judithpiodoscaballero says:

    Jo, it's pointless, like my life, let's just end this, because tomorrow I'm going to Dole, you're too much