Managing Local Administrator Passwords


Overview

In this multi-part series I will walk you through how to manage the local admin password on workstations and servers in an Active Directory enterprise environment using PowerShell. This is a problem frequently faced by IT admins, and when I was asked to solve it, a little research quickly revealed there is no good answer. There are many ways to change the local admin password, including:

  • Startup Script
  • Active Directory Preferences
  • Manually Run Script
  • 3rd party utility

The challenge with each method is typically three-fold:

1) The password must be securely stored

2) The password must be securely transmitted to or from the target computer

3) Users with a need to know (i.e. IT Admins) must be able to retrieve the local admin password in the event it is needed


Each approach to the problem has both benefits and challenges. Some do not address all three problems at all, and others may incur additional cost. The solution that will be discussed in this series is only one of many potential solutions and is based on using a PowerShell startup script, Active Directory Group Policy, an Active Directory confidential attribute, a random password generation function, and a Kerberos encrypted connection to the domain controller.

How It Works

The Active Directory Schema is extended to include a new confidential attribute, which is where the password will be stored. Active Directory Group Policy is used to assign the PowerShell script to workstations and servers so that it will be run each time the workstations and servers reboot. The PowerShell script creates a random password with a configurable length of between 8 and 127 characters that consists of at least 2 upper case, 2 lower case, 2 numbers, and 2 special characters. The password is then written to the configured Active Directory attribute using a Kerberos signed and encrypted secure channel between the computer and the domain controller. If the Active Directory attribute update fails, or the local admin password change fails, no changes are made to either the Active Directory attribute or the local admin account.
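The flow described above, as an added PowerShell example that is not the script from this series: a CSPRNG-backed generator that guarantees two characters from each class, a signed and sealed LDAP bind to the computer's own object, and a write-to-directory-first ordering so the stored value and the real password never diverge. The attribute name `ms-Contoso-LocalAdminPwd`, the `Get-SecureRandomIndex`, `New-RandomPassword` and `Set-LocalAdminPassword` function names, and the assumption that the computer account has been granted write (and, for rollback, read) access to the confidential attribute are all mine, not the page's.

```powershell
# Added example, not the series' own script. Assumes: the schema already has a
# confidential attribute (name passed as -AttributeName; the value in the usage
# line is a placeholder), the computer account may write it, and the script runs
# as SYSTEM at startup so the bind authenticates with the computer's Kerberos ticket.

$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomIndex {
    # Uniform integer in [0, Max) from the CSPRNG; rejection sampling avoids modulo bias.
    param([int]$Max)
    $buffer = New-Object byte[] 4
    $limit  = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:Rng.GetBytes($buffer)
        $value = [BitConverter]::ToUInt32($buffer, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-RandomPassword {
    param([ValidateRange(8, 127)][int]$Length = 16)

    $classes = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{};:,.?'
    )
    $chars = New-Object System.Collections.Generic.List[char]

    # Two characters from every class guarantees the complexity rule stated above.
    foreach ($class in $classes) {
        for ($i = 0; $i -lt 2; $i++) {
            $chars.Add($class[(Get-SecureRandomIndex $class.Length)])
        }
    }
    # Fill the remainder from the union of all classes.
    $all = $classes | ForEach-Object { $_ }
    while ($chars.Count -lt $Length) {
        $chars.Add($all[(Get-SecureRandomIndex $all.Count)])
    }
    # Fisher-Yates shuffle so the class-guaranteed characters do not always lead.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j   = Get-SecureRandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Set-LocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$AttributeName,
        [string]$AccountName = 'Administrator',
        [ValidateRange(8, 127)][int]$Length = 16
    )
    $password = New-RandomPassword -Length $Length

    # Bind to this computer's own object with Kerberos signing and sealing so the
    # new password is integrity-protected and encrypted on the wire to the DC.
    $searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $dn    = $searcher.FindOne().Properties['distinguishedname'][0]
    $auth  = [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing, Signing'
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn", $null, $null, $auth)

    # Step 1: write the directory first. If this throws (e.g. no write permission on
    # the attribute), the local account has not been touched.
    $previous = $entry.Properties[$AttributeName].Value   # $null if unset or unreadable
    $entry.Properties[$AttributeName].Value = $password
    $entry.CommitChanges()

    # Step 2: change the local account. On failure, put the old directory value back
    # (only possible when the computer account was allowed to read it).
    try {
        $account = [ADSI]"WinNT://./$AccountName,user"
        $account.SetPassword($password)
        $account.SetInfo()
    }
    catch {
        if ($null -ne $previous) {
            $entry.Properties[$AttributeName].Value = $previous
            $entry.CommitChanges()
        }
        throw "Local password change failed; directory value $(if ($null -ne $previous) {'restored'} else {'could not be restored'}): $_"
    }
}

# Usage at startup (attribute name is a placeholder, not from the page):
# Set-LocalAdminPassword -AttributeName 'ms-Contoso-LocalAdminPwd' -Length 20
```

The ordering matters: writing the directory before the account means a failed LDAP write leaves the machine exactly as it was, and a failed local change is recoverable as long as the computer account can read the old value back. Because confidential attributes are unreadable without an explicit control-access grant, whether that rollback is possible depends on the permissions you choose when extending the schema.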

In This Series

In the upcoming weeks I will post each function of the PowerShell script and explain how it works, culminating in the completed script. Stay tuned for Part 2.

Latest News

Part 2 is now available: Random Password Generation

Part 3 is now available: Secure Active Directory Attribute Update

Part 4 is now available: Update Local Account's Password

Part 5 is now available: Logging Function Output

Part 6 is now available: Extending The Active Directory Schema

Part 7 is now available: Completed Script

Part 8 (Final) is now available: Completed Secure Password Viewer

Comments
  • Looking forward to Part 2

  • Any idea when part 2 will be released?

  • Part 2 is now available. http://blogs.technet.com/b/platformspfe/archive/2014/01/20/part-2-managing-local-administrator-passwords.aspx

  • Thanks sounds like an awesome solution

