How to automatically change the Local Administrator user password

With all of the security breaches these days, these simple and easy configuration/deployment changes can automate the change of local administrator password servers and workstations, and make them less vulnerable to attack. So I decided to share this with you guys.

To do this you need to follow this article to implement the Local administrator user password: 

In my implementation of Local admin password management I have made some customisations.

The Domain Admins and the users to the AD group “AdminPassword Read” that I have created, will have access to see the password of the Local Administrator of the servers and workstation. This password will be change every 30 days and store the password on the Active Directory.

I have also created a Policy named Admpwd that contains the following settings:

I have created an application on the SCCM 2012 named “Local admin password management”, but you can also set GPO to perform the installation. I have also created a deployment collection with a dynamic query to be deployed on all servers/workstations, which tell the local administrator password to be changed automatically.

The application command to perform the installation is:

  • AdmPwd.Setup.x64.msi” /q
  • AdmPwd.Setup.x86.msi” /q

And the deployment option, in my case, was this one:

  • Install and Required
  • Hide in Software Center and all Notifications

After the AdmPwd is installed on the machines, you are ready to go.

To view the password

To check or request a reset of the password, we need to install the Admpwd software that you can download here:

Open the AdmPwd UI tool with administrative rights, and insert the computer name and click Search:

You can also see the password using PowerShell:

Get-AdmPwdPassword -ComputerName <computername>

Resetting the password

To manually reset the password, just click the Set button in AdmPwd UI tool. When a Group Policy refresh runs, password will be reset. You can also plan password expiration for the future. To do so, enter desired expiration date/time into respective field.

You can also reset the password using PowerShell:

Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>

If we want to reset it immediately, do not use this one:

Reset-AdmPwdPassword -ComputerName <computername>

With this solution, you will have a central and secure management of the workstation local administrator account, and we can provide this password to someone in need, and change it after with a distant of one click.

Hope you guys enjoying this feature.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s