With all of the security breaches these days, these simple configuration and deployment changes automate the rotation of the local administrator password on servers and workstations, making them less vulnerable to attack. So I decided to share this with you guys.
In my implementation of Local admin password management I have made some customisations.
The Domain Admins and the members of the AD group “AdminPassword Read” that I have created will have access to see the password of the local Administrator account on the servers and workstations. This password will be changed every 30 days and stored in Active Directory.
I have also created a Policy named Admpwd that contains the following settings:
I have created an application in SCCM 2012 named “Local admin password management”, but you can also use a GPO to perform the installation. I have also created a deployment collection with a dynamic query so that the client is deployed to all servers and workstations, which then have their local administrator password changed automatically.
The application command to perform the installation is:
- msiexec /i "AdmPwd.Setup.x64.msi" /q
- msiexec /i "AdmPwd.Setup.x86.msi" /q
And the deployment option, in my case, was this one:
- Install and Required
- Hide in Software Center and all Notifications
After the AdmPwd is installed on the machines, you are ready to go.
To view the password
To check the password or request a reset, we need to install the AdmPwd management software, which you can download here:
Open the AdmPwd UI tool with administrative rights, enter the computer name and click Search:
You can also see the password using PowerShell:
Get-AdmPwdPassword -ComputerName <computername>
Resetting the password
To manually reset the password, just click the Set button in the AdmPwd UI tool. When the next Group Policy refresh runs, the password will be reset. You can also schedule the password expiration for a future time; to do so, enter the desired expiration date/time into the respective field.
You can also reset the password using PowerShell:
Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
If we want to reset it immediately, omit the -WhenEffective parameter:
Reset-AdmPwdPassword -ComputerName <computername>
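As an added example (not code from the original post), the following PowerShell script ties together the delegation described earlier for the “AdminPassword Read” group and the retrieve/reset commands above, using the AdmPwd.PS module that ships with the LAPS management tools. The OU distinguished name and the computer name WS-0001 are placeholders for your own environment.

```powershell
# Added example, not part of the original post.
# Assumptions: the OU and computer name below are placeholders; the AdmPwd.PS
# module (installed with the LAPS management tools) is available on this host.
Import-Module AdmPwd.PS

$ou    = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$group = 'AdminPassword Read'                    # AD group created in the post

# 1. Let computers in the OU write their own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Grant read and reset rights only to the named group
#    (Domain Admins already hold these rights).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $group
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $group

# 3. Audit: list every principal that can read passwords in this OU, which
#    reveals over-broad "All extended rights" delegations that should be removed.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 4. Retrieve the current password and its expiry for one computer.
$pw = Get-AdmPwdPassword -ComputerName 'WS-0001'
'{0}: password expires {1}' -f $pw.ComputerName, $pw.ExpirationTimestamp

# 5. After handing the password to someone, schedule a reset so it is rotated
#    at the first Group Policy refresh after the given time.
#    Omit -WhenEffective to expire it immediately.
Reset-AdmPwdPassword -ComputerName 'WS-0001' -WhenEffective (Get-Date).AddHours(2)
```

Run step 3 periodically: any holder other than Domain Admins and the “AdminPassword Read” group is an unintended path to every local administrator password in that OU.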
With this solution, you have central and secure management of the workstation local administrator account: we can provide the password to someone who needs it and change it afterwards with a single click.
Hope you guys enjoy this feature.