Hello,
One step is to grant users and groups permission to read the local administrator passwords stored in Active Directory. For example, to grant read-password permission to the members of the AdmPwd group:
Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd
In addition, you can allow a certain group of users to reset computer passwords (in this example, we grant it to the same group, AdmPwd):
Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd
Then you have to create a new GPO object and link it to the OU containing the computers on which you want to manage local administrator passwords.
Create a policy with the name Password_Administrador_Local using the following command:
Register-AdmPwdWithGPO -GpoIdentity Password_Administrador_Local
Open this policy in the Domain Policy Management Console (gpmc.msc) and go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS.
Using LAPS to View the Administrator Password
The LAPS graphical user interface (GUI) for viewing LAPS passwords must be installed on the administrators' computers.
If you start the tool and specify the computer name, you can view the local administrator password and its expiration date.
The password expiration date can be set manually; alternatively, leave this field empty and click Set to mark the password as already expired.
Also, you can get the computer password using PowerShell:
Get-AdmPwdPassword -ComputerName <computername>
If you think that the local administrators' passwords on all computers in some OU are compromised, you can generate new unique local admin passwords for all computers in the OU with a single PowerShell command. To do this, use the Get-ADComputer cmdlet:
Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Reset-AdmPwdPassword -ComputerName {$_.Name}
Similarly, you can display a list of current passwords for all computers in the OU:
Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Get-AdmPwdPassword -ComputerName {$_.Name}
--If the reply is helpful, please Upvote and Accept as answer--
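The following script is an added example and is not code from the answer above. It chains the steps in the answer into one PowerShell script: by default it only reports which principals hold the extended right that lets them read LAPS passwords below the OU (via Find-AdmPwdExtendedRights) and flags any principal not on an allow list; with -Apply it grants the read and reset permissions to the AdmPwd group and expires every computer's password in the OU. It assumes the AdmPwd.PS and ActiveDirectory modules are installed, reuses the OU distinguished name and the AdmPwd group name from the answer, and assumes that SYSTEM and Domain Admins are the only other expected holders of that right; the function name and the -Apply switch are this example's own.

```powershell
#Requires -Modules AdmPwd.PS, ActiveDirectory
<#
 Added example, not code from the original answer.
 Default run : list every principal that can read LAPS passwords below
               $OrgUnitDN and flag those not on the allow list.
 -Apply      : grant the read/reset permissions from the answer to the
               allowed group(s), then expire every computer's password in
               the OU so each client generates a fresh one.
 Assumed values: the OU DN and the group 'AdmPwd' come from the answer;
 SYSTEM and Domain Admins as expected right holders is an assumption.
#>
param(
    [string]   $OrgUnitDN     = 'OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com',
    [string[]] $AllowedGroups = @('AdmPwd'),
    [switch]   $Apply
)

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-LapsReadRightReport {
    # Hypothetical helper name (not an AdmPwd.PS cmdlet).
    param([string]$Identity, [string[]]$Expected)

    # Find-AdmPwdExtendedRights enumerates ACEs granting "All Extended Rights"
    # on the OU and, with -IncludeComputers, on each computer object. That is
    # the right that allows reading the confidential ms-Mcs-AdmPwd attribute,
    # so every holder listed here can read the local admin passwords.
    Find-AdmPwdExtendedRights -Identity $Identity -IncludeComputers |
        ForEach-Object {
            $dn = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                # Strip the "DOMAIN\" or "NT AUTHORITY\" prefix so the allow
                # list can hold bare names such as 'AdmPwd' or 'SYSTEM'.
                $name = ($holder -split '\\')[-1]
                [pscustomobject]@{
                    ObjectDN   = $dn
                    Holder     = $holder
                    Unexpected = ($Expected -notcontains $name)
                }
            }
        }
}

# Principals that are allowed to see passwords: the groups we manage plus
# the holders that are always present (assumption: SYSTEM, Domain Admins).
$expected = $AllowedGroups + @('SYSTEM', 'Domain Admins')
$report   = @(Get-LapsReadRightReport -Identity $OrgUnitDN -Expected $expected)
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize

$unexpected = @($report | Where-Object Unexpected)
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} ACE(s) grant LAPS password read access to principals not on the allow list; review the ACL before relying on these passwords." -f $unexpected.Count)
}

if (-not $Apply) { return }

# Grant the two permissions shown in the answer to each allowed group.
foreach ($group in $AllowedGroups) {
    Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnitDN -AllowedPrincipals $group
    Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnitDN -AllowedPrincipals $group
}

# Reset-AdmPwdPassword only rewrites ms-Mcs-AdmPwdExpirationTime in AD. The
# new password is generated by the LAPS client on the computer at its next
# Group Policy refresh, so the old password stays valid until then.
$computers = @(Get-ADComputer -Filter * -SearchBase $OrgUnitDN)
foreach ($c in $computers) {
    Reset-AdmPwdPassword -ComputerName $c.Name
}
Write-Output ("Expired LAPS passwords on {0} computer(s); run Get-AdmPwdPassword after the clients refresh policy." -f $computers.Count)
```

Run it without -Apply first: the report is the check a practitioner wants before trusting LAPS, because any extra principal in the output can read every local administrator password in the OU regardless of what the GPO says. Only once the ACL looks right does -Apply grant the permissions and force the rotation.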