Managing Local Administrator Passwords


In this multi part series I will walk you through how to manage the local admin password on workstations and servers in an Active Directory enterprise environment using PowerShell. This is a problem frequently faced by IT admins and when I was asked to solve it, a little research quickly revealed there is no good answer. There are many ways to change the local admin password including:

  • Startup Script
  • Active Directory Preferences
  • Manually Ran Script
  • 3rd party utility

The challenge with each method is typically three-fold:

1) The password must be securely stored

2) The password must be securely transmitted to or from the target computer

3) Users with a need to know (i.e. IT Admins) must be able to retrieve the local admin password in the event it is needed


Each approach to the problem has both benefits and challenges. Some do not address all three problems at all, and others may incur additional cost. The solution that will be discussed in this series is only one of many potential solutions and is based on using a PowerShell startup script, Active Directory Group Policy, an Active Directory confidential attribute, a random password generation function, and a Kerberos encrypted connection to the domain controller.

How It Works

The Active Directory Schema is extended to include a new confidential attribute which is where the password will be stored. Active Directory Group Policy is used to assign the PowerShell script to workstations and servers so that it will be ran each time the workstations and servers reboot. The PowerShell script creates a random password with a configurable length of between 8 and 127 characters that consists of at least 2 upper case, 2 lower case, 2 numbers, and 2 special characters. The password is then written to the configured Active Directory attribute using a Kerberos signed and encrypted secure channel between the computer and the domain controller. If the Active Directory attribute update fails, or the local admin password change fails, no changes are made to either the Active Directory attribute or the local admin account.

In This Series

In the upcoming weeks I will post each function of the PowerShell script and explain how it works, followed by the completed script. This tutorial will explain each PowerShell function and will culminate in the completed script. Stay tuned for Part 2.

Latest News

Part 2 is now available. - Random Password Generation

Part 3 is now available. - Secure Active Directory Attribute Update

Part 4 is now available. - Update Local Account's Password

Part 5 is now available. - Logging Function Output

Part 6 is now available - Extending The Active Directory Schema

Part 7 is now available - Completed Script

Part 8 (Final) is now available - Completed Secure Password Viewer