

Showing posts from October, 2013

Managing The Local Administrator Password - Part 3 - The Implementation

In this post I outline a step-by-step guide to implementing the solution. This post builds on the previous one. It is mostly a condensed version of the author’s documentation, with the addition of some items that I either found unclear or that were not covered by the author. In any case you should read the full documentation found here:

WARNING: The solution requires a schema extension, and this should never be taken lightly, so do test properly and proceed at your own risk.

The steps described in this section can be carried out on a Domain Controller or a management workstation.

1. Install the CSE including the “Management Tools”

This installs:

- PowerShell module
- GPO templates (AdmPwd.admx and .adml)

Note: I tested this on a domain with a local GPO store. If you are using a Central Store you should check if the templates have been copied.

The fol

Managing The Local Administrator Password - Part 2 - The Solution

Jiri Formacek, a Microsoft Services consultant (based on his LinkedIn profile), has published an excellent local admin password management solution.

The solution uses a Group Policy Client Side Extension (CSE) to set a random, unique per-computer local administrator password that is changed at a user-controlled interval (30 days by default). The password is then stored in a confidential Active Directory (AD) attribute. Permission to retrieve the password is controlled using a security group. The solution is described in the documentation, so I won’t be repeating what’s there. I’ll go over the main points and some things that are not covered in the official documentation.

I recommend reading the documentation.

The solution can be downloaded here:

The documentation can be found here:

I

Managing The Local Administrator Password - Part 1 - The Issue

The local administrator password has always been a headache for security professionals. There hasn’t been a good and free way to manage the password on a large scale, and most organizations ended up using the same password on all desktops or even servers. This introduces a number of vulnerabilities, such as:

- All IT staff know the password
- The password is never changed
- The password inevitably becomes known to the users and various 3rd parties
- Machines are exposed to pass-the-hash attacks

If an attacker, malware or an evil insider gains access to a single machine currently logged on under the local admin account, they will be able to access all machines by executing a script or using built-in management tools. Moreover, compromise of a single machine will allow an attacker to grab a password hash and use it to access other computers.

The local administrator password can be managed using Group Policy Preferences as detailed in the following article:

https://soc