As part of my role I took over a reasonable sized Windows Server infrastructure. Many servers have now been replaced but some of the originals remain. I am currently running security tasks across all areas and one was to change the local admin password and account name for all servers.
There used to be two common ways to achieve this:
- Manually reset each password and save into a spreadsheet.
- Use Group Policy Preferences to set a standard password.
Creating a spreadsheet of passwords fills me with dread, and Sod's law says you won't be able to open it when you need it. Using GPP is a reasonable idea, but the implementation stores the password in clear text within the SYSVOL folder (readable by anyone on the network). Microsoft have realised this is an issue and, as at May 2014, have actually stopped the GPP solution from working.
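The SYSVOL problem above does not go away by itself: GPP items created before the fix keep their stored password in the XML until someone removes them. The following PowerShell is an added audit (not part of the original post) that lists any remaining GPP items carrying a `cpassword` attribute so they can be deleted and the affected accounts rotated. It only reports locations and account names; it does not touch the stored values. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the current session is in the domain being checked.

```powershell
# Added audit example: find GPP items in SYSVOL that still carry a cpassword attribute.
# Read-only. Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# The GPP preference files that can hold a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue

        # cpassword sits on the <Properties> element of each item; select only non-empty ones
        $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]') | ForEach-Object {
            # Policy folder name is the GPO GUID; map it back to a display name where possible
            $guid = ($file.FullName -split '\\Policies\\')[1].Split('\')[0]
            $gpo  = try { (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch { $guid }

            [pscustomobject]@{
                GPO     = $gpo
                File    = $file.FullName
                # Account attribute name differs per preference type
                Account = if ($_.userName) { $_.userName } elseif ($_.accountName) { $_.accountName } else { $_.runAs }
                Changed = $_.ParentNode.changed
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} GPP item(s) still carry a stored password; remove them and rotate those accounts." -f @($findings).Count)
} else {
    Write-Host "No GPP cpassword entries found under $sysvol"
}
```

Run it once after the LAPS rollout and again after any restore of an old GPO backup, since a restore can bring the old items back.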
The new, approved solution is LAPS – Local Admin Password Solution. This is a combination of a client-side DLL and GPO settings that regularly and automatically reset the local administrator password and store it in Active Directory. It's a free Microsoft tool, available for download complete with instructions. The instructions are very clear and easy to follow, so I won't detail them here but will give a quick overview.
- Install the management agent onto a management server.
- Extend the AD schema and make some small permission changes on the OU(s) containing the servers you wish to manage.
- Create a GPO with the password complexity and refresh time you require.
- Install the agent onto each server to be managed.
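The schema, permission and GPO steps above can be scripted rather than clicked through. The following PowerShell is an added example (not from the original post or the LAPS documentation) using the `AdmPwd.PS` module that installs with the LAPS management tools, and the `GroupPolicy` module for the GPO. The OU path, group names, GPO name and password settings are placeholders. The schema step needs Schema Admins membership; the rest needs rights on the OU. Step 5 is the check most people skip: any principal that already holds "All extended rights" on the OU can read the password attribute regardless of who you grant in step 3.

```powershell
# Added example: LAPS schema, permissions and GPO via AdmPwd.PS and GroupPolicy modules.
# Placeholders below must be replaced with your own OU, groups and GPO name.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$ouServers         = 'OU=Servers,DC=corp,DC=example'   # placeholder OU holding the managed servers
$passwordReaders   = 'CORP\LAPS-Password-Readers'       # placeholder group allowed to read passwords
$passwordResetters = 'CORP\LAPS-Password-Resetters'     # placeholder group allowed to force a rotation

# 1. Extend the schema: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the computer class
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiry (SELF write on the two attributes)
Set-AdmPwdComputerSelfPermission -OrgUnit $ouServers

# 3. Grant read of the password attribute only to the group that needs it
Set-AdmPwdReadPasswordPermission -OrgUnit $ouServers -AllowedPrincipals $passwordReaders

# 4. Grant the right to set the expiry (force a rotation) to a separate group
Set-AdmPwdResetPasswordPermission -OrgUnit $ouServers -AllowedPrincipals $passwordResetters

# 5. Check who already holds extended rights on the OU; these principals can read the
#    confidential attribute regardless of step 3, so the list should be deliberately short.
Find-AdmPwdExtendedRights -Identity $ouServers | Format-List ObjectDN, ExtendedRightHolders

# 6. Create and link the GPO. These are the registry-backed values behind the settings in
#    the LAPS ADMX template (AdmPwd.admx); the same settings can be set in the GPMC editor.
$gpo = New-GPO -Name 'LAPS - Servers' -ErrorAction Stop     # placeholder GPO name
$key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null  # upper, lower, digits, specials
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null
# Stop a local admin from pushing the expiry beyond the policy maximum
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ouServers | Out-Null
```

The read and reset permissions are deliberately split into two groups: reading a password and forcing its rotation are different duties, and keeping them separate makes the audit trail in step 5 easier to reason about.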
Once complete (the above took 30 minutes, not including change control and testing), you can retrieve the password in three ways:
1. Using the LAPS tool
2. Inspecting the attribute editor in Active Directory
3. Viewing in PowerShell
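The third route in PowerShell, as an added example (not from the original post): the `Get-AdmPwdPassword` cmdlet from `AdmPwd.PS`, the same two attributes read directly off the computer object (which is what the attribute editor shows, with the expiry as a raw FILETIME), a forced rotation once the password has been used, and a sweep of the OU for machines whose expiry is already in the past, which is the condition worth alerting on. The server name and OU are placeholders; the module names and attribute names are the real ones.

```powershell
# Added example: retrieving, rotating and health-checking LAPS passwords from PowerShell.
# Requires the AdmPwd.PS module (LAPS management tools) and the ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$server = 'SRV01'                             # placeholder computer name
$ou     = 'OU=Servers,DC=corp,DC=example'     # placeholder OU of managed servers

# Route 3a: the LAPS cmdlet (ComputerName, DistinguishedName, Password, ExpirationTimestamp)
Get-AdmPwdPassword -ComputerName $server | Format-List ComputerName, Password, ExpirationTimestamp

# Route 3b: the raw attributes, as the attribute editor shows them.
# ms-Mcs-AdmPwdExpirationTime is a FILETIME (100 ns ticks since 1601), so convert for display.
$obj = Get-ADComputer -Identity $server -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
[pscustomobject]@{
    Computer   = $obj.Name
    Password   = $obj.'ms-Mcs-AdmPwd'
    ExpiresUtc = [datetime]::FromFileTimeUtc([int64]$obj.'ms-Mcs-AdmPwdExpirationTime')
}

# Once the password has been used for a support task, expire it so the agent rotates it
# at the next Group Policy refresh rather than waiting out the remaining age.
Reset-AdmPwdPassword -ComputerName $server

# Health check: a computer whose expiry is in the past has not rotated its password,
# typically because the agent is not installed or Group Policy is not applying.
$nowUtc = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer   = $_.Name
            ExpiresUtc = $expires
            Status     = if (-not $expires) { 'never set' }
                         elseif ($expires -lt $nowUtc) { 'overdue' }
                         else { 'ok' }
        }
    } | Sort-Object Status, Computer | Format-Table -AutoSize
```

Only accounts granted read permission on the OU get a value back from either route; everyone else sees an empty password field, which is the behaviour you want to confirm with a non-privileged test account before relying on it.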