As system administrators, we know how vulnerable passwords are. We require our users to change their passwords on a regular basis. We request they use different passwords for different systems, to limit exposure caused by the loss of a single password. Then we set the administrator password to be the same on all our systems. Then we never change them. The result is one compromised system means every other one can be compromised.

Why do we do this? Because managing the password on every system is a major task in keeping documentation up to date. Over the years I have tried to make this easier. It did not work out because it still had too much manual work. Now Microsoft has created Local Administrator Password Solution (LAPS) great solution that is self-maintaining, easy and free to manage local admin passwords.

I recommend the following to make this easy and secure

Create a new domain user account for all your system admins. This is their admin account to use when they need to elevate their permissions. This means when surfing the web and opening email they do not have elevated permissions that could ruin their day if they open the wrong attachment. Require these admin accounts to have a strong and unique password.

Add those users to a new group and use group policy to add that group to the local “Administrators” group. You now have individual accountability of who is doing what on each system.

Download and configure LAPS. Use a group policy with LAPS to create a new user with the LAPS passwords. This keeps the of a well-known username and stops the reuse of a SID if the systems were cloned from each other. Allow this new group of user to read the LAPS passwords.

Delete the existing/default administrator account via group policy.

Now the staff who need to run processes as a local admin can with their own account and password they can remember. They can the LAPS password from Active Directory when the system can’t authenticate to AD for some reason, such as the system was removed from the network. The great part is if any system is compromised, they don’t have the local admin password and use it on every other system on your network.

Further reading

https://technet.microsoft.com/en-us/library/security/3062591.aspx