共用方式為


Managing Local Administrator Passwords

Overview

In this multi part series I will walk you through how to manage the local admin password on workstations and servers in an Active Directory enterprise environment using PowerShell. This is a problem frequently faced by IT admins and when I was asked to solve it, a little research quickly revealed there is no good answer. There are many ways to change the local admin password including:

  • Startup Script
  • Active Directory Preferences
  • Manually Ran Script
  • 3rd party utility

The challenge with each method is typically three-fold:

1) The password must be securely stored

2) The password must be securely transmitted to or from the target computer

3) Users with a need to know (i.e. IT Admins) must be able to retrieve the local admin password in the event it is needed

 

Each approach to the problem has both benefits and challenges. Some do not address all three problems at all, and others may incur additional cost. The solution that will be discussed in this series is only one of many potential solutions and is based on using a PowerShell startup script, Active Directory Group Policy, an Active Directory confidential attribute, a random password generation function, and a Kerberos encrypted connection to the domain controller.

How It Works

The Active Directory Schema is extended to include a new confidential attribute which is where the password will be stored. Active Directory Group Policy is used to assign the PowerShell script to workstations and servers so that it will be ran each time the workstations and servers reboot. The PowerShell script creates a random password with a configurable length of between 8 and 127 characters that consists of at least 2 upper case, 2 lower case, 2 numbers, and 2 special characters. The password is then written to the configured Active Directory attribute using a Kerberos signed and encrypted secure channel between the computer and the domain controller. If the Active Directory attribute update fails, or the local admin password change fails, no changes are made to either the Active Directory attribute or the local admin account.

In This Series

In the upcoming weeks I will post each function of the PowerShell script and explain how it works, followed by the completed script. This tutorial will explain each PowerShell function and will culminate in the completed script. Stay tuned for Part 2.

Latest News

Part 2 is now available. - Random Password Generation

Part 3 is now available. - Secure Active Directory Attribute Update

Part 4 is now available. - Update Local Account's Password

Part 5 is now available. - Logging Function Output

Part 6 is now available - Extending The Active Directory Schema

Part 7 is now available - Completed Script

Part 8 (Final) is now available - Completed Secure Password Viewer

Comments

  • Anonymous
    January 01, 2003
    Looking forward to Part 2
  • Anonymous
    January 01, 2003
    Part 2 is now available. http://blogs.technet.com/b/platformspfe/archive/2014/01/20/part-2-managing-local-administrator-passwords.aspx
  • Anonymous
    January 01, 2003
    Any idea when part 2 will be released?
  • Anonymous
    January 20, 2014
    Thankssounds like an awesome solution
  • Anonymous
    February 17, 2014
    Par
  • Anonymous
    February 17, 2014
    This is Part 4 of a multi-part series on managing local admin passwords. In this part I will discuss how to update the password of a local user account using PowerShell
  • Anonymous
    February 17, 2014
    Overview This is Part 5 of a multi-part series on managing local admin passwords. In this part I will
  • Anonymous
    April 02, 2014
    This is Part 6 of a multi-part series on managing local admin passwords. In this part I will discuss how to extend the Active Directory schema to create a new confidential attribute which is where the workstation's local administrator password will
  • Anonymous
    May 13, 2014
    This is Part 7 of a multi-part series on managing local admin passwords. In this part I will provide
  • Anonymous
    May 13, 2014
    Pingback from Managing Local Administrator Passwords | MS Tech BLOG
  • Anonymous
    May 15, 2014
    Pingback from Manage Local Admin Passwords – Additional Comments | JohanPersson.nu
  • Anonymous
    August 12, 2014
    This is Part 8 and the final part of a multi-part series on managing local admin passwords. In this part
  • Anonymous
    August 13, 2014
    lahat kayo may gawa sa fb ko bakit nyo ginawa ito para makuha nnyo ang lahat ng pamilya ko
  • Anonymous
    August 13, 2014
    binablock nila ako si brox tapia drug users lahat ginawa nila bakit ginawa nila ito para
  • Anonymous
    August 17, 2014
    jo poslan man ingon akong kinabuhi taposon lng ni nato ky ogma moadto ko sa dole grabi manka
  • Anonymous
    August 17, 2014
    jo poslan man ingon akong kinabuhi taposon lng ni nato ky ogma moadto ko sa dole grabi manka
  • Anonymous
    August 17, 2014
    jo poslan man ingon akong kinabuhi taposon lng ni nato ky ogma moadto ko sa dole grabi manka