How to manage a local account password through AD.

Ka Ho Cheng 285 Reputation points
2024-07-22T07:14:33.6566667+00:00

Many years ago, a script could be used to manage the password of a local account (one specific account).

When a client (whether Windows 10 or 11) joins the domain, AD could change the password of one specific account to a random password on each machine, and it is possible to change the password every month.

Besides that, an AD operation is available to export the passwords of all clients to one CSV file for records.

May I know how to do that, or whether any tools are available for a similar function? Thanks

AD is using Server 2016 & 2012 R2.


Accepted answer
  1. Daisy Zhou 24,901 Reputation points Microsoft Vendor
    2024-07-22T09:51:31.4633333+00:00

    Hello Ka Ho Cheng,

    Thank you for posting in Q&A forum.

    For your request, you can read this article (Workarounds parts) and check if it helps.

    https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30

    Here is more about managing the passwords of local administrator accounts on domain-joined machines in AD.

    Managing local account passwords through Active Directory (AD) can be effectively done using Microsoft's Local Administrator Password Solution (LAPS). LAPS is specifically designed to manage the passwords of local administrator accounts on domain-joined machines in a secure and automated way.

    Below are the steps to deploy and configure LAPS:

    Step 1: Check domain functional level and domain controller OS version requirements

    Step 2: Extend the Active Directory Schema

    Step 3: Configure Permissions in Active Directory

    Configure the necessary permissions to allow computers to update their passwords and to allow administrators to read the passwords.

    Step 4: Configure Group Policy

    Create a GPO to configure LAPS settings.

    1. Create a New GPO:

    Open Group Policy Management and create a new GPO or edit an existing one.

    2. Edit GPO Settings:

    Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **LAPS**.

    Define the "Name of administrator account to manage" setting if you need to manage a specific account other than the default local administrator account.

    Step 5: Monitor and Retrieve Passwords

    You can retrieve the local administrator passwords using the LAPS UI or through PowerShell.

    LAPS is a robust and secure solution for managing local administrator passwords on domain-joined machines, ensuring that passwords are rotated regularly and stored securely in Active Directory.

    For more information, please refer to the links below:
    https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory

    https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

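The five steps in the accepted answer, carried out end to end in PowerShell with the built-in Windows LAPS module (the same cmdlets the linked Microsoft docs describe), plus the CSV export the question asks for. This is an added example, not code from the original post or from Microsoft: the domain name, OU, group name, managed account name and computer name are hypothetical, and the GPO is built by writing the same registry values the ADMX template under System > LAPS sets. Step 1 of the answer still applies: confirm on the linked requirements page that your domain controllers and functional level support Windows LAPS before running the schema update.

```powershell
# Added example (not from the original post). Assumes hypothetical names:
# domain contoso.com, OU "OU=Workstations,DC=contoso,DC=com", AD group
# "CONTOSO\LAPS-PasswordReaders", managed local account "LocalAdmin".
# Run from a DC or an RSAT host as Schema Admin (step 2) / Domain Admin (steps 3-4).
Import-Module LAPS
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou          = 'OU=Workstations,DC=contoso,DC=com'   # hypothetical
$readerGroup = 'CONTOSO\LAPS-PasswordReaders'        # hypothetical

# Step 2: extend the AD schema (one-time, per forest).
Update-LapsADSchema -Verbose

# Step 3: computers may write their own password attributes; only the reader
# group may read or reset them. Everyone else gets nothing.
Set-LapsADComputerSelfPermission  -Identity $ou
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readerGroup
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $readerGroup

# Check: list every principal holding LAPS extended rights on the OU.
# Any principal you did not grant above is a finding to investigate.
Find-LapsADExtendedRights -Identity $ou |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Step 4: create the GPO. These registry values are what the ADMX settings under
# Computer Configuration > Administrative Templates > System > LAPS write.
$gpo = New-GPO -Name 'LAPS - Workstations'
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
# 2 = back the password up to Active Directory (1 would be Azure AD / Entra ID)
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'BackupDirectory'          -Type DWord  -Value 2
# "Name of administrator account to manage": the specific account from the question
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AdministratorAccountName' -Type String -Value 'LocalAdmin'
# Rotate monthly, 20 characters, complexity 4 = upper + lower + digits + symbols
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordAgeDays'          -Type DWord  -Value 30
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordLength'           -Type DWord  -Value 20
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordComplexity'       -Type DWord  -Value 4
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes

# On a managed client, force a policy cycle and confirm the backup succeeded:
#   Invoke-LapsPolicyProcessing -Verbose
#   Get-LapsDiagnostics

# Step 5: read one machine's password. -AsPlainText reveals it; the read is
# logged against your account in AD, which is why only the reader group has the right.
Get-LapsADPassword -Identity 'WS-001' -AsPlainText   # 'WS-001' is hypothetical

# Records export for the CSV the question asks for: inventory metadata only
# (which account, when rotated, when it expires). Deliberately no -AsPlainText:
# a spreadsheet of every local admin password undoes the point of LAPS.
Get-ADComputer -SearchBase $ou -Filter * |
    ForEach-Object { Get-LapsADPassword -Identity $_.Name } |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source |
    Export-Csv -Path 'C:\Reports\laps-inventory.csv' -NoTypeInformation
```

If a machine is missing from the CSV or has an empty ExpirationTimestamp, it has not yet written a password to AD: check that it is under the linked OU, that Set-LapsADComputerSelfPermission covered it, and run Get-LapsDiagnostics on it. The Find-LapsADExtendedRights check is worth re-running periodically, since anyone who can read the password attribute of a computer object effectively holds its local administrator credential.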