How to manage local account password though AD.

Question

Many years ago, a script can be used for manage the password of local account (specific one account).

When the client (may Windows 10 or 11) join in domain, AD could change the password of one specific account to any random password of each. And it is available to change password per month.

Beside that, AD operation is available to export the password of all client to one CSV file for records.

May I know how to do that, or any tools is available to use for above similar function? Thanks

AD is using Server 2016 & 2012 R2.

Answer 1

Hello Ka Ho Cheng,

Thank you for posting in Q&A forum.

For your request, you can read this article (Workarounds parts) and check if it helps.

https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30

I know more about manage the passwords of local administrator accounts on domain-joined machines in AD.

Managing local account passwords through Active Directory (AD) can be effectively done using Microsoft's Local Administrator Password Solution (LAPS). LAPS is specifically designed to manage the passwords of local administrator accounts on domain-joined machines in a secure and automated way.

Below are the steps to deploy and configure LAPS:

Step 1: Check domain functional level and domain controller OS version requirements

Step 2: Extend the Active Directory Schema

Step 3: Configure Permissions in Active Directory Configure the necessary permissions to allow computers to update their passwords and to allow administrators to read the passwords.

Step 4: Configure Group Policy Create a GPO to configure LAPS settings.

1.Create a New GPO:

Open Group Policy Management and create a new GPO or edit an existing one.

2.Edit GPO Settings:

Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **LAPS**.

Define the Name of administrator account to manage if you need to manage a specific account other than the default local administrator account.

Step 5: Monitor and Retrieve Passwords

You can retrieve the local administrator passwords using the LAPS UI or through PowerShell.

LAPS is a robust and secure solution for managing local administrator passwords on domain-joined machines, ensuring that passwords are rotated regularly and stored securely in Active Directory.

For more information, please refer to the links below:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#windows-laps-group-policy

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.