Managing local Administrator passwords on computers can be painful, especially in a large estate. Good practice is for each device to have its own unique local Administrator password, so that one compromised machine cannot be used to move laterally to the rest; in practice, few organisations actually achieve this.
I recently came across a Microsoft solution geared towards addressing this problem – the Local Admin Password Solution:
The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read them or request their reset.
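The mechanism described above (a per-computer password written to AD and gated by an ACL) is usually operated through the AdmPwd.PS PowerShell module that ships with LAPS. The script below is an added example, not code from the original post or from Microsoft's documentation; it assumes the AdmPwd.PS and ActiveDirectory modules are installed, the schema has already been extended, and the OU, group and computer names are placeholders for your own estate. It shows the checks a practitioner typically wants: who can already read the password attribute, delegating read and reset rights to a group, confirming clients are actually rotating, and reading or rotating one machine's password.

```powershell
# Added example (not from the original post or Microsoft's documentation).
# Assumptions: AdmPwd.PS and ActiveDirectory modules are installed, the
# LAPS schema extension has been applied, and the names below are placeholders.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$workstationOu = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$readerGroup   = 'CORP\LAPS-Password-Readers'             # assumed group
$computer      = 'WS001'                                  # assumed computer name

# 1. Audit: which principals can read ms-Mcs-AdmPwd under this OU?
#    Any principal holding "All extended rights" on the OU can read the
#    password, so review this list before delegating anything new.
Find-AdmPwdExtendedRights -Identity $workstationOu |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 2. Delegate: let each computer write its own password attribute, and let
#    the reader group read passwords and request resets.
Set-AdmPwdComputerSelfPermission  -OrgUnit $workstationOu
Set-AdmPwdReadPasswordPermission  -OrgUnit $workstationOu -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $workstationOu -AllowedPrincipals $readerGroup

# 3. Verify rollout: computers in the OU that have never written an
#    expiration time have not yet had the client side apply the policy.
Get-ADComputer -SearchBase $workstationOu -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
    Select-Object Name, DistinguishedName

# 4. Retrieve: read one machine's current password and its expiry.
$entry = Get-AdmPwdPassword -ComputerName $computer
$entry | Select-Object ComputerName, Password, ExpirationTimestamp

# 5. Rotate: mark the password as expired so the client sets a new one at
#    its next Group Policy refresh, e.g. after it has been used for support.
Reset-AdmPwdPassword -ComputerName $computer
```

Step 1 is the check worth repeating after any OU permission change: the reader list returned there is the effective set of accounts that can recover local Administrator passwords, regardless of what was intended in step 2.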
In terms of supported operating systems, at the time of writing the requirements are very flexible with respect to domain controllers and target operating systems:
Active Directory:
- Windows 2003 SP1 and above

Managed machines:
- Windows Vista with current SP or above; x86 or x64
- Windows 2003 with current SP and above; x86 or x64 (Itanium not supported)
For more information, and to download the tool itself, see: https://www.microsoft.com/en-us/download/details.aspx?id=46899