Local administrator passwords are a problematic situation in an organization of significant size. Every computer either has the same password for the local administrator account, some formula to determine it, or a spreadsheet to track it. The bigger threat surrounding those accounts having a common password is more of an internal threat. With technicians coming and going, it can be quite a project to change the administrator password on each and every computer. If there’s a disgruntled IT technician that knew the password though, you should probably work on that project.
You could run around and get hands on each computer or write a script assigned through Group Policy to change the password, along with trying to inform everyone that needs to know but that can be tedious or requires leaving the password in plaintext somewhere (with only computer objects having access). Group Policy Preferences could manage local accounts but including passwords in GPP has always been a no-no and was enforced last May.
After closing the door of using GPP, many IT Pros began questioning how they were supposed to manage the local administrator password. Best practice would say that each computer should have its own password for the local administrator account and that it should be updated frequently. The Local admin password management solution was posted on MSDN and following the GPP change, it was proposed as a solution on the Ask Premier Field Engineering Platforms blog. Just last week, it was announced that Microsoft has adopted this as an official product in Microsoft Security Advisory 3062591.
The Local Administrator Password Solution, security-wise, is a thing of beauty. The local administrator password is periodically changed and is unique on each computer. With a schema change in AD, the password is stored in the attribute editor for a computer. It is then controlled who has permission to view the password attribute through Active Directory. Depending on the layout of your organization, this could be a further improvement by allowing technicians to know only the passwords of the computers for which they are responsible. To know the local account’s password, it would be looked up in AD and then would be usable. Technicians may dislike the extra step that slows them down but security should be jumping up and down.
LAPS is not something that can be implemented with a simple install but will require some planning and communication but the benefit looks to be a solution a long-time coming.