Manage Local Admin Passwords – Additional Comments

Today's work consists of implementing a system for managing local admin passwords for servers and workstations in an Active Directory environment. I have used the method from the following (excellent) article series by the PlatformPFE team at Microsoft.

Part 1 – Overview
Part 2 – Random Password Generation
Part 3 – Secure Active Directory Attribute Update
Part 4 – Update Local Account’s Password
Part 5 – Logging The Update Process
Part 6 – Extending The Active Directory Schema
Part 7 – Managing Local Administrators Passwords

In short, this series uses a new attribute in AD (marked confidential) to store the local admin password. The password is changed and written to the attribute by a PowerShell script that runs at every startup of the computer.

There are some aspects of the solution that were not completely obvious to me, so I thought I would write them down so I won't forget them:

The Confidential attribute is a flag set on the attribute which requires not only Read permission but also CONTROL_ACCESS on the attribute in order to read its value.

There are some limitations:

  • The confidential flag cannot be applied to most of the default attributes. It is, however, applied to some default attributes such as BitLocker recovery keys.
  • The CONTROL_ACCESS permission is set by default for members of Administrators and Account Operators in Active Directory, which means that these users will always have access to confidential attributes.
  • The CONTROL_ACCESS permission can only be set using LDP.exe (which I will explain later how to do). You will need to do this if you want to allow users who are not members of Administrators or Account Operators to access the local admin password.

To set the CONTROL_ACCESS permission for the AD-MemberServers OU-Read-Attribute-LocalAdminPWD group (described in the series), do the following:

  1. Start LDP.exe elevated as a Domain Admin user
  2. Connect to your domain controller

  3. Bind LDP to the domain using your user account

  4. Turn on the tree view in LDP

  5. Browse to the OU where you set up the permissions and open the Security Descriptor

  6. Double-click the ACL entry you set to open it and check the Control Access box. Click OK when you are done.

    Note: If you set up the password solution for workstations too, you will need to repeat the procedure for the workstation OU.

  7. Done

Addendum:

To verify whether all computers have a local admin password set, you can run:

# Computers whose LocalAdminPWD attribute is empty (straight quotes are required; curly quotes break the filter)
$Filter = {(-not(LocalAdminPWD -like "*"))}
Get-ADComputer -Filter $Filter -Properties LocalAdminPWD | Format-Table Name,LocalAdminPWD
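As an added check that is not part of the series' scripts or this post's original code, the following PowerShell audits the three things the walkthrough above depends on: that the attribute really carries the confidential flag, that the group's ACE on the OU carries CONTROL_ACCESS (ExtendedRight) for that attribute and not just Read, and which computers in the OU still have no password stored. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$AttrName  = 'LocalAdminPWD'
$GroupName = 'AD-MemberServers OU-Read-Attribute-LocalAdminPWD'
$OUDN      = 'OU=MemberServers,DC=example,DC=com'   # placeholder: your server OU

# 1. Is the attribute marked confidential? searchFlags bit 0x80 is the confidential flag.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttrName)" `
                     -Properties lDAPDisplayName, searchFlags, schemaIDGUID
if (-not $attr) { throw "Attribute $AttrName not found in the schema" }
$isConfidential = ($attr.searchFlags -band 0x80) -ne 0
$attrGuid = [guid]$attr.schemaIDGUID
"Confidential flag set on ${AttrName}: $isConfidential"

# 2. Does the group's ACE for this attribute on the OU include CONTROL_ACCESS?
#    Read permission alone is not enough to read a confidential attribute.
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path "AD:\$OUDN"
$aces = $acl.Access | Where-Object {
    $_.ObjectType -eq $attrGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}
if (-not $aces) { "No attribute-specific ACE for $GroupName found on $OUDN" }
foreach ($ace in $aces) {
    $hasControlAccess = ($ace.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
    "ACE rights: $($ace.ActiveDirectoryRights); Control Access granted: $hasControlAccess"
}

# 3. Computers under the OU that still have no password stored (same filter as the addendum).
Get-ADComputer -SearchBase $OUDN -Filter { -not (LocalAdminPWD -like "*") } |
    Select-Object -ExpandProperty Name
```

Run it as a user who can read the OU's security descriptor; step 3 only needs Read on the attribute's presence, not CONTROL_ACCESS, since the filter tests for existence rather than returning the value.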

Links

http://blogs.technet.com/b/craigf/archive/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information.aspx
http://blogs.technet.com/b/platformspfe/archive/2014/05/13/part-7-managing-local-administrator-passwords.aspx
