UPDATE: Upon further discussion with information security professionals, I’ve expanded on the subject of local Administrator accounts here.
As systems administrators, we sometimes need access to a given machine without domain credentials. But, in all honesty, how often do we really need access in this fashion? In a properly run environment, most of the rationale I’ve seen for “standardizing” on a local Administrator password has been to support other bad practices, like giving the password to end users to solve a one-time problem or letting service accounts run as a named user.
Below I’ve included a sample VBScript to randomize the local Administrator password. If you don’t use the local account in any day-to-day work, you may as well not leave this gaping security hole out there. Try placing this script in a Group Policy machine startup script. Just copy-paste the full code into a new Notepad instance, click save, then put “password.vbs” INCLUDING quotes into the path. This is necessary to retain the non-default extension (as otherwise Notepad puts the standard .txt extension on the file). Remember the path, then add it to an existing Group Policy Object or create a new one. Once you’ve opened the GPO, the full path is Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup. Click Add, Browse, point to the script, and press OK on the two screens. Close the GPO, apply it to a test OU, and you’re well on your way! If you have any issues you can always back out of the changes.
' A simple script used to randomize the local Administrator account password
' and disable/enable the account
'
' Written by Jeff McJunkin (@jeffmcjunkin, jeffmcjunkin.com)
' May be reused without permission, as long as the original source is attributed

' "." refers to the local machine when used with the WinNT provider
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")

' Build a 120-character password from random byte values 1..255
intHighNumber = 255
intLowNumber = 1
password = ""

' Seed once, before the loop: reseeding from the timer on every iteration
' can return the same value repeatedly within one timer tick
Randomize
For i = 1 To 120
    intNumber = Int((intHighNumber - intLowNumber + 1) * Rnd + intLowNumber)
    password = password & Chr(intNumber)
Next

objUser.SetPassword password

' If you use something like Kon-Boot instead of NT Password Reset,
' it can be useful to leave the account enabled. In that case,
' set the following line to False
objUser.AccountDisabled = True
objUser.SetInfo
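The same procedure in PowerShell, as an added example that is not the post’s script: it draws the password from a CSPRNG instead of Rnd, locates the built-in account by its well-known RID 500 so a renamed Administrator is still handled, and includes an audit function for checking the result from a test OU. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated session such as a GPO startup script.

```powershell
# Added example, not the original post's code. Assumes Get-LocalUser /
# Set-LocalUser / Disable-LocalUser (Microsoft.PowerShell.LocalAccounts).

function New-RandomPassword {
    param([int]$Length = 32)
    # Printable ASCII (33..126) so the value is never rejected as a password.
    $alphabet = [char[]](33..126)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Largest multiple of the alphabet size that fits in a byte; values at or
    # above it are rejected so "byte mod 94" stays uniform (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    return $sb.ToString()
}

function Get-BuiltinAdmin {
    # The built-in Administrator always has RID 500, whatever it is named.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }
    return $admin
}

function Set-BuiltinAdminRandomPassword {
    $admin  = Get-BuiltinAdmin
    $secure = ConvertTo-SecureString (New-RandomPassword -Length 32) -AsPlainText -Force
    $admin | Set-LocalUser -Password $secure
    # Leave this out if your recovery tooling needs the account enabled.
    $admin | Disable-LocalUser
}

function Test-BuiltinAdminState {
    # Audit view: disabled, and password rotated within the last 30 days.
    $admin = Get-BuiltinAdmin
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        Compliant       = (-not $admin.Enabled) -and
                          ($admin.PasswordLastSet -gt (Get-Date).AddDays(-30))
    }
}

Set-BuiltinAdminRandomPassword
Test-BuiltinAdminState
```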