I've been tasked with rotating the local admin passwords for about 2800 Windows laptops every 15 days due to new security protocols set by our CISO. Each laptop has a single local admin account, and I'm looking for effective ways to manage this password rotation process. What options do I have?
5 Answers
LAPS is truly user-friendly when integrated with Intune. I managed to create a dynamic list in Entra and got it running in no time. I highly recommend it for any fleet of this size.
Consider using Windows LAPS (Local Administrator Password Solution). It's designed exactly for tasks like yours and can work both on-premises and through Intune. Setting it up is pretty straightforward and would automate the process for you.
If you're looking for alternatives, I came across a script from the SANS SEC505 course that rotates passwords and encrypts them, saving the details to a file share. It has some nice flexibility, such as scheduling and working on multiple accounts.
LAPS is definitely the way to go. It's a reliable tool that not only handles password rotation but is also integrated well with Active Directory. Plus, it's free since it's a Microsoft solution. No additional licensing needed, which is a huge plus!
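For the Active Directory case, a fleet-wide check that the 15-day rotation is actually happening, as an added example that is not part of any answer above. It assumes Windows LAPS backs passwords up to on-premises AD and that the RSAT ActiveDirectory module is installed; the OU path, output file name and state names are placeholders.

```powershell
# Added example: audit Windows LAPS rotation against a 15-day maximum password age.
# Reads only the expiration attribute from AD, never the password itself.
Import-Module ActiveDirectory

$MaxAgeDays = 15                                  # rotation interval from the question
$SearchBase = 'OU=Laptops,DC=example,DC=com'      # placeholder OU
$Now        = (Get-Date).ToUniversalTime()

function Get-LapsRotationState {
    param(
        [AllowNull()] $ExpirationFileTime,        # raw msLAPS-PasswordExpirationTime value
        [datetime] $Now,
        [int] $MaxAgeDays
    )
    # Attribute never written: LAPS policy has not applied to this machine.
    if (-not $ExpirationFileTime) { return 'NoLapsPassword' }
    # AD stores the expiry as a FILETIME (100 ns ticks since 1601-01-01 UTC).
    $expires = [datetime]::FromFileTimeUtc([int64]$ExpirationFileTime)
    # Expired and not yet rotated: usually a laptop that has been offline.
    if ($expires -lt $Now) { return 'Overdue' }
    # Expiry further out than the interval: applied password age exceeds 15 days.
    if ($expires -gt $Now.AddDays($MaxAgeDays)) { return 'ExpiryBeyondPolicy' }
    return 'Compliant'
}

$report = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'msLAPS-PasswordExpirationTime', LastLogonDate |
    ForEach-Object {
        $raw = $_.'msLAPS-PasswordExpirationTime'
        [pscustomobject]@{
            Computer   = $_.Name
            State      = Get-LapsRotationState -ExpirationFileTime $raw `
                             -Now $Now -MaxAgeDays $MaxAgeDays
            ExpiresUtc = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
            LastLogon  = $_.LastLogonDate         # helps separate offline from broken
        }
    }

# Summary per state, then the exceptions for follow-up.
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne 'Compliant' |
    Sort-Object State, Computer |
    Export-Csv -Path .\laps-rotation-exceptions.csv -NoTypeInformation
```

Devices whose passwords are backed up to Entra ID through Intune have no such AD attribute and will show as `NoLapsPassword` here.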
I do want to mention that while LAPS is a solid solution, some folks find it adds unnecessary complexity. If you want something simpler, consider tools like Admin By Request—it can help control admin access and includes features for password management but at a cost.
