We are looking to put in place a better "local" admin policy. Here is what we had in mind. Can anybody give feedback or better suggestions, or even better, recommend a software that will do this for us?
1. Create a PowerShell script to create a random password with 14 characters or greater
All the normal requirements: upper and lower letters, numbers, special characters, etc.
2. Change the password every 30 days, or more often if we think it is "out there"
3. Set up a system so that if the local admin account was needed, the person needing it would have to request it from our Information Assurance Manager (IAM) or team
4. Lock password in a safe that only upper management with clearance have access to.
5. Change the password once it is used for whatever it is needed for.
6. Audit the systems for changes to the local admin account.
In other words if someone other than the automated solution changes the password we want to know who did it.
OK, so some background. Each admin in our network has a regular user account and an elevated account for admin stuff. So the theory is that there is no reason for them to have the local admin account, because this allows people to do whatever they want without an audit trail.
So we are basically looking for a way to force admins to use the elevated account and not the local admin account.
Please feel free to take this topic and run with it. We are looking for any feedback you can provide.
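As an added example (not code from the original post), the following PowerShell covers steps 1 and 6 of the plan above: it generates a 14+ character password from a cryptographic RNG with at least one character from each class, and it reads the Security log for local password resets (event IDs 4724 and 4738, which require the "Audit User Account Management" subcategory to be enabled) and flags any reset not performed by the rotation account. The rotation account name `svc-local-rotate` and the `Set-LocalUser` usage line are assumptions for illustration; the script does not change anything unless that line is uncommented.

```powershell
# Added example: local admin password rotation helper and change audit.
# Not part of the original post; account names below are placeholders.

# One cryptographic RNG reused by both functions.
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Unbiased integer in 0..Max-1 (Max <= 256) via rejection sampling on one byte.
    param([int]$Max)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Max)          # discard bytes that would skew the modulo
    do { $script:Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return [int]($buf[0] % $Max)
}

function New-LocalAdminPassword {
    # Step 1: random password, >= 14 chars, at least one of each class.
    param([int]$Length = 14)
    if ($Length -lt 14) { throw "Length must be at least 14" }

    # Ambiguous glyphs (O/0, l/1/I) left out so a password read from a safe is typed correctly.
    $upper   = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower   = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digits  = [char[]]'23456789'
    $special = [char[]]'!@#$%^&*()-_=+[]{}:,.?'
    $all     = $upper + $lower + $digits + $special

    # Guarantee one character from each class, then fill the rest from the full set.
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($set in @($upper, $lower, $digits, $special)) {
        $chars.Add($set[(Get-RandomIndex $set.Length)])
    }
    while ($chars.Count -lt $Length) {
        $chars.Add($all[(Get-RandomIndex $all.Length)])
    }

    # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Get-LocalAdminPasswordChanges {
    # Step 6: list password resets on the local admin account in the last N days
    # and mark any that were not done by the automated rotation account.
    param(
        [string]$TargetUser      = 'Administrator',
        [string]$RotationAccount = 'svc-local-rotate',   # placeholder name
        [int]$Days               = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4724, 4738; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        # Only local accounts: the target domain of a local account is the machine name.
        if ($data['TargetUserName'] -eq $TargetUser -and $data['TargetDomainName'] -eq $env:COMPUTERNAME) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Target    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Manual    = ($data['SubjectUserName'] -ne $RotationAccount)
            }
        }
    }
}

# Usage (rotation): generate, store in the vault/safe, then apply.
$newPassword = New-LocalAdminPassword -Length 16
# Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# Usage (audit): anything with Manual = True was a change outside the automated process.
Get-LocalAdminPasswordChanges -Days 30 | Where-Object Manual | Format-Table -AutoSize
```

The audit half only works if the Security log actually records account-management events, so the policy `Audit User Account Management` (success) has to be enabled by GPO on every machine first; otherwise `Get-WinEvent` returns nothing and the audit looks clean when it is not.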