
Local Admin Policy Discussion

Hello all,

We are looking to put in place a better "local" admin policy. Here is what we had in mind. Can anybody give feedback or better suggestions, or, even better, recommend software that will do this for us?

1. Create a PowerShell script that generates a random password of 14 or more characters.

All the normal requirements: upper- and lower-case letters, numbers, special characters, etc.

2. Change the password every 30 days, or more often if we think it is "out there".

3. Set up a system so that if the local admin account is needed, the person needing it has to request it from our Information Assurance Manager (IAM) or team.

4. Lock the password in a safe that only upper management with clearance has access to.

5. Change the password once it has been used for whatever it was needed for.

6. Audit the systems for changes to the local admin account.

In other words, if someone other than the automated solution changes the password, we want to know who did it.
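As an added example (not code from the original post), the following PowerShell script covers the mechanical parts of steps 1, 2, 5 and 6 on a single machine: it generates a random password from a cryptographic RNG with at least one character from each class, resets the built-in administrator (located by its well-known RID 500, so a renamed account is still found), and lists Security-log password changes on local accounts that were not made by the rotation account. The service account name `svc-pwrotate` and the 20-character default length are assumptions for illustration; the event IDs (4723, 4724, 4738) and the `auditpol` subcategory are standard Windows values.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumed names are marked.

function Get-RandomIndex {
    # Returns a cryptographically random integer in [0, $Max). Rejection
    # sampling keeps every index equally likely (no modulo bias).
    param([Parameter(Mandatory)][int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    # Largest multiple of $Max that fits in a uint32; anything above is redrawn.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    $rng.Dispose()
    return [int]($n % $Max)
}

function New-RandomPassword {
    # Step 1: at least 14 characters with upper, lower, digit and special
    # characters. Ambiguous glyphs (0/O, 1/l/I) are left out because the
    # value will be written down and filed in a safe (step 4).
    param([int]$Length = 20)
    if ($Length -lt 14) { throw 'Policy minimum is 14 characters.' }
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnpqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*-_=+?'
    )
    $all = @(); foreach ($set in $classes) { $all += $set }
    # One character from each class first, so complexity is guaranteed...
    $chars = @(); foreach ($set in $classes) { $chars += $set[(Get-RandomIndex $set.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # ...then a Fisher-Yates shuffle so those four are not always in positions 0-3.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Set-LocalAdminPassword {
    # Steps 2 and 5: rotate the built-in administrator. The account is found by
    # its well-known RID (-500) rather than by name, so renaming does not break it.
    param([Parameter(Mandatory)][string]$Password)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'RID-500 administrator account not found.' }
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure
    return $admin.Name
}

function Get-ManualAdminPasswordChanges {
    # Step 6: password changes on local accounts recorded in the Security log
    # that were NOT made by the rotation account. Needs the "User Account
    # Management" audit subcategory enabled, e.g.:
    #   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    # $RotationAccount is an assumed name for the account that runs this script.
    param([int]$Days = 30, [string]$RotationAccount = 'svc-pwrotate')
    # 4723 = user changed own password, 4724 = password reset by another
    # principal, 4738 = account attributes changed.
    $filter = @{ LogName = 'Security'; Id = 4723, 4724, 4738; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by field name instead of by Properties[] index, since
        # the index layout differs between the three event IDs.
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    } | Where-Object { $_.ChangedBy -notlike "*\$RotationAccount" }
}

# Rotate, hand the value to the person filing it in the safe, then show any
# changes that did not come from the rotation account.
$new = New-RandomPassword -Length 20
$account = Set-LocalAdminPassword -Password $new
Write-Host "Rotated '$account'. New password (file in the safe, do not save to disk): $new"
Get-ManualAdminPasswordChanges -Days 30 | Format-Table -AutoSize
```

Two practical notes. The password only exists as a plain string in this process; the script deliberately never writes it to disk or to the event log, so the "safe" in step 4 is the only copy. And the audit query will report nothing at all until the User Account Management subcategory is turned on, so check `auditpol /get /subcategory:"User Account Management"` on a test machine before trusting an empty result. For the "recommend software" part of the question, Microsoft's Local Administrator Password Solution (LAPS) automates the generate-and-rotate cycle above and stores each machine's password in a protected Active Directory attribute instead of a paper safe.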

OK, so some background. Each admin in our network has a regular user account and an elevated account for admin work. So the theory is that there is no reason for them to have the local admin account, because it allows people to do whatever they want without an audit trail.

So we are basically looking for a way to force admins to use their elevated accounts and not the local admin account.

Please feel free to take this topic and run with it. We are looking for any feedback you can provide.


I write about topics that help me organize my daily/weekly IT work. I have the following Certifications: MCITP: Server Administrator, MS MCTS for SCCM 2007, MS MCP for SMS 2003, MS MCP for Server 2003, CompTIA A+, CompTIA Security +, AA in Electronics Engineering. Thanks for Visiting!

1 Comment

  1. We too are wrestling with this 'problem'. We have many divisions that use their own password for the local admin account, and our servers have the admin account renamed and disabled; they then use GPO to create a new local admin account. This is something that we are considering for your workstations as well (once we can eliminate MDT, that is). The password will then be kept in a password safe, forced on by GPO and changed as needed.
