A look inside the Microsoft Local Administrator Password Solution

Windows administrators have a problem -- passwords. Specifically, administrator passwords that lurk out there, identical across machines, just ready to be compromised. But there is finally a solution at the right price that mitigates this problem almost completely. Interested? Let's dive in.

The issue at hand is simple: Every Windows NT-based box, as far back as Windows 2000 and up to Windows 10, including all of the server releases, has a local administrator account. This account, sometimes called the "500" account after the group ID number it has within the bowels of the Windows operating system, has full control over the machine on which it is located. It does not by default have any domain privileges. (Domain administrator accounts, of course, also have by default full control over local machines that are members of the domain -- but this can generally be scoped to a more limited set of permissions if necessary.)

Once you join a machine to a domain, the local administrator account does not go away. It stays there, enabled in most cases, unless you explicitly disable it, rename it, or use some other such method of obfuscation.

Since it is a local account, however, you do not get the benefit of being able to synchronize passwords and centralize them among domain controllers. Each local administrator account password just sort of sits there. This creates an uncomfortable situation where, for lack of other resources, most automated installations and deployments (hello Windows Deployment Services) simply put in a secure but identical password for each and every single system they touch.

It is not ideal, but you might be thinking at least the password is secure. Or maybe you actually try to keep track of multiple different local administrator passwords in a spreadsheet.

Managing these local administrator accounts has been a problem for as far back as I can remember, even back when I was part of the administrator team at a major research university in North Carolina. It has been over a decade, so I do not remember exactly how we managed the different passwords, but as I recall it was done with a massive spreadsheet and a regular password change interval for all of the local administrator accounts across the hundreds of machines in the department.
