What is the industry standard method for administering the change of the local administrator password for all machines on a domain?

Although there appear to be three available options, one of which is actually secure, there seem to be only two available choices that will be able to impact machines that are not powered on at the time of change or are mobile and were not on the network at the time of change. Neither of the two appears to be a secure option. The three options that I'm aware of are:

  1. Startup scripts with .vbs
  2. GPO using Group Policy Preferences
  3. PowerShell script as a scheduled task.

I dismiss the PowerShell option because I don't know how to effectively target/iterate over all the machines on the network (and skip machines already changed), or what impact that would have in unnecessary network overhead, even though it is probably the best available solution, since the password itself can be stored in a CipherSafe.NET (3rd-party solution) container and the password passed to the script for the targeted machine. I haven't checked to see if PowerShell can get a password from the Credential Manager of a local Windows machine to use in the script, or if it is possible to store a password there for use with the script either.

The .vbs script option is insecure because the password is stored in clear text in the SYSVOL share, which is available to any domain machine on the network. Anyone who is looking for a back door, with a bit of Googling, will find that door if persistent enough.

The GPO option is also insecure as noted by this MSDN note: http://code.msdn.microsoft.com/Solution-for-management-of-ae44e789

I'm searching for a non-3rd party solution which I think should be available or able to be developed in house with the right knowledge or guidance.
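The PowerShell option was dismissed above mainly over targeting, skipping machines already changed, and where to keep the secret. The script below is an added example (not from the question or any of the answers) of an in-house scheduled task that addresses those three points: it enumerates computer objects from AD, skips any host whose rotation is recorded as recent so no connection is attempted, sets a per-machine random password through the WinNT ADSI provider, and stores that password only as a DPAPI-protected blob so nothing in clear text ever lands on disk or in SYSVOL. Hosts that are powered off or off-network simply fail and are not recorded, so the next scheduled run retries them. The directory `C:\AdminRotate`, the two CSV files and the `MaxAgeDays` interval are assumptions for illustration.

```powershell
#Requires -Modules ActiveDirectory
param(
    [string]$StateDir   = 'C:\AdminRotate',   # hypothetical; restrict NTFS ACLs to the rotation account
    [string]$LocalUser  = 'Administrator',
    [int]   $MaxAgeDays = 30                  # rotation interval
)
Import-Module ActiveDirectory

$doneFile  = Join-Path $StateDir 'rotated.csv'  # ComputerName,RotatedUtc  (no secrets)
$vaultFile = Join-Path $StateDir 'vault.csv'    # ComputerName,Protected   (DPAPI blob, never plaintext)
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
if (-not (Test-Path $doneFile))  { 'ComputerName,RotatedUtc' | Set-Content $doneFile }
if (-not (Test-Path $vaultFile)) { 'ComputerName,Protected'  | Set-Content $vaultFile }

function New-RandomPassword([int]$Length = 20) {
    # CSPRNG rather than Get-Random; a 64-symbol alphabet means byte % 64 has no modulo bias
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+=?@-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}

function Set-RemoteLocalPassword([string]$Computer, [string]$User, [string]$Password) {
    # The WinNT provider talks to the remote SAM; this throws if the host is off or unreachable
    $acct = [ADSI]"WinNT://$Computer/$User,user"
    $acct.SetPassword($Password)
    $acct.SetInfo()
}

function Get-StoredPassword([string]$Computer) {
    # Only the account that wrote the vault (DPAPI user scope) can decrypt it
    $row = Import-Csv $vaultFile | Where-Object ComputerName -eq $Computer | Select-Object -Last 1
    if (-not $row) { return $null }
    $secure = ConvertTo-SecureString $row.Protected
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}

# Skip anything rotated within the interval: no connection attempt, no traffic
$cutoff = [datetime]::UtcNow.AddDays(-$MaxAgeDays)
$recent = @{}
foreach ($row in (Import-Csv $doneFile)) {
    $t = [datetime]::Parse($row.RotatedUtc, $null, [System.Globalization.DateTimeStyles]::RoundtripKind)
    if ($t -gt $cutoff) { $recent[$row.ComputerName] = $true }
}

$targets = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
foreach ($c in $targets) {
    if ($recent.ContainsKey($c)) { continue }
    try {
        $pw = New-RandomPassword
        Set-RemoteLocalPassword -Computer $c -User $LocalUser -Password $pw
        # Encrypt with DPAPI (current-user scope) before anything reaches disk; $pw is never written
        $blob = ConvertTo-SecureString $pw -AsPlainText -Force | ConvertFrom-SecureString
        "$c,$blob"                                | Add-Content $vaultFile
        "$c,$([datetime]::UtcNow.ToString('o'))"  | Add-Content $doneFile
        Write-Host "rotated $c"
    } catch {
        # Powered off, off-network or access denied: not recorded, so the next scheduled run retries it
        Write-Warning "skipped $c : $($_.Exception.Message)"
    }
}
```

Two caveats a practitioner would want: the vault is bound by DPAPI to the user account and machine that ran the task, so it must be run from one dedicated, backed-up service account and that account's profile becomes the thing to protect; and the state file is the only thing preventing a rerun from re-pushing passwords, so schedule the task frequently (daily is fine, the skip check costs nothing) rather than once per interval, which is what lets machines that were off or roaming catch up.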


Solution 1:

I'm going to go ahead and take my comment to answertown.

It will have to be 3rd party. As you already pointed out, none of the three options you mention are optimal. Microsoft does not provide a perfect way of doing this. There just isn't one. It will be third party, and it will almost surely involve you installing a software agent on all your clients.

I developed a solution for this exact problem (except it worked across many forests and domains simultaneously), and it did involve VBScript for maximum compatibility with as many different versions of Windows as possible, as well as some C# bits and a 3rd-party software agent that, luckily, the company was already using for monitoring purposes and was therefore already installed on every machine, which I was able to leverage.

Alternatively, you could just disable all local Admin accounts via GPO, which is pretty common. But if something goes wrong with domain sync on that domain member, recovery will be more of a PITA than if you had a recovery "local admin" account.

Edit: Just to clarify: I'm confused when you say that you're "searching for a non 3rd-party solution which ... should be able to be developed in house..." I would consider anything not written by Microsoft as a built-in component of Windows in this context "3rd party." Can you do it with some clever code that uses TLS network communications and stores the secrets in a SQL Server database with transparent data encryption with some complex hash function that generates a unique password for each machine? YES. Is it built into Windows with no effort required on your part? NO. :)
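The "hash function that generates a unique password for each machine" idea in the edit above is worth spelling out, because the difference between a keyed and an unkeyed derivation is the whole security of that design. The snippet below is an added example (not the answerer's code) of a keyed version: an HMAC-SHA256 over the hostname and an epoch counter under a master key, so no per-machine password table is needed and a help-desk operator with the key can regenerate any machine's password offline, while without the key the hostname tells an attacker nothing. The master key file path and the epoch value are assumptions for illustration.

```powershell
function New-MasterKey([string]$Path) {
    # 32 random bytes from the CSPRNG, written once; restrict the file to the rotation account
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    [IO.File]::WriteAllBytes($Path, $k)
}

function Get-DerivedLocalPassword {
    param(
        [Parameter(Mandatory)][byte[]]$MasterKey,
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][int]$Epoch,      # bump to rotate; record per machine which epoch it received
        [int]$Length = 20                        # at most 32 from a single HMAC-SHA256 output
    )
    # Keyed MAC, not a bare hash of the hostname: without $MasterKey the password is not computable
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$MasterKey)
    $mac  = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$($Computer.ToUpperInvariant())|$Epoch"))
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+=?@-'  # 64 symbols, no modulo bias
    -join ($mac[0..($Length - 1)] | ForEach-Object { $chars[$_ % 64] })
}

$keyFile = 'C:\AdminRotate\master.key'   # hypothetical path
if (-not (Test-Path $keyFile)) { New-MasterKey $keyFile }
$key = [IO.File]::ReadAllBytes($keyFile)

# Recovery and provisioning use the same call: identical inputs give the identical password
$pw = Get-DerivedLocalPassword -MasterKey $key -Computer 'PC0042' -Epoch 7
# Push $pw to the machine's local SAM (for example through the [ADSI] WinNT provider)
# and record that PC0042 is on epoch 7; machines that were offline stay on the older epoch
# until the task reaches them, so the per-machine epoch record is the only state you keep.
```

The trade-off versus storing random passwords: nothing per machine has to be stored or backed up, but the master key is a single secret whose compromise yields every machine's password for every epoch, so it needs stronger protection than any one vault entry, and a key rotation implies a fleet-wide password push.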