Previously we talked about limiting the use of "local administrators" to improve the security of your network. However, we do actually need a local administrator account to exist because, sooner or later, a tech is going to need that account to properly install software or update the machine.
Often, because of the imaging process, hundreds or even thousands of workstations could have the same local administrator password. If one local administrator ID and password is compromised, an attacker can quickly jump to whatever other machines in your network have the same password. This is a serious security threat.
The solution is to merely have a different local administrator password on each workstation with an aggressive password change schedule.
You may be saying to yourself, "that is insane as no one could get their work done and there is no way to manage it."
Fortunately, Microsoft agrees with you and has created a *free* tool called the Microsoft Local Administrator Password Service (LAPS) to allow you to easily implement a unique local administrator password for every Windows device on your network, with an aggressive password change policy. Furthermore, LAPS auto-generates the new passwords with the complexity and change schedule that you desire. Your authorized techs can then merely consult Active Directory Users and Computers to look up the exact password they need, at the exact time they need it, for each computer they are working on.
LAPS is easy to deploy, relatively easy to setup, and easy to manage and access. Implementing LAPS dramatically reduces the attack options on your Windows network.
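To make the setup and day-to-day access described above concrete, here is an added PowerShell example (not from the original post, and not Microsoft's own documentation) using the cmdlets of the legacy LAPS management module, AdmPwd.PS. The OU path `OU=Workstations,DC=corp,DC=example` and the group `CORP\Helpdesk-LAPS` are assumed placeholder names; substitute your own. The script extends the schema once, lets computers in the OU write their own password, grants the helpdesk group read access, audits who can actually read the passwords, and then retrieves and resets the password for one machine.

```powershell
# Added example: prepare Active Directory for legacy LAPS and check who can read the passwords.
# Run as a Domain Admin / Schema Admin on a machine with the LAPS management tools installed.
Import-Module AdmPwd.PS -ErrorAction Stop

# Assumed placeholder values; replace with your own OU and helpdesk group.
$TargetOU      = 'OU=Workstations,DC=corp,DC=example'
$HelpdeskGroup = 'CORP\Helpdesk-LAPS'

# 1. Extend the schema (one-time). Adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to computer objects.
Update-AdmPwdADSchema

# 2. Let each computer in the OU write its own password and expiration time (and nothing else).
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 3. Grant read (and reset) rights only to the group your authorized techs belong to.
Set-AdmPwdReadPasswordPermission  -OrgUnit $TargetOU -AllowedPrincipals $HelpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $HelpdeskGroup

# 4. Audit: list every principal holding the "All extended rights" permission on the OU.
#    Anyone listed here can read every stored local admin password, so this list should be short
#    and should not contain broad groups such as Authenticated Users.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique

# 5. Day-to-day use by a tech: look up the current password for a single computer.
function Get-WorkstationAdminPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-AdmPwdPassword -ComputerName $ComputerName |
        Select-Object ComputerName, Password, ExpirationTimestamp
}

# 6. After the tech is done, force a new password at the next Group Policy refresh
#    (equivalent to the "Set" button in the LAPS UI) so the password they saw does not linger.
function Reset-WorkstationAdminPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
}

# Example usage (WS-0001 is a constructed computer name):
Get-WorkstationAdminPassword   -ComputerName 'WS-0001'
Reset-WorkstationAdminPassword -ComputerName 'WS-0001'
```

The password complexity, length and maximum age are not set by these cmdlets; they come from the LAPS Group Policy template (Computer Configuration > Administrative Templates > LAPS), which the client-side extension reads from `HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd` (values such as `AdmPwdEnabled`, `PasswordComplexity`, `PasswordLength` and `PasswordAgeDays`). Running `Get-ItemProperty` on that key on a workstation is a quick way to confirm the policy actually applied before you rely on it.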
I strongly encourage you to implement LAPS across your network.
If you need help with this, let us know.
Scott Quimby