Pspasswd local admin password change

Has anyone successfully scripted a custom fixlet to call PSPASSWD and use that as a way to change Local Admin passwords? Would love to be able to do this so instead of running the script locally multiple days, we can just keep it as an open action in BigFix to make sure all of the laptops in the specified group get their local admin PW changed.

Better yet, if someone has a solution within BigFix that allows the change of Local Admin PW without sending it via cleartext and without using the Local User Management (because it doesn’t work), that would be awesome.

Take a look at this fixlet; there is also a solution for this in the BigFix Labs.

Have you explored using Microsoft LAPS? It’s pretty slick.

Unfortunately the BigFix Labs solution is full of bugs and bad action scripts. I’ll take a look at that fixlet, thanks.

That is where we will go for a permanent solution down the road… just seems like it takes a decent amount of ground work and we need to have something by early next week…

There are additional options, but they do require some setup and are not native solutions.

See this thread

We have used a custom OpenSSL-based encryption solution for years via BigFix that successfully handles encrypted sensitive data such as passwords, keys, and more.

I think you could knock it out pretty quickly. There are not many components. If I recall… you move a couple of ADML/ADMX files to your central store, update your AD schema, design the GPO for how you want it configured, push out a small GPO extension to endpoints, install the management software, test it out and deploy.

Hopefully you shouldn’t have to, but it wouldn’t hurt to do a little recon to ensure no scheduled jobs are running as local admin anywhere.

There’s a handful of useful PowerShell commands that go along with it - let me know if you’d like em, I’ll dig em out of my notes.

Yeah, after further digging, it looks as though LAPS is pretty straightforward to implement… Our concern now is making sure the delegation of who can view the PWs stored in AD in clear text is sorted out properly.
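
An added example, not part of the original thread: one way to review the delegation concern raised in the last post is to compare the principals that `Find-AdmPwdExtendedRights` (from the legacy LAPS `AdmPwd.PS` module) reports for an OU against an approved list. The OU, domain and group names below are constructed placeholders, and `Get-UnexpectedLapsReader` is a hypothetical helper name.

```powershell
# Added example: flag principals that can read LAPS passwords but are not approved.
# Input objects mirror the ObjectDN / ExtendedRightHolders output of
# Find-AdmPwdExtendedRights. Holders of "All extended rights" on an OU can read
# the confidential ms-Mcs-AdmPwd attribute of the computers in it.

function Get-UnexpectedLapsReader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Right,

        # Principals that are allowed to read stored passwords (assumption: your own list)
        [Parameter(Mandatory)]
        [string[]]$Approved
    )
    process {
        foreach ($holder in @($Right.ExtendedRightHolders)) {
            # -notin is case-insensitive, which matches how AD principal names compare
            if ($holder -notin $Approved) {
                [pscustomobject]@{
                    ObjectDN  = $Right.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

# Approved readers (constructed names)
$approved = 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\LAPS-Readers'

# Constructed sample shaped like Find-AdmPwdExtendedRights output, so this runs offline
$sample = @(
    [pscustomobject]@{
        ObjectDN             = 'OU=Laptops,DC=contoso,DC=example'
        ExtendedRightHolders = 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\Helpdesk-All'
    }
    [pscustomobject]@{
        ObjectDN             = 'OU=Kiosks,OU=Laptops,DC=contoso,DC=example'
        ExtendedRightHolders = 'NT AUTHORITY\SYSTEM', 'contoso\laps-readers'
    }
)
$sample | Get-UnexpectedLapsReader -Approved $approved | Format-Table -AutoSize

# Against a live domain (requires the AdmPwd.PS module and read access to AD):
#   Import-Module AdmPwd.PS
#   Find-AdmPwdExtendedRights -Identity 'OU=Laptops,DC=contoso,DC=example' |
#       Get-UnexpectedLapsReader -Approved $approved
```

Any row returned is a principal to remove from the OU's ACL or to add to the approved list deliberately; read access for the intended group is granted separately with `Set-AdmPwdReadPasswordPermission`.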