I’ve worked for a number of organisations and with customers who carry out penetration testing on their computer networks. One of the common issues that is raised around penetration testing of Windows clients is that the local administrator password is usually the same on all clients and this increases the risk of a Pass-the-Hash compromise.
Microsoft have now addressed this issue by releasing the Local Administrator Password Solution (LAPS) which in my opinion is long overdue.
Basically LAPS still uses a common local administrator account name, but generates a random password for each client and stores that password in a confidential attribute against the machine account in Active Directory.
The password can then be read from Active Directory by those users who are authorised to do so.
You can read more about this tool and download it here.