GPO failed to change local admin account password

Domain network: Windows Server 2008 R2
Workstation: Windows 10
GPO purpose: Create one more local admin account and set password. Once it's changed, change it back.
GPO setting: GPO-Local-Admin.JPG
Question: After the user, who is a domain account and part of the local administrators group, changed the admintest account password, if the computer reboots, the admintest account password isn't changed back to the GPO setting.
Welcome any suggestion.
Snowy Canada Network Administrator Asked:

Dariusz Tyka ICT Infrastructure Specialist Senior Commented:
It is no longer possible to set/change passwords for user accounts via GPP. It was disabled after installation of one of the MS patches, as it was a security risk since those passwords could be decrypted. See more here:
https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati
https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/
Snowy Canada Network Administrator Author Commented:
Thanks, Dariusz, for the fast solution.
McKnife Commented:
@Snowy
No, that is not the reason. Your screenshot should show a greyed-out password section. Greyed-out, because MS has patched this option away. Yours doesn't show it. That means, you have never installed any security updates on your domain controller in recent years! Very dangerous.

Please install all updates now. DCs are the most endangered servers.
Please be aware that after installing the patches, all policies of that style remain in place and passwords are easily decodable and should be assumed as being leaked! Delete these policies and migrate the remaining settings to new policies AND change the passwords.
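The comment above notes that policies with a stored password stay in place after patching. As an added example (not part of the thread and not a Microsoft script), this PowerShell sketch lists Group Policy Preferences XML files that still carry a `cpassword` attribute, without printing the value. The function name `Find-GppStoredPassword`, the temporary directory and the sample Groups.xml are constructed for illustration.

```powershell
# Added example: list GPP XML files under a Policies tree that still store a password.
function Find-GppStoredPassword {
    param(
        # On a domain this would be \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)][string]$PolicyRoot
    )
    Get-ChildItem -Path $PolicyRoot -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Skip files that are not well-formed XML
            try { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) } catch { return }
            # GPP keeps the stored password in a cpassword attribute (Groups.xml, Services.xml, ...)
            foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                [pscustomobject]@{
                    GpoGuid = $guid
                    File    = $file.FullName
                    # LocalName, because .Name would resolve to the element's "name" attribute
                    Element = $node.ParentNode.LocalName
                    Account = $node.GetAttribute('userName')
                    Changed = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample: a fake Policies tree with one Groups.xml; the cpassword value is a placeholder.
$root   = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-audit-demo'
$gpoDir = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
@'
<Groups>
  <User name="admintest" changed="2018-01-01 00:00:00">
    <Properties action="U" userName="admintest" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $gpoDir 'Groups.xml')

# Every row is a policy to delete and an account whose password must be changed.
Find-GppStoredPassword -PolicyRoot $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```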
McKnife Commented:
What will you do about your goal to reset the admin passwords?
You should not set them to the same value everywhere, that's for sure. The following link describes a concept for safe user support. In it, you will find scripts to randomize passwords, maybe you would like to use those. If you need help, just say.
https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
Snowy Canada Network Administrator Author Commented:
McKnife, thank you so much for the advice.