
I need to create a secure scheduled powershell task script that will: Change local Admin password

Hello, I need to create a Scheduled task Powershell script that will:

#1 Once a month change the Local Admin account password on all domain PCs.
#2 Utilize a random password generator.
#3 Pipe the new updated password out to an encrypted AES 256 7-Zip secure file location.
#4 Send out a message alerting me of its status and completion.

Thank you so much for your help and time!
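The four steps in the question, as one scheduled-task script. This is an added example, not code from the thread or from any of the products mentioned in it. It assumes the task runs as SYSTEM on each PC, that the local admin account is named `Administrator` (placeholder), that the recipient's public certificate is at `$CertPath` and the vault share is `$OutDir` (both assumed paths), and that `$SmtpServer` is a relay that accepts mail from the machine. One deliberate swap: instead of an AES-256 7-Zip archive it uses `Protect-CmsMessage`, which encrypts to a public key, so no archive password has to be stored on the box or passed on a command line where it would show up in process listings.

```powershell
param(
    [string]$AccountName = 'Administrator',                         # local admin to rotate (placeholder)
    [string]$CertPath    = 'C:\ProgramData\PwRotate\recipient.cer', # assumed: public cert of whoever may read passwords
    [string]$OutDir      = '\\fileserver\pwvault$',                 # assumed share; ACL: computer accounts write, admins read
    [string]$SmtpServer  = 'smtp.example.internal',                 # assumed relay
    [string]$MailFrom    = 'pwrotate@example.internal',
    [string]$MailTo      = 'admin@example.internal'
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Get-Random is not a CSPRNG; use the .NET cryptographic generator instead.
    # Alphabet omits look-alikes (l, I, O, 0, 1) and has 64 symbols.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+=?@'
    $limit    = [long][uint32]::MaxValue - ([long][uint32]::MaxValue % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 4
    $sb       = New-Object System.Text.StringBuilder
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            do {                                   # rejection sampling: no modulo bias
                $rng.GetBytes($buf)
                $n = [long][BitConverter]::ToUInt32($buf, 0)
            } while ($n -ge $limit)
            [void]$sb.Append($alphabet[[int]($n % $alphabet.Length)])
        }
    } finally { $rng.Dispose() }
    return $sb.ToString()
}

$ErrorActionPreference = 'Stop'
$outFile = Join-Path $OutDir "$env:COMPUTERNAME.cms"
$pending = "$outFile.pending"

try {
    $plain = New-RandomPassword

    # The record is written to the vault BEFORE the password changes: if the
    # vault write fails, the machine is still reachable with the old password.
    $record = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Account   = $AccountName
        Password  = $plain
        ChangedAt = (Get-Date).ToString('o')
    } | ConvertTo-Json

    # CMS envelope to the recipient's public key: only the private-key holder
    # can decrypt, and nothing secret has to live on this machine.
    Protect-CmsMessage -Content $record -To $CertPath |
        Set-Content -Path $pending -Encoding ASCII

    # Change the local account password (Microsoft.PowerShell.LocalAccounts, PS 5.1+).
    Set-LocalUser -Name $AccountName -Password (ConvertTo-SecureString $plain -AsPlainText -Force)

    # Only after the change succeeded does the record replace the previous one.
    Move-Item -Path $pending -Destination $outFile -Force
    $status = "OK: password for $env:COMPUTERNAME\$AccountName rotated; record at $outFile"
} catch {
    Remove-Item $pending -ErrorAction SilentlyContinue   # stale record must not survive a failed change
    $status = "FAILED on $env:COMPUTERNAME\$AccountName : $($_.Exception.Message)"
} finally {
    $plain = $null; $record = $null                        # the password never goes into the mail
}

# Step 4: status mail names the machine and the outcome, not the password.
Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
    -Subject "Local admin rotation: $env:COMPUTERNAME" -Body $status
Write-Output $status
```

Whoever holds the matching private key reads a record with `Unprotect-CmsMessage -Path \\fileserver\pwvault$\PCNAME.cms`; the share ACL should let computer accounts write their own file and nobody but the password readers list or read it. The script is what LAPS does for you with a lot less to get wrong, which is why the replies below point there.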

CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
As much as I love PowerShell: don't reinvent the wheel. Have a look at LAPS:
Local Administrator Password Solution (LAPS)
https://www.microsoft.com/en-us/download/details.aspx?id=46899
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I would not recommend doing it that way. What is a local admin good for? He cannot access domain resources.
Take one domain account per machine and make it admin, then activate it on demand and set the password on demand. In my eyes, that concept is the most secure. You will never need to deal with lists or agents or even passwords - just a script: See my article: A concept for safe user support
CERTIFIED EXPERT
Top Expert 2014

Commented:
I would second the use of LAPS.  There are other products that are designed with LAPS in mind.  If you absolutely don't want to use that, then I would recommend the solution here - https://cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
There is more set up involved, but there's also some more flexibility.

In that link you will see some arguments made against LAPS, but in really looking at them, I don't find they have much merit.  For example storing the passwords in plain-text in AD - if your AD is compromised you have bigger worries.  The following link covers some of that.
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-laps-implementation-hints-and-security-nerd-commentary-including-mini-threat-model/
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
@footech - did you look at my article? Compared to LAPS, it's easier to use for end user support and has the benefits of a domain account as opposed to a local account.

Author

Commented:
Thanks everyone for jumping on this. I will read up on your article today McKnife. LAPS is also interesting. I will respond back very soon, as both ends of the candle are keeping me busy.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Jason, why would you prefer LAPS?
CERTIFIED EXPERT
Top Expert 2014

Commented:
@McKnife - I read your article, and I think it would work for the majority of use cases (I'm sure it works for your purposes!).  But there are use cases for having a local admin account that I wouldn't ignore, like offline access.  I don't really like the idea of creating a domain user account for every machine either.  LAPS does take more to set up than your solution, but after it's done I'd say the ease-of-use is equivalent.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Offline access is never a problem.
Name other use cases that you can think of, please, and I will write another article comparing the LAPS approach to mine.

Author

Commented:
I have gone over the installation of LAPS. 100% certain that I have set it up correctly. I have read just about every article on WHY LAPS refuses to reset the local admin password. I can set the expiration date on the domain computer, but that's it. I am watching the event viewer and it does not produce anything to help me out with this rabbit hole. Any help would be awesome. -Thanks
Annotation-2019-07-31-090012.jpg
CERTIFIED EXPERT
Top Expert 2014

Commented:
@McKnife - I'm not sure why you would say offline access is never a problem.  It certainly can be one.  My intention is not to poke holes in your solution however.  I think it has both strengths and weaknesses compared to LAPS.  

Some scenarios you may want to cover:
 - providing admin permissions to a user temporarily
 - RDP isn't working for whatever reason

For users of PDQ Inventory and PDQ Deploy, there is integration with LAPS.
Using your solution requires a little knowledge of scripting, especially to modify it for different use cases - certainly far from insurmountable, but some people will shy away from that.
CERTIFIED EXPERT
Top Expert 2014

Commented:
@jasonleethompson - Since LAPS depends on Group Policy, this is where I would focus first.  Make sure the GPO configuring the related settings is being applied to the target computer, and that GP refresh is occurring without error.  There's some debug logging that can be turned on but I've never used it.  You'll be better served by opening a new question for the problem, as this one started out asking a different question and is already solved.
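The checks the last comment suggests (is the LAPS GPO reaching the PC, is GP refresh working, and the debug logging it mentions), as an added troubleshooting script that is not from the thread or from the LAPS package. Run it elevated on the affected PC. It assumes the legacy LAPS client (AdmPwd CSE) and, for the AD part, the RSAT `ActiveDirectory` module plus the `AdmPwd.PS` module shipped with the LAPS installer; `$OU` is a placeholder. Registry paths are those from the LAPS ADMX and operations guide; verify them against your installed version.

```powershell
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OU = 'OU=Workstations,DC=example,DC=internal',   # placeholder: OU holding the managed PCs
    [switch]$EnableDebugLog                                   # turns on the CSE's verbose logging
)

# 1. The password reset is done by the AdmPwd client-side extension (CSE) during
#    Group Policy processing. Setting the expiration date in AD does nothing by
#    itself; the CSE has to run and notice the date has passed.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cse = Get-ChildItem $gpExt | Where-Object {
    (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd.dll'
}
if (-not $cse) {
    Write-Warning 'AdmPwd CSE not registered: the LAPS client (AdmPwd.dll) is not installed on this PC.'
} else {
    "CSE registered under $($cse.PSChildName)"
    if ($EnableDebugLog) {
        # ExtensionDebugLevel is the debug switch from the LAPS operations guide (2 = verbose).
        Set-ItemProperty -Path $cse.PSPath -Name ExtensionDebugLevel -Value 2 -Type DWord
        'Verbose CSE logging enabled; events appear in the Application log after the next refresh.'
    }
}

# 2. Is the policy actually applied here? The AdmPwd ADMX writes its settings under
#    this key; if it is missing, the GPO is not linked/scoped/filtered to this PC.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$pol = Get-ItemProperty $polKey -ErrorAction SilentlyContinue
if (-not $pol) {
    Write-Warning "No values under $polKey : the LAPS GPO is not applied to this computer."
} else {
    $pol | Select-Object AdmPwdEnabled, PasswordLength, PasswordAgeDays, AdminAccountName
}

# 3. Force a refresh and read what the CSE logged (source 'AdmPwd', Application log).
gpupdate /target:computer /force | Out-Null
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No AdmPwd events: the CSE did not run (policy absent, or GP processing failing; see gpresult /h).'
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}

# 4. AD side: the computer itself must be allowed to write ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime on its own object. A common cause of "expiration
#    date set, password never changes" is a missing Set-AdmPwdComputerSelfPermission on the OU.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADComputer $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd' |
        Select-Object Name,
            @{ n = 'ExpirationTime'; e = {
                if ($_.'ms-Mcs-AdmPwdExpirationTime') {
                    [DateTime]::FromFileTimeUtc([long]$_.'ms-Mcs-AdmPwdExpirationTime') } } },
            @{ n = 'PasswordStored'; e = { [bool]$_.'ms-Mcs-AdmPwd' } }

    Import-Module AdmPwd.PS -ErrorAction Stop
    "Principals with read rights on $OU (should NOT include ordinary users):"
    Find-AdmPwdExtendedRights -Identity $OU | Select-Object -ExpandProperty ExtendedRightHolders
    # Remediation if the computer lacks write rights, run once per OU by a domain admin:
    #   Set-AdmPwdComputerSelfPermission -Identity $OU
    # and to trigger a change on the next refresh:
    #   Reset-AdmPwdPassword -ComputerName $ComputerName
} catch {
    Write-Warning "AD checks skipped: $($_.Exception.Message)"
}
```

Read the output top to bottom: no CSE means the client MSI is not on the PC, no policy key means the GPO is not reaching it, no events means GP processing never invoked the CSE, and an expiration date with `PasswordStored` still false after a refresh usually points at the missing self-permission on the OU. The `Find-AdmPwdExtendedRights` line is there because a badly scoped read permission is the part of a LAPS setup that actually exposes passwords.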