| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding. It is recommended to use Microsoft's Local Administrator Password Solution (LAPS), which provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. LAPS can manage a single local administrator account. The default is the built-in administrator account; however, it can be configured to manage an administrator account of a different name. If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts. The authorizing official (AO) may approve other automated solutions that provide this capability. Open "Windows PowerShell". Get-ADComputer -Filter * -Properties msLAPS-EncryptedPassword | Where-Object { $_."msLAPS-EncryptedPassword" -eq $null } | Select-Object Name The newer "Windows LAPS" function stores the LAPS password in the object attribute "msLAPS-EncryptedPassword" as long as the "encrypted" option was selected when setting up the LAPS GPO settings. This will check that location. If "encrypted" wasn't enabled when setting up LAPS, then adjust the search command to be "msLAPS-Password" instead. Review the returned list for validity. If any active/deployed Windows systems that are not managed by another process to ensure unique passwords for local administrator accounts are listed, this is a finding. If the query fails, the organization must demonstrate that passwords for local administrator accounts are properly managed to ensure unique passwords for each. If not, this is a finding.
Fix Text
Set unique passwords for all local administrator accounts on domain systems. It is highly recommended to use Microsoft's LAPS, which provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts. The AO may approve other automated solutions that provide this capability. See Microsoft Security Advisory 3062591 for additional information and download of LAPS. https://www.microsoft.com/en-us/download/details.aspx?id=46899