Microsoft has released a tool that manages the common local administrator account on all domain-joined computers, in an effort to reduce credential replay attacks.
Microsoft's Local Administrator Password Solution (LAPS) aims to stop the practice of using identical passwords for each computer by setting a random password for the common local administrator account on each computer in the domain. Domain administrators can then determine which users are given access to read the passwords.
Microsoft said that this tool should mitigate instances where compromised local account credentials can be used to elevate privileges and escalate an attack. Additionally, the tool should reduce the risk of a pass-the-hash credential replay attack in larger environments where local administrator credentials are needed for login without domain access.
The LAPS tool is designed to automatically manage local administrator account passwords on domain-joined computers. The password for each machine is randomly generated and stored in Active Directory in a confidential attribute.
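As an added example, not taken from the article, this is how a domain administrator delegates and audits access to the stored passwords with the AdmPwd.PS PowerShell module that ships with LAPS; the OU path, group name and computer name are placeholders, and the schema is assumed to have already been extended with Update-AdmPwdADSchema.

```powershell
# Added example (not from the article): delegating and auditing LAPS password access
# with the AdmPwd.PS module that ships with LAPS. OU, group and computer names below
# are assumed placeholders; replace them with your own values.
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=example,DC=com'   # assumed OU holding the managed computers

# 1. Allow computers in the OU to write their own generated password and expiry time
#    into the confidential attributes (ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Grant read access to one delegated group only; other domain users cannot
#    read the confidential attribute.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'EXAMPLE\Helpdesk-LAPS'

# 3. Audit: list every principal holding "All extended rights" on the OU, because that
#    right also permits reading confidential attributes such as ms-Mcs-AdmPwd.
#    Anything unexpected here should be removed before passwords are populated.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 4. Retrieve one machine's current password and expiry (needs the delegated right).
Get-AdmPwdPassword -ComputerName 'WS01' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# 5. After the password has been used for support work, force rotation so the
#    disclosed value is not reusable; the client replaces it at its next policy refresh.
Reset-AdmPwdPassword -ComputerName 'WS01'
```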