Rotate Local Admin Passwords (LAPS)

Written By Mikel from Gorelo

This guide will help you set up automatic local admin password rotation in Gorelo. The script will create a local admin account (if it doesn't exist), assign it to the local administrators group, set a secure random password, and store that password in Gorelo for easy retrieval.

Step 1: Create the Required Custom Asset Field

  1. Navigate to Settings → Assets → Custom Fields

  2. Add a custom field with the following details:

    • Name: Local Admin Password

    • Variable: localadminpassword

    • Type: Text

    • Toggle on ‘Show on Asset Detail’ and ‘Blur value’ (so the password is masked in the UI until revealed)

  3. Click Save

Step 2: Create the Script

  1. Navigate to Scripts

  2. Create a new script with the following details:

    • Name: 🔐 Set-LocalAdminPassword

    • Platform: Windows

    • Content: [Copy the PowerShell script provided below]

  3. Click Save

Example
# =========================================================================
# Simple Local Admin Password Management Script for Gorelo RMM
# =========================================================================

# Configuration variables - change as needed
$localAdminAccount   = "localadmin"
$accountFullName     = "Local Administrator"
$accountDescription  = ""
$hideFromLogonScreen = $true   # Set to $false to show the account on logon screen
# Well-known SID of the local Administrators group; works regardless of the OS display language
$adminGroupSid       = [System.Security.Principal.SecurityIdentifier]"S-1-5-32-544"

try {
    # Generate a strong random password from a cryptographically secure RNG
    # (System.Random is not suitable for secrets). Single quotes keep $ and the other symbols literal.
    $CharSet  = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'
    $Password = ""
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $limit    = 256 - (256 % $CharSet.Length)   # Reject bytes at or above this to avoid modulo bias

    # Create a 16-character random password
    while ($Password.Length -lt 16) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $Password += $CharSet[$byte[0] % $CharSet.Length] }
    }
    $securePassword = $Password | ConvertTo-SecureString -AsPlainText -Force

    # Shared parameters for New-LocalUser / Set-LocalUser; only pass -Description when one is configured
    $accountParams = @{ Name = $localAdminAccount; Password = $securePassword; FullName = $accountFullName }
    if ($accountDescription) { $accountParams.Description = $accountDescription }

    # Check if the account exists
    $userExists = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue
    if (-not $userExists) {
        # Create the account if it doesn't exist
        New-LocalUser @accountParams -AccountNeverExpires | Out-Null
        Add-LocalGroupMember -SID $adminGroupSid -Member $localAdminAccount
        Write-Output "Created local admin account: $localAdminAccount"
    } else {
        # Update password if account exists
        Set-LocalUser @accountParams
        Write-Output "Updated password for: $localAdminAccount"

        # Check if user is already in Administrators group, add if not
        $adminGroup = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction SilentlyContinue
        $isAdmin = $adminGroup | Where-Object { $_.Name -like "*\$localAdminAccount" -or $_.Name -eq $localAdminAccount }
        if (-not $isAdmin) {
            Add-LocalGroupMember -SID $adminGroupSid -Member $localAdminAccount
            Write-Output "Added $localAdminAccount to Administrators group"
        }
    }

    # Configure account visibility on logon screen
    $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
    if ($hideFromLogonScreen) {
        # Hide the account from logon screen
        if (-not (Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null }
        Set-ItemProperty -Path $registryPath -Name $localAdminAccount -Value 0 -Type DWORD -Force
        Write-Output "Account hidden from logon screen"
    } else {
        # Show the account on logon screen (by removing the registry entry if it exists)
        if ((Test-Path $registryPath) -and (Get-ItemProperty -Path $registryPath -Name $localAdminAccount -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $registryPath -Name $localAdminAccount -Force
        }
        Write-Output "Account visible on logon screen"
    }

    # Store the password in Gorelo RMM
    GoreloAction -SetCustomField -Name "asset.localadminpassword" -Value $Password
    Write-Output "Password stored in custom field"
} catch {
    # Output error to console for on-demand runs
    Write-Error "Error managing local admin account: $_"
    exit 1
}

Step 3: Deploy the Script via a Policy

  1. Navigate to Policies

  2. Edit an existing policy that covers the assets you want to manage local admin passwords for

  3. Add the '🔐 Set-LocalAdminPassword' script

  4. Set to run daily (recommended) or at your preferred interval

  5. Save and Distribute the policy

Step 4: View and Use the Stored Passwords

  1. Navigate to Assets

  2. Select any asset where the script has run

  3. View the Custom Fields section to see the stored Local Admin Password

  4. Click the reveal icon to display the password when needed
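To confirm on a given asset that the rotation is actually taking effect (account present and enabled, password recently changed, Administrators membership and logon-screen hiding in place), the following audit can be run on demand or as a second policy script. This is an added example, not part of Gorelo's script; the account name and the 2-day threshold are assumptions that must match your configuration.

```powershell
# Audit the state the rotation script is expected to leave behind (constructed example)
$localAdminAccount  = "localadmin"   # assumption: same value as in the rotation script
$maxPasswordAgeDays = 2              # assumption: daily rotation, so anything older is stalled
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
$adminGroupSid = [System.Security.Principal.SecurityIdentifier]"S-1-5-32-544"

$findings = @()
$user = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue
if (-not $user) {
    $findings += "Account '$localAdminAccount' does not exist"
} else {
    if (-not $user.Enabled) { $findings += "Account is disabled" }

    # PasswordLastSet is updated by Set-LocalUser/New-LocalUser; a stale value means the policy is not running
    if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt (Get-Date).AddDays(-$maxPasswordAgeDays)) {
        $findings += "Password last set: $($user.PasswordLastSet); rotation appears stalled"
    }

    # Compare by SID rather than display name so renamed or localized entries still match
    $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction SilentlyContinue
    if (-not ($members | Where-Object { $_.SID -eq $user.SID })) {
        $findings += "Account is not a member of the local Administrators group"
    }

    # The rotation script hides the account by writing a DWORD 0 under SpecialAccounts\UserList
    $hidden = (Get-ItemProperty -Path $registryPath -Name $localAdminAccount -ErrorAction SilentlyContinue).$localAdminAccount
    if ($hidden -ne 0) { $findings += "Account is visible on the logon screen" }
}

if ($findings.Count -gt 0) {
    # Non-zero exit so the RMM run is flagged as failed and the findings are visible in its output
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
Write-Output "OK: $localAdminAccount is present, rotated within $maxPasswordAgeDays day(s), admin and hidden"
```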

Customizing the Script

The script includes several variables at the top that you can modify:

$localAdminAccount   = "localadmin"             # The username for the local admin account
$accountFullName     = "Local Administrator"    # The full name for the account
$accountDescription  = ""                       # The account description (optional)
$hideFromLogonScreen = $true                    # Set to $false to show the account on logon screen

Adjust these variables to suit your organization's needs before deploying the script.