GPO: Local Admin Password Reset


Description:

Follow these steps to update a local administrator account via GPO. Note on GPOs: if you want to make a computer change, you need to apply the policy to computer OUs; if you want to make a user change, you need to make a policy for user OUs.

NOTE: This does NOT follow best practices. You should implement LAPS instead.

To Resolve:

  1. Log in to the Domain Controller and open the Active Directory Users and Computers console to find the group of computers you want to change.

  2. Open up the Group Policy Management console and find the corresponding group. Then right click => “Create GPO in this domain and link it here”.

  3. Name it something unique like “ResetLocalAdminPassword(departmentName)”.

  4. Go to Computer Configuration\Preferences\Local Users and Groups, right click in the empty space and select “New Local User”. This brings up the Properties box. Make sure to select “Update” for the action and then select your administrator account as the user name. Set the new password and tick the appropriate boxes at the bottom. After that is done, the policy will be applied to the computers in the OU on the next refresh (usually 30 min to 4 hours depending on size of domain).

  5. NOTE: This is version 1 of the GPO and will need to be replaced with a more secure version. The password for the admin account is not encrypted this way (but is scrambled) and can be de-scrambled using free tools off the Internet.
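
A defender's check for the exposure described in step 5, as an added example that is not part of the original post: it lists every Group Policy Preferences XML file under a policies folder that still carries a stored password, so those GPOs can be removed once LAPS is in place. The function name `Find-GppStoredPassword` and the demo folder are hypothetical; the `cpassword` attribute and the `Groups.xml` layout are what Group Policy Preferences writes to SYSVOL, and the sample file is constructed.

```powershell
function Find-GppStoredPassword {
    param(
        # Folder to scan; in a domain this is \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)] [string] $PoliciesPath
    )
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Skip files that cannot be read or are not well-formed XML
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { return }
            # Any element with a non-empty cpassword attribute holds a recoverable password
            foreach ($node in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
                $item = $node.ParentNode   # e.g. <User>, which carries name and changed
                [pscustomobject]@{
                    GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                    File     = $file.FullName
                    Item     = $item.GetAttribute('name')
                    UserName = $node.GetAttribute('userName')
                    Action   = $node.GetAttribute('action')
                    Changed  = $item.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline.
# The GUID and the cpassword value are placeholders, not real data.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="Administrator" changed="2020-01-01 00:00:00">
    <Properties action="U" userName="Administrator" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

Find-GppStoredPassword -PoliciesPath $root | Format-List
```

Each row returned identifies a GPO (by GUID) whose preference item should be deleted and whose account password should be changed by another method.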
