I had done a project to implement a local admin account password management system a few years ago, and just today stumbled across “Local Administrator Password Solution” aka LAPS – a free, officially supported Microsoft solution for managing local admin passwords within Active Directory. You can download it from Microsoft here. And here is a comprehensive writeup on some of the gotchas and tips for implementing LAPS.
Most IT departments have a common local admin account with a common password. This makes the one-off administrative change on a machine convenient, but it is a HUGE security threat. Not only is it hard to change that password on every client PC when someone who knows it leaves the company, but attackers will target this kind of account for brute-force attacks (remember it’s a local account, so your AD account lockouts don’t apply). Once an attacker has that password, they have the administrator password to every client PC this account exists on (probably all of them?). ::shudder::
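The brute-force angle above is something you can watch for while LAPS is still on the to-do list. The script below is an added example (not from this post, and not part of LAPS): it walks a set of Windows failed-logon events (Event ID 4625), keeps only the ones aimed at local SAM accounts (where the target domain is the machine name rather than the AD domain), and raises an alert when one source hits the same local account on a host repeatedly inside a short window. It then groups alerts by source, which surfaces the "one attacker, same local admin account, many PCs" pattern the shared-password setup invites. The `CORP` domain name, thresholds and all sample events are constructed assumptions.

```python
"""Detect brute-force attempts against local (non-domain) Windows accounts.

Added example, not code from the original post. Sample events are constructed;
field names follow the data in a Windows Security Event ID 4625 (failed logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

AD_DOMAIN = "CORP"              # assumption: the org's NetBIOS domain name
THRESHOLD = 5                   # failures per account/host/source in one window
WINDOW = timedelta(minutes=5)   # sliding window for the threshold


def burst(start, n, user, host, src, step_seconds=1):
    """Build n constructed 4625 events for a local account on one host.

    Event tuple: (timestamp, event_id, target_user, target_domain,
                  workstation, source_ip, logon_type).
    For a local account TargetDomainName is the machine name, hence host twice.
    """
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             4625, user, host, host, src, 3) for i in range(n)]


# Constructed sample log: two fast bursts from one source against two PCs,
# a slow trickle against a third PC, two domain-account failures, one success.
SAMPLE_EVENTS = (
    burst("2024-03-01T09:00:01", 6, "Administrator", "PC-001", "10.0.0.55")
    + burst("2024-03-01T09:01:00", 5, "Administrator", "PC-002", "10.0.0.55")
    + burst("2024-03-01T09:10:00", 3, "Administrator", "PC-003", "10.0.0.77",
            step_seconds=600)
    + [("2024-03-01T09:30:00", 4625, "jdoe", "CORP", "PC-002", "10.0.0.23", 2),
       ("2024-03-01T09:30:05", 4625, "jdoe", "CORP", "PC-002", "10.0.0.23", 2),
       ("2024-03-01T09:00:07", 4624, "Administrator", "PC-001", "PC-001",
        "10.0.0.55", 3)]
)


def is_local_account(target_domain, workstation, ad_domain=AD_DOMAIN):
    """True when the failed logon targeted a local SAM account.

    A 4625 for a local account carries the machine name (or nothing) in
    TargetDomainName; a domain account carries the AD domain instead.
    """
    d = (target_domain or "").upper()
    return d in ("", workstation.upper()) and d != ad_domain.upper()


def find_local_bruteforce(events, threshold=THRESHOLD, window=WINDOW,
                          ad_domain=AD_DOMAIN):
    """Return one alert per (account, host, source) that reaches `threshold`
    failures inside any `window`-long span. Non-4625 and domain-account
    events are ignored."""
    per_key = defaultdict(list)
    for ts, event_id, user, domain, host, src, _logon_type in events:
        if event_id != 4625 or not is_local_account(domain, host, ad_domain):
            continue
        per_key[(user.lower(), host.upper(), src)].append(
            datetime.fromisoformat(ts))

    alerts = []
    for (user, host, src), times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until it spans <= `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"account": user, "host": host, "source": src,
                               "count": len(times),
                               "first": times[0].isoformat(),
                               "last": times[-1].isoformat()})
                break   # one alert per key is enough
    return alerts


def hosts_targeted_by_source(alerts):
    """Group alerted hosts by source IP: one source hammering the same local
    admin account across many PCs is the shared-password scenario in action."""
    out = defaultdict(set)
    for a in alerts:
        out[a["source"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in out.items()}


if __name__ == "__main__":
    found = find_local_bruteforce(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['count']} failures on {a['host']}\\{a['account']} "
              f"from {a['source']} ({a['first']} .. {a['last']})")
    print("hosts per source:", hosts_targeted_by_source(found))
```

In a real deployment the event tuples would come from `Get-WinEvent` or your SIEM rather than the constructed list, and the threshold should be tuned to your environment; the point of the example is the filter (local account, not domain account) and the cross-host grouping, since a spray across many PCs against one local admin account is exactly what a shared password makes worthwhile.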
I hope to be doing this soon myself, and will make my own post once I do.