Re: Local Administrator password change for many computers

[George Chiorescu-Petre <George.Chiorescu () PROVISION RO>]

Why aren't you using group policy? I saw you looked into it.

George
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of H Morrow Long 
[morrow.long () YALE EDU]
Sent: Friday, October 05, 2012 8:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Administrator password change for many computers

There are a number of commercial vendor solutions of SAPM (Gartner term – Secure Administrator Password Management) 
packages to track, set, reset and invalidate local administrator and 'service' accounts across servers :

Cyber-Ark
Lieberman
Symark (PowerKeeper)
CA
Etc…

From: Jason Gates <jasongates () SOUTHERN EDU<mailto:jasongates () SOUTHERN EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Friday, October 5, 2012 12:20 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Local Administrator password change for many computers

Has anyone come across a good method for changing local administrator passwords on many computers?
I've looked into:
pspasswd from sysinternals
group policy preferences
SCCM scripts

I'm not impressed with how GPP obfuscates the password, scripts are insecure(?) and pspasswd is not very ellegant since 
it requires the computer to be alive at the time its run.
Any other ideas?
--
Jason Gates
IT Security Consultant
Southern Adventist University