This feature assigns a random complex password to the Administrator account. The Built-in Administrator Account Password Change After Checkout feature can be configured using the Administrative Template file that is provided with the software.
In a typical scenario, the IT Security Policy demands that the Built-In Administrator Account password is reset, complies with a strict password policy (typically, a complex password of 8 to 14 characters that is changed every 60 days), and is well secured. The Built-In Administrator Account Management feature of the SYNERGIX AD Client Extensions software addresses this challenge.
Additionally, when the Built-In Administrator Account Password Change After Checkout policy setting is enabled, the password is marked as checked out. After the Expiration Interval (maximum 2 hours) has elapsed, the password is reset, instead of waiting for the default interval of 7 days, after which the password changes even if it has not been checked out.
The software generates a unique and complex password string of 8 to 48 characters for each computer and stores the encrypted value in Active Directory, where it can be retrieved by designated administrators only. The scope of administration is managed by using an Active Directory security group. For example, a security group named SYNERGIX ADCE Managed Computers may be provisioned for this purpose. The security group contains the domain computer accounts (of computers installed with the software) and the systems administrators’ domain accounts that must be allowed to retrieve passwords. Passwords are retrieved using the Admin Tools menu option in the same SYNERGIX AD Client Extensions software.
This article provides instructions on testing the SYNERGIX AD Client Extensions software. The Built-in Administrator Account Password Management feature is configured using the Administrative Template. After installing the Administrative Template file, the policy setting can be found under COMPUTER CONFIGURATION \ Administrative Templates \ SYNERGIX AD Client Extensions \ Local Users and Groups \ Built-in Administrator Account Password Change After Checkout. The Explain tab of the Group Policy setting provides online instructions on configuring the feature.
- Microsoft Windows 7.0 or
- Microsoft Windows 8.1 or
- Microsoft Windows 10 or
- Microsoft Windows Server 2008 & R2 or
- Microsoft Windows Server 2012 & R2 or
- Microsoft Windows Server 2016
- .NET Framework 4.0
Active Directory Domain Environment
- Single Active Directory Domain environment, i.e. a single forest with the forest root domain only, for example SYNERGIX.WIN
- You can set up a more complex Active Directory Domain environment, if needed. For example, one forest SYNERGIX.WIN with child domains US.SYNERGIX.WIN and GB.SYNERGIX.WIN, and a trusted forest SYNERGIXLABS.WIN with child domains US.SYNERGIXLABS.WIN and GB.SYNERGIXLABS.WIN
- Security Group(s)
- Create a security group called “SYNERGIX ADCE Managed Computers”. The group type may be Domain Global Group or Domain Local Group.
- Add the test domain computer(s) into the security group “SYNERGIX ADCE Managed Computers”
- Add the systems administrators’ domain account(s) into the security group “SYNERGIX ADCE Managed Computers”
- Delegate Control
- Not applicable for configuring this feature
- Configure domain Group Policy Object
- Copy SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on admin workstation (must be Windows 7.0)
- Copy SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on same admin workstation (must be Windows 7.0)
- Using GPMC.MSC, edit an existing or new Group Policy Object.
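The security group and Administrative Template steps above can be scripted. The following PowerShell is an added example, not SYNERGIX code; it assumes the RSAT ActiveDirectory module and an elevated session on the admin workstation, and the computer name, account name and source folder are placeholders. It ends by listing the group's members, since membership decides who can retrieve the Built-in Administrator passwords.

```powershell
#requires -Modules ActiveDirectory
# Added example: prerequisite setup for the test environment.
# Placeholders (assumptions, not from the original page):
$TestComputer = 'TESTPC01'       # test domain computer
$AdminAccount = 'adm.jdoe'       # systems administrator's domain account
$TemplateDir  = 'C:\Temp\ADCE'   # folder holding the ADMX/ADML files

# Group name as given in the article.
$GroupName = 'SYNERGIX ADCE Managed Computers'
$ErrorActionPreference = 'Stop'

# 1. Create the security group only if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Add the test computer and the admin account, skipping existing members
#    (Add-ADGroupMember fails if a principal is already in the group).
$wanted = @(
    Get-ADComputer -Identity $TestComputer
    Get-ADUser     -Identity $AdminAccount
)
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty distinguishedName)
$missing = @($wanted | Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing) {
    Add-ADGroupMember -Identity $group -Members $missing
}

# 3. Copy the Administrative Template and its language file into the
#    local PolicyDefinitions store (needs an elevated session).
$policyDefs = Join-Path $env:SystemRoot 'PolicyDefinitions'
Copy-Item (Join-Path $TemplateDir 'SYNERGIX-ADCE.ADMX') -Destination $policyDefs
Copy-Item (Join-Path $TemplateDir 'SYNERGIX-ADCE.ADML') `
          -Destination (Join-Path $policyDefs 'en-US')

# 4. Review who is in the group: every user listed here can retrieve
#    the managed computers' Built-in Administrator passwords.
Get-ADGroupMember -Identity $group |
    Sort-Object objectClass, SamAccountName |
    Format-Table objectClass, SamAccountName, distinguishedName -AutoSize
```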
Active Directory Domain Environment
- In Group Policy Editor, expand COMPUTER CONFIGURATION
- Expand Administrative Templates
- Expand SYNERGIX AD Client Extensions
- Expand Local Users and Groups
- Select Built-in Administrator Account Password Change
- Click on the Enable radio button to enable the policy setting
- Configure Run Interval as desired. It is recommended that you leave it at the default value.
- Configure Password Expiration Interval. When the password is retrieved, the software waits for the password expiration interval to elapse before resetting it again.
- Before this feature or the Built-In Administrator Account Password Management feature is enabled, you must enable and configure the “Local Account Password Audit Policy” setting. You will find this setting under ..
- \ SYNERGIX AD Client Extensions
- \ Application Settings
- \ Audit Policy
- \ Local Account Password Audit Policy
- Ensure your (admin) account is a member of the SYNERGIX ADCE Managed Computers security group
- Log into a domain computer with the domain account (your admin account) that has local administrative privileges on the workstation.
- Ensure the SYNERGIX AD Client Extensions specific Group Policy settings were applied
- Launch RSOP.MSC or run GPRESULT.EXE /v to confirm
- Install SYNERGIX AD Client Extensions software
- After the software is successfully installed, double click on the orange icon in the system tray.
- You should see Admin Tools in the menu bar. It is visible only to members of the SYNERGIX ADCE Managed Computers security group.
- Select a computer from the list. Double click on it. You should be able to see the decrypted password string for the Built-in Administrator Account. After the expiration interval has elapsed, the password should change.
- Note the previous password and the changed password after the expiration time has elapsed.
- Note: You can use the Built-In Administrator Account Management GPO setting to manage the Built-In Administrator Account Password.
Test Results Submission
- Output of GPRESULT.EXE /V command
Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them.