Creating and managing local Windows user passwords

After you create local Windows users, you still need to assign a password to each user. Instead of manually setting the passwords in Local Users and Groups, you'll set up the initial passwords for your local user accounts by way of a PowerShell script.

There is a sample script provided that you can use as a starting point:

C:\Program Files\Centrify\Centrify Agent for Windows\SampleNotification.ps1

In general, the script should both set passwords and notify you of changes in local accounts. The script runs after each synchronization of local accounts in which any of the following has occurred:

  • New local users are added
  • Local users are enabled
  • Local users are disabled
  • Local users are removed

Typically, the script should perform the following user account tasks:

  • Assign a random password to newly provisioned local users.
  • Provide the user account information, including the generated passwords, to your password management solution.

After you have the script set up, you can use group policy to run it automatically. For details, see Local Account Management.

How you set up the passwords and the script depends on whether you're using a password management system. The following are the ways you can set up local user passwords.

Use Privileged Access Service to manage local Windows account passwords:

  1. Register for Privileged Access Service.
  2. Download the Centrify Client for Windows software package.
  3. On each Windows computer where you will assign passwords to local users, run the cenroll command to register the computer as a managed resource.

  4. Create a PowerShell notification script that runs on each of these Windows computers, gives each user a random password, and sends the password to Privileged Access Service.

    In the script, you can set it to run the csetaccount command to send the password to Privileged Access Service. For details, see Commands included with the Centrify Client for Windows.

  5. Using one of the following two methods, configure the notification script to run after the agent synchronizes local account information:

    • In the local account management settings for the agent

      Agent settings > Local Account Management tab > Configure > Local Account Management Configuration dialog box

    • In the group policy

      (Centrify Settings > Windows Settings > Local Account Management > Notification Command Line)

Use a third-party system to manage local Windows account passwords:

  1. Create a PowerShell script that runs on each of these Windows computers and gives each user a random password.
  2. Include a section in the script that submits the passwords to the password management product for storage and maintenance.
  3. Using one of the following two methods, configure the notification script to run after the agent synchronizes local account information:

    • In the local account management settings for the agent

      Agent settings > Local Account Management tab > Configure > Local Account Management Configuration dialog box

    • In the group policy

      (Centrify Settings > Windows Settings > Local Account Management > Notification Command Line)
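The following is an added example of a notification script that covers step 4 of the Privileged Access Service procedure and steps 1 and 2 of the third-party procedure; it is not the SampleNotification.ps1 shipped with the agent. It assumes the agent passes the names of newly provisioned local users as command-line arguments (adjust the parameter binding to match your Notification Command Line), generates each password from a CSPRNG, sets it with Set-LocalUser, and leaves the vault submission (csetaccount or your third-party API, whose arguments are not shown on this page) as a labelled stub.

```powershell
# Added example, not the agent's SampleNotification.ps1.
# Assumption: new local user names arrive as script arguments.
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [string[]]$NewUser
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (I, O, l, 0, 1) are left out of the alphabet.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    # Reject bytes >= limit so the modulo below does not bias some characters.
    $limit = 256 - (256 % $alphabet.Length)
    # Use a CSPRNG, not Get-Random, so provisioned passwords are unpredictable.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Submit-ToPasswordStore {
    param([string]$User, [securestring]$Password)
    # Placeholder (hypothetical): replace with your csetaccount invocation or
    # third-party vault API. Throwing here keeps a misconfigured deployment loud.
    throw "Submit-ToPasswordStore is not configured; password for '$User' was not stored"
}

foreach ($name in $NewUser) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null
    # Set the local password first: if the vault submission then fails, the
    # account holds a random password nobody knows, which is the fail-safe state.
    Set-LocalUser -Name $name -Password $secure -ErrorAction Stop
    Submit-ToPasswordStore -User $name -Password $secure
    # Never write the password itself to the console, a transcript, or a log.
    Write-Output "Password set and submitted for local user '$name'"
}
```

Set-LocalUser is part of the Microsoft.PowerShell.LocalAccounts module, so the script requires Windows PowerShell 5.1 or later; run it under the agent's account with -ExecutionPolicy set appropriately for your group policy.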