PowerShell and Admin Automation | Reporting and Audits | Intermediate | 2-3 hours for initial setup and testing | Lab build

PowerShell Toolkit for Rotating Local Admin Passwords and Auditing Privileged Access Drift

Create a PowerShell toolkit for rotating local administrator passwords and checking privileged access drift across Windows machines.

Last reviewed: 4/30/2026
Tags: local admin drift
Tools: PowerShell, Windows Task Scheduler, Active Directory (optional)

Expected Outcome

A working PowerShell toolkit that ensures local admin passwords are rotated regularly and audits are conducted to detect any unauthorized changes in privileged access.

Assumptions

  • Windows PowerShell 5.1 or higher
  • Administrator access on target machines
  • Active Directory module for Windows PowerShell (for domain environments)
  • Basic understanding of PowerShell scripting

Bill of Materials

  • Windows operating system
  • PowerShell ISE or any text editor for scripting
  • Access to a domain controller (if applicable)

Build Steps

  1. Install Required Modules

    Ensure that the PowerShell modules for managing local users and groups (and, in domain environments, Active Directory) are available on the machine that runs the toolkit.

    Example pattern only. Adjust for your environment before running.

    # Local user/group cmdlets ship with Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts); nothing to install
    Import-Module Microsoft.PowerShell.LocalAccounts
    # The ActiveDirectory module is part of RSAT, not the PowerShell Gallery (Windows Server: Install-WindowsFeature RSAT-AD-PowerShell)
    Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
  2. Create Password Rotation Script

    Develop a PowerShell script that generates a random password and updates the local admin account on specified machines.

    Security-sensitive: review before running

    Add-Type -AssemblyName System.Web   # GeneratePassword lives in System.Web (Windows PowerShell 5.1; not available in PowerShell 7)
    $password = [System.Web.Security.Membership]::GeneratePassword(16, 3)   # 16 characters, at least 3 non-alphanumeric
    Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $password -AsPlainText -Force)
  3. Schedule Password Rotation

    Use Task Scheduler to automate the execution of the password rotation script at defined intervals.

    Changes system state: review before running

    # /ru SYSTEM so the task runs elevated and without a logged-on user; double quotes work from both cmd and PowerShell
    schtasks /create /tn "RotateLocalAdminPassword" /tr "powershell.exe -NoProfile -File C:\Path\To\YourScript.ps1" /sc daily /st 02:00 /ru SYSTEM
  4. Develop Audit Script

    Create a script that checks for local admin accounts and compares them against a predefined list to identify any unauthorized changes.

    Safe to run: read-only

    $localAdmins = Get-LocalGroupMember -Group 'Administrators'
    # Get-LocalGroupMember reports qualified names (COMPUTER\User or DOMAIN\Group), so the expected list must use the same form
    $expectedAdmins = @("$env:COMPUTERNAME\Admin1", "$env:COMPUTERNAME\Admin2")
    # '=>' marks members present but not expected (drift); '<=' marks expected members that are missing
    Compare-Object -ReferenceObject $expectedAdmins -DifferenceObject $localAdmins.Name
  5. Schedule Audit Checks

    Set up a scheduled task to run the audit script regularly to monitor for privileged access drift.

    Changes system state: review before running

    # Same run-as account and quoting as the rotation task
    schtasks /create /tn "AuditLocalAdminAccess" /tr "powershell.exe -NoProfile -File C:\Path\To\AuditScript.ps1" /sc weekly /d MON /st 03:00 /ru SYSTEM
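As an added example (not code from the original guide), here is a fuller version of the audit script from steps 4 and 5: it normalises the computer-name prefix that Get-LocalGroupMember reports so one baseline works across hosts, returns one object per deviation, and records findings in the Application event log and a CSV. The 'AdminAudit' event source, the baseline and CSV paths under C:\ProgramData\AdminAudit, and the event ID are assumptions.

```powershell
# Added example, not part of the original guide. Paths, event source and ID are assumed placeholders.
function Test-LocalAdminDrift {
    [CmdletBinding()]
    param(
        # Baseline entries as Get-LocalGroupMember reports them (DOMAIN\Group, COMPUTER\User);
        # '.\' may stand in for the local computer name so the same file applies to every host.
        [Parameter(Mandatory)] [string[]] $ExpectedMembers,
        [string] $Group = 'Administrators'
    )
    $actual = Get-LocalGroupMember -Group $Group

    # Replace "THISHOST\" with ".\" so local accounts compare equally on any machine
    $normalise = { param($n) $n -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", '.\' }
    $expectedSet = @($ExpectedMembers | ForEach-Object { & $normalise $_ })
    $actualSet   = @($actual | ForEach-Object { & $normalise $_.Name })

    foreach ($d in (Compare-Object -ReferenceObject $expectedSet -DifferenceObject $actualSet)) {
        # Look up the live principal (only exists for unexpected members) to report its class and source
        $member = $actual | Where-Object { (& $normalise $_.Name) -eq $d.InputObject } | Select-Object -First 1
        $class  = if ($member) { $member.ObjectClass } else { 'n/a' }
        $source = if ($member) { $member.PrincipalSource } else { 'n/a' }
        $kind   = if ($d.SideIndicator -eq '=>') { 'UnexpectedMember' } else { 'MissingExpectedMember' }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Group           = $Group
            Member          = $d.InputObject
            ObjectClass     = $class
            PrincipalSource = $source
            Finding         = $kind
            CheckedAt       = (Get-Date).ToString('o')
        }
    }
}

# Baseline file: one member per line, '#' lines are comments (assumed path)
$baseline = Get-Content -Path 'C:\ProgramData\AdminAudit\baseline.txt' |
    Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') }
$drift = @(Test-LocalAdminDrift -ExpectedMembers $baseline)

if ($drift.Count -gt 0) {
    # Event source must be registered once beforehand: New-EventLog -LogName Application -Source 'AdminAudit'
    Write-EventLog -LogName Application -Source 'AdminAudit' -EventId 4001 -EntryType Warning `
        -Message ($drift | ConvertTo-Json -Compress)
    $drift | Export-Csv -Path 'C:\ProgramData\AdminAudit\drift.csv' -Append -NoTypeInformation
}
```

A 'MissingExpectedMember' finding is worth treating as seriously as an unexpected one, since removal of a break-glass or management account is also drift.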

Validation

  • Verify that the local admin password is updated on the target machines after the scheduled rotation.
  • Check the output of the audit script for any discrepancies between expected and actual local admin accounts.

Troubleshooting

  • Check service logs before changing the design.
  • Confirm ports, paths, credentials, DNS names, and container names match the guide assumptions.

Cleanup or Rollback

  • Stop test services you no longer need and keep a copy of working configuration before deleting volumes or data directories.

Next Improvements

  • Implement logging for both scripts to track changes and actions taken.
  • Consider integrating with a centralized logging solution for better monitoring.
  • Explore additional features such as email notifications on password changes or audit results.