The Windows local administrator account is only required when a machine is no longer connected to the domain. At other times it's a backdoor into a server, and it's hard to audit who used the account.
This scheme manages the Windows local administrator account password, resulting in a unique, complex password per Windows machine that changes every month. It also provides a corresponding password recovery service via a secure, authenticated, audited intranet website (break-glass-in-emergency style).
Year + Month + Hostname are concatenated and passed through a cypher to generate a long, complex password that meets AD password complexity requirements.
The local administrator password is (re)set during machine startup. This is useful for systems that are restarted regularly. It can also be set via a centrally scheduled job (e.g. System Center Configuration Manager).
The cypher is within an encrypted executable and secured (at least from casual browsing) by NTFS permissions. Domain machine accounts have access to the cypher to change the local admin password at startup. Users do not have read access.
An Intranet website (Windows authentication and secured by AD group membership) can be used by IT support to recover the local administrator password for a specific machine after entering the hostname and referencing a support ticket. This recovery action is audited and the security department are alerted.
If the encryption scheme is compromised, the cypher can be changed by modifying the salt and resetting all local admin passwords again via a centrally scheduled deployment job (SCCM).
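The following is an added example of the whole scheme (derivation at startup, and the derivation the recovery site repeats), not code from the original page. The page does not specify the cypher, so this stand-in uses HMAC-SHA512 keyed with the secret salt; the function names, the salt file path and the password alphabet are hypothetical choices for illustration.

```powershell
# Added example, not code from the original page. The page's "cypher" is not
# specified; this stand-in keys HMAC-SHA512 with the secret salt (assumption).
# Function names, $SaltPath and the character alphabet are hypothetical.

function Get-LocalAdminPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Salt,        # the secret, read from the protected cypher store
        [datetime]$Date = (Get-Date),               # which month's password to derive
        [ValidateRange(12, 32)][int]$Length = 20
    )
    # Year + Month + Hostname, normalised so the startup script and the
    # recovery site derive exactly the same input string.
    $material = ('{0:yyyyMM}' -f $Date) + $Hostname.Trim().ToUpperInvariant()

    $key  = [System.Text.Encoding]::UTF8.GetBytes($Salt)
    $hmac = New-Object System.Security.Cryptography.HMACSHA512 -ArgumentList (,$key)
    try     { $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($material)) }
    finally { $hmac.Dispose() }

    # Four character classes; positions 0-3 take one from each class so the
    # result always meets AD complexity (upper, lower, digit, symbol).
    # Ambiguous glyphs (O/0, l/1) are left out to reduce support-desk typos.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!#$%&*+-=?@'
    )
    $union = -join $classes
    $out = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        $pool = if ($i -lt 4) { $classes[$i] } else { $union }
        # Two digest bytes per character (the 64-byte digest covers up to 32
        # characters); modulo bias over a 16-bit value is negligible here.
        $n = ([int]$digest[2 * $i] -shl 8) -bor [int]$digest[2 * $i + 1]
        $out[$i] = $pool[$n % $pool.Length]
    }
    return -join $out
}

function Set-LocalAdminPassword {
    # Runs at machine startup (or from an SCCM job) as SYSTEM, which reaches the
    # cypher store through the machine account's NTFS read permission.
    [CmdletBinding()]
    param(
        [string]$AccountName = 'Administrator',
        [string]$SaltPath = 'C:\ProgramData\LocalAdminRotation\salt.txt'   # hypothetical location
    )
    $salt   = (Get-Content -LiteralPath $SaltPath -Raw).Trim()
    $plain  = Get-LocalAdminPassword -Hostname $env:COMPUTERNAME -Salt $salt
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -Name $AccountName -Password $secure
    # Record that a rotation happened; never log the password or the salt.
    Write-Verbose ('Local admin password rotated for {0} ({1:yyyy-MM})' -f $env:COMPUTERNAME, (Get-Date))
}

function Get-RecoveryCandidates {
    # Recovery side (intranet site, after the AD group check and ticket
    # reference): a machine that has not restarted since the month changed
    # still carries last month's password, so both values are offered.
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Salt
    )
    $now = Get-Date
    [ordered]@{
        Current  = Get-LocalAdminPassword -Hostname $Hostname -Salt $Salt -Date $now
        Previous = Get-LocalAdminPassword -Hostname $Hostname -Salt $Salt -Date $now.AddMonths(-1)
    }
}
```

At startup the script calls `Set-LocalAdminPassword` with the salt from the protected store; the recovery site calls `Get-RecoveryCandidates` with the same salt and writes the audit record and security alert around that call. Because the scheme is deterministic, the salt is the entire secret: anyone who can read it can derive the password for every machine and month, which is why the page's NTFS restrictions on the cypher matter and why a suspected compromise is handled by replacing the salt and redeploying `Set-LocalAdminPassword` to every machine through SCCM.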