In case you didn’t hear about it†, Microsoft released a new tool for management of the Local Administrator passwords for domain joined machines, Local Administrator Password Solution (LAPS) (Support KB, Download page).
This solution is configured via GPO, and causes EACH MACHINE to check the local admin account’s password expiration, and if it’s expired the machine will randomize its own password, and then store the new password in AD! Quoted from the Technet release page:
After years of telling us to simply disable the local admin account, and pretending domain trust failures didn’t happen, they’ve finally bit the bullet and are now offering a way to simply and easily automate local admin password management. In a single stroke, this solves three or four major security risks for domain joined machines, and automatically handles the largest source of panic admin credentials, the management of which is normally a giant manual hassle for IT departments.
†MS seems to be keeping this quiet. I heard about it from the SANS Internet Storm Center Daily Stormcast podcast this morning, who apparently found it 4 days after release by trolling new articles in the Microsoft Security TechCenter.