Windows – Set password for local admin account on all computers in domain


Before you consider what I want to achieve as insane from a security standpoint, please continue reading:

I'm setting the password for the local admin account on all computers in the domain with a startup script which contains the password in cleartext, of course.

I have limited file permissions to the script and only Domain Computers and Domain Admins accounts can access the file.

To keep it short, do you still consider what I want to do as insane or is this OK from a security standpoint?

Sincerely,
fjf2002

EDIT

My use case is as follows:
I just need the local admin accounts in case of a fallback scenario: a computer drops out of the domain, or its network adapter breaks, or something like that, and then I'd need the local admin account.

In the domain that I'm administering from now on, different computers have different local admin passwords, and the previous administrator (from whom I took over) can't remember the credentials he once set, so I thought I had to reset them all.

Best Answer

Your situation is the perfect use-case for LAPS (Local Administrator Password Solution).

It's a free tool from Microsoft to automatically manage the local admin passwords on domain-joined Windows machines and keep them stored in AD, where you can look them up whenever you need them. There are a number of guides out there for setting it up. But if I recall correctly, it mostly consists of getting the agent deployed (doable via GPO software deployment) and configuring a couple of Group Policy settings that tell the agent how often to rotate the password.
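
After the agent and the Group Policy settings are rolled out, it is worth checking which machines have actually stored a password in AD and which have stopped rotating it. The following is an added example, not part of the original answer or of Microsoft's tooling. It assumes the legacy LAPS schema, where the agent writes the attribute `ms-Mcs-AdmPwdExpirationTime`; the function name `Get-LapsCoverage`, the grace period and the sample computers are constructed for illustration.

```powershell
# Added example: classify computers by the legacy LAPS expiry attribute.
# Assumption: legacy LAPS schema, where the agent updates the attribute
# 'ms-Mcs-AdmPwdExpirationTime' (a FILETIME value) on every password rotation.
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$GraceDays = 7,                      # hypothetical tolerance
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if ($null -eq $raw -or [int64]$raw -eq 0) {
            # The agent never reported a password: not installed, GPO not
            # applied, or the computer lacks write access to its own object.
            $status = 'NoPasswordStored'
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # Expiry well in the past means rotation stopped, e.g. the machine
            # is offline or has dropped out of the domain.
            $status = if ($expires -lt $Now.AddDays(-$GraceDays)) { 'Overdue' } else { 'Managed' }
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            Status     = $status
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'PC-001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-90).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-003' }
)
$sample | Get-LapsCoverage -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsCoverage
```

Machines reported as `NoPasswordStored` or `Overdue` are the ones whose local admin password cannot be looked up reliably in the fallback scenario described in the question.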