LAPS (Local Administrator Password Solution) was just released by Microsoft. LAPS is a GPO client-side extension that manages the creation and storage of unique client local administrator accounts (RID 500). This a big blow to pentesters and attackers who compromise one system’s local admin and rely on password reuse and pass-the-hash to get around to other machines. Needless to say this is awesome for those trying to secure their windows domain as it (nearly) automates the process of management of unique local admin accounts.
https://technet.microsoft.com/en-us/library/security/3062591