What do you do with your local administrator passwords? Spreadsheet on a share or are the passwords the same or are they disabled???
LAPS from Microsoft maybe the answer. Its a small program and some GPO settings, I'll cover the other bits in a moment, don't want to scare you off. Its not that bad
Firstly download LAPS from the Microsoft site
Copy the file to the Domain Controller and ensure that the account you are logged on with has 'Schema Admin'.
Install only the Management Tools.
As its a DC you wish not to install the 'Fat Client UI', but as its a Schema update I would always perform these on a DC directly for those just in case of moments.
Open Powershell and run the following command after seeking approval.
SELF will need updating on the OU's for your workstations and servers.
Add SELF as the Security Principal
Select 'Write ms-Mcs-AdmPwd
Now change the GPO settings on the OU's
The default is 14 characters but I would go higher and set above 20
Install LAPS on a client and select only the AdmPwd GPO Extension
On the Domain Controller open the LAPS UI and search and Set a client.
Once the password has reset open the properties of the client and check the ms-Mcs-AdmPwd for the new password of the client. Now every 30 days the local Admin password will be updated and unique.
Deploy the client with ConfigMgr to remaining estate
By default Domain Admin have access to read the password attribute and this can be delegated to a Security Group.