Can we prevent all administrative users from changing the password of other local administrative users of a PC?

    Question

  • Hi,

    We have LAPS (Local Administrator Password Solution) implemented to control our custom admin account password, so our scenario is as below:

    Domain - 2012

    Local Administrator Account (SID-500) is disabled.

    Custom Admin account is iAdmin (Controlled by LAPS)

    A domain user is added to the local administrators group on his/her PC.

    Problem - Those domain users who are added to the local administrators group of their PCs are able to reset the password of iAdmin. When this happens, the LAPS tool shows the randomly generated password, but it is no longer accepted by iAdmin. Although the password of iAdmin is renewed as per the LAPS policy, until that time we face issues.

    Our client machines are a mixture of Windows 7, 8, 8.1, 10, 2008, 2008 R2, 2012 & 2012 R2.

    Any solution?


    Thanks, Rishi Pandit.


    • Edited by Rishi Pandit Friday, October 09, 2015 8:24 AM Added some content
    Friday, October 09, 2015 8:22 AM

Answers

  • Hello,

    As far as I know it is not possible. A local administrator will be able to change passwords, or he will be able to grant himself password change permissions. In my opinion the better way to implement it is to configure local accounts (names and passwords) using GPO policies and preferences. Even if that user changes any local account, the change will be overridden the next time the policy is applied.


    My LinkedIn profile

    • Marked as answer by Rishi Pandit Monday, October 12, 2015 6:41 AM
    Friday, October 09, 2015 10:05 AM

All replies

  • A domain user is added to the local administrators group on his/her PC.

    ^ this is your problem...

    Don't give users this membership/permission, and so the user cannot perform any administrator-level functions.

    An admin is an admin is an admin....


    Don

    Friday, October 09, 2015 9:17 AM
  • Yeah, but we have to add them, because all are software engineers. They daily have to work/play with SQL, registries, DLL registrations, IIS configurations etc.

    How could I solve this?


    Thanks, Rishi Pandit.

    Friday, October 09, 2015 9:58 AM
  • Password expiration policy is set to 7 days, in LAPS.

    So if a user changes the password of iAdmin as soon as a new password is generated for any machine, then he will be able to use iAdmin for the next 7 days??

    Within these 7 days, if our IT staff want to log in with iAdmin, they will face issues. I want to avoid this. I am not sure if this is the correct place to ask this question, but anyway,

    Doesn't the LAPS client check and revert the managed account's password to be the same as it is in AD before the expiration time? Meanwhile I am going thoroughly through the LAPS technical document available from Microsoft.


    Thanks, Rishi Pandit.

    Friday, October 09, 2015 10:20 AM
  • Hi Rishi,

    LAPS will not revert the password of managed accounts. Also, there is no way to prevent users (who are members of the local administrators group) from changing the local administrator password.

    -Umesh.S.K

    Friday, October 09, 2015 11:06 AM
  • > Yeah, but we have to add them, because all are software
    > engineers.

    Same sad story every now and then... Either educate them or do not make
    them admins.

    Greetings, Martin

    Read a good book about GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, October 09, 2015 6:16 PM
  • Password expiration policy is set to 7 days, in LAPS.

    Maybe consider modifying the LAPS settings so that LAPS changes the iAdmin password every 1 day?

    That would mean you would regain access to iAdmin the next day, and probably these users would not be concerned with resetting the iAdmin password every day.

    But also consider that these users actually have the permissions to uninstall LAPS, or deny/block the LAPS CSE anyway.


    Don

    Friday, October 09, 2015 9:09 PM
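As Umesh and Don say above, LAPS does not revert a reset by a local admin on its own, but an IT admin can find such resets in the client's Security log and force LAPS to rotate the password at the next Group Policy refresh instead of waiting out the 7-day window. The PowerShell below is an added example, not code from this thread or from Microsoft; it assumes the AdmPwd.PS module shipped with LAPS is installed on the admin workstation, that the client's Security log is reachable remotely, and that "User Account Management" auditing is enabled so event 4724 (account password reset) is logged. The function names, the machine name PC01 and the "LAPS CSE resets as SYSTEM" filter are assumptions.

```powershell
# Added example, not from the thread. Assumes the AdmPwd.PS module (shipped
# with LAPS) is installed and that clients audit "User Account Management",
# which logs event 4724 ("An attempt was made to reset an account's password").
Import-Module AdmPwd.PS

function Get-ManagedAccountResets {
    # Lists who reset the LAPS-managed account on a client in the last N days
    # (hypothetical helper name; $Account defaults to iAdmin from the thread).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Account = 'iAdmin',
        [int]$Days = 7                   # one LAPS expiration window, as set here
    )
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 4724 carries the subject (who did it) and the target account
            # in EventData; pull them out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $Account) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Time     = $_.TimeCreated
                    ResetBy  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                }
            }
        }
}

function Repair-ManagedAccountPassword {
    # Forces LAPS to rotate the password at the next Group Policy refresh by
    # expiring ms-Mcs-AdmPwdExpirationTime on the computer object, instead of
    # waiting out the rest of the 7-day window (hypothetical helper name).
    param([Parameter(Mandatory)][string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName
}

# Usage: report resets not made by the LAPS CSE itself (assumption: the CSE
# rotates the password as SYSTEM) and force a rotation where any are found.
$resets = Get-ManagedAccountResets -ComputerName 'PC01' |
    Where-Object { $_.ResetBy -notmatch '\\SYSTEM$' }
$resets | Format-Table -AutoSize
if ($resets) { Repair-ManagedAccountPassword -ComputerName 'PC01' }
```

The new password appears in AD once the client's LAPS CSE has run, so IT staff regain access after the next gpupdate rather than after the remaining days of the expiration window.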