Best Practice Local Admin Accounts

    Question

  • Hey there,

    I would like to deploy LAPS to manage the local admin account on all our client PCs and servers. Unfortunately we also need at least one static local admin account to be able to start programs requiring local admin rights. We are using RunAsSpc for this.

    Is it recommended to build a PowerShell script which removes all obsolete local admins and creates a, let's say, "RunAs" admin with a static password and a second admin which is managed by LAPS? Is it recommended to use this together with restricted group membership settings via GPO? As far as I know it's not possible anymore to create a local admin (static password) via GPO.

    Thanks //Marvin


    Tuesday, May 17, 2016 10:13 AM

All replies

  • Hi Marvin,

    Thanks for your post.

    Is it recommended to build a PowerShell script which removes all obsolete local admins and creates a, let's say, "RunAs" admin with a static password and a second admin which is managed by LAPS?

    >>>If there is such a script, I suggest you try it.

    Best Regards,

    Jay



    Wednesday, May 18, 2016 11:38 AM
    Moderator
  • Hey, thanks for your answer. But I would like to know if it's the recommended way to create local administrators via a script or if there is anything else I should use. I don't like the idea of storing the password in the script while deploying it.
    Wednesday, May 18, 2016 1:49 PM
  • Creating more local administrators across your org is going to defeat the purpose of LAPS, especially if they all have the same password.  Could you not do this with a GPO and logon script that runs as the computer?  This runs the script as system and is as close to local admin as you can get.  Can you give more background on the scripts that need to run and why?


    Wednesday, May 18, 2016 7:23 PM
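    The computer-context script suggested in the reply above, combined with the clean-up Marvin described in the question, as an added example. This is not code from the thread, from LAPS or from RunAsSpc. It is meant to run as a GPO computer startup script (so it executes as SYSTEM, no account password needed), it reconciles the local Administrators group to an allow-list, and it makes sure the LAPS-managed account exists without carrying a static password anywhere: if the account has to be created it gets a random one-time password that is never recorded and that LAPS overwrites on its next cycle. It deliberately creates no shared static "RunAs" admin, which is the point the reply makes. Assumptions: Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), a LAPS policy that manages an account named LapsAdmin, and an arbitrary log path; the account name, log path and `-ReportOnly` switch are mine, not the thread's.

```powershell
# Added example (not from the thread): GPO computer startup script, runs as SYSTEM.
# Reconciles the local Administrators group to an allow-list and makes sure the
# account LAPS manages exists, without a static password anywhere in the script.
# Assumptions: Windows 10 / Server 2016+ (LocalAccounts module); LAPS is configured
# to manage the account named in $LapsManagedAccount; $LogPath is arbitrary.
param(
    [string]$LapsManagedAccount = 'LapsAdmin',                         # assumed name
    [string]$LogPath = "$env:ProgramData\LocalAdminReconcile.log",     # assumed path
    [switch]$ReportOnly   # audit mode: log what would change, change nothing
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

# 1. Ensure the LAPS-managed account exists. If it must be created, give it a
#    random one-time password that is never stored; LAPS replaces it on its next
#    policy cycle, so nothing static is deployed with the script.
if (-not (Get-LocalUser -Name $LapsManagedAccount -ErrorAction SilentlyContinue)) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $throwaway = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if (-not $ReportOnly) {
        New-LocalUser -Name $LapsManagedAccount -Password $throwaway -PasswordNeverExpires `
                      -AccountNeverExpires -Description 'Managed by LAPS' | Out-Null
    }
    Write-Log "created $LapsManagedAccount (password to be set by LAPS)"
}
$lapsSid = (Get-LocalUser -Name $LapsManagedAccount -ErrorAction SilentlyContinue).SID.Value

# 2. Build the allow-list by SID, not by display name, so a renamed or look-alike
#    account cannot slip through the comparison.
$allowedSids = New-Object System.Collections.Generic.List[string]
# Built-in Administrator (RID 500): Windows will not let it leave the group anyway.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) { $allowedSids.Add($builtin.SID.Value) }
if ($lapsSid) { $allowedSids.Add($lapsSid) }
# Domain Admins: resolve through LSA so the domain SID prefix is the machine's own.
try {
    $da = (New-Object System.Security.Principal.NTAccount('Domain Admins')).Translate(
              [System.Security.Principal.SecurityIdentifier])
    $allowedSids.Add($da.Value)
} catch {
    Write-Log "could not resolve Domain Admins: $($_.Exception.Message)"
}

# 3. Reconcile: every member of Administrators that is not on the allow-list goes.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($allowedSids -contains $member.SID.Value) { continue }
    if ($ReportOnly) {
        Write-Log "would remove $($member.Name) ($($member.SID.Value))"
    } else {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member
        Write-Log "removed $($member.Name) ($($member.SID.Value))"
    }
}

# 4. LAPS only rotates the password; group membership is ours to enforce.
$isMember = $lapsSid -and (Get-LocalGroupMember -Group 'Administrators' |
                           Where-Object { $_.SID.Value -eq $lapsSid })
if (-not $isMember) {
    if (-not $ReportOnly) {
        Add-LocalGroupMember -Group 'Administrators' -Member $LapsManagedAccount
    }
    Write-Log "added $LapsManagedAccount to Administrators"
}
```

    Deploy it under Computer Configuration, Policies, Windows Settings, Scripts (Startup), and run it with `-ReportOnly` on a pilot OU first so the log shows exactly which members would be removed before anything is enforced; on some builds `Get-LocalGroupMember` fails when the group still holds orphaned SIDs, which the audit run will surface as well. Restricted Groups in the GPO can then pin the same membership, and the script covers machines that were offline when the policy changed.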
  • For example we have multiple mechanics who have to edit COM port settings in the Windows Device Manager, which is only possible as an administrator. Since they don't have local admin rights we built a "Device Manager as Administrator" RunAsSpc. They need to do this outside the corporate network without internet access. Also there is a small tool to change their IP address to a preset of IP addresses which are used to connect to specific devices. Since we don't want to enable them to enter any IP address we use this as a workaround.

    Thursday, May 19, 2016 8:01 AM