Implement LAPS in stages

  • Question

  • We need to deploy LAPS in stages in our environment. I'm trying to figure out a way to plan this based on the current SCCM collections and OUs structure.

    SCCM collected all workstations in the collection.

    And computers are located in multiple different computer containing OUs.

    The plan is:

    1. Deploy LAPS client to all workstations in the environment (via SCCM collection).

    Then in stages,

    2. Configure AD permission, e.g. SELF permission on the computer containing OU (e.g. one OU per day); at the same time, link the LAPS GPO only to the same OU.

    From my understanding, with only the LAPS client installed on a computer, the computer will not be getting the LAPS password until the AD permission has been configured on that OU, i.e. SELF permission, or until the LAPS GPO is applied.

    Can you confirm if this is correct?

    Thank you

    Thursday, June 2, 2016 7:30 AM
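
One stage of the plan in step 2, sketched as an added example (not part of the original post): it grants SELF permission on a single OU, links the LAPS GPO to that OU only, then reports which computers there have stored a password. The OU distinguished name and the GPO name are placeholders, and it assumes the AdmPwd.PS, GroupPolicy and ActiveDirectory modules are available and the AD schema is already extended for LAPS.

```powershell
# Added example: run once per stage (e.g. one OU per day).
# Assumptions: AdmPwd.PS, GroupPolicy and ActiveDirectory modules installed;
# schema already extended; OU DN and GPO name are placeholders.
param(
    [Parameter(Mandatory)]
    [string] $StageOu,                       # e.g. 'OU=Stage1,OU=Workstations,DC=example,DC=com'
    [string] $LapsGpoName = 'LAPS-Settings'  # hypothetical GPO name
)

Import-Module AdmPwd.PS, GroupPolicy, ActiveDirectory

# 1. Allow computer accounts in this OU to write their own LAPS attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $StageOu

# 2. Link the LAPS GPO to this OU only; skip if the link already exists.
$linked = (Get-GPInheritance -Target $StageOu).GpoLinks |
    Where-Object DisplayName -eq $LapsGpoName
if (-not $linked) {
    New-GPLink -Name $LapsGpoName -Target $StageOu -LinkEnabled Yes | Out-Null
}

# 3. Review who holds extended rights (and can therefore read stored
#    passwords) on this OU before the first passwords are written.
Find-AdmPwdExtendedRights -Identity $StageOu | Format-Table -AutoSize

# 4. Progress report: a computer counts as managed once it has written
#    a password expiration time to its own AD object.
$attr = 'ms-Mcs-AdmPwdExpirationTime'
Get-ADComputer -SearchBase $StageOu -Filter * -Properties $attr |
    Select-Object Name,
        @{ n = 'LapsManaged'; e = { [bool]$_.$attr } },
        @{ n = 'ExpiresUtc';  e = { if ($_.$attr) { [datetime]::FromFileTimeUtc($_.$attr) } } } |
    Sort-Object LapsManaged, Name
```

Re-running the script on later days shows the `LapsManaged` column filling in as clients in the stage process Group Policy.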