Should I install LAPS on a Domain Controller?

    Question

  • We have installed LAPS on all of our computers. Should it be installed on the Domain Controller as well? 
    • Moved by nzpcmad1 Thursday, April 13, 2017 12:43 AM From ADFS
    Wednesday, April 12, 2017 10:43 PM

Answers

  • Hi,
    LAPS provides management of local account passwords of domain-joined computers. However, on domain controllers no local administrator account exists. As Narayanan said, you could only start the machine in AD restore mode with the password created during promotion to DC. 
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 14, 2017 8:47 AM
    Moderator

All replies

  • I don't think LAPS can be used to secure the local admin password on domain controllers. At least I've not seen any documentation on that. But you can secure the domain controller local admin password, known as the DSRM or Directory Services Restore Mode password, using the NTDSUTIL sync from domain account functionality.

    See more on that here

    https://blogs.technet.microsoft.com/askds/2009/03/11/ds-restore-mode-password-maintenance/

    Thursday, April 13, 2017 2:26 AM
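
The NTDSUTIL sync mentioned in the reply above, as an added example that is not part of the original thread: it runs `ntdsutil "set dsrm password" "sync from domain account ..."` on every domain controller and collects the output. The account name `svc-dsrm-sync` is a hypothetical placeholder, and the ActiveDirectory module and PowerShell remoting to the DCs are assumed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread: re-sync the DSRM password on every DC.
# Assumption: 'svc-dsrm-sync' is a hypothetical, dedicated, unprivileged domain
# user whose password you rotate and store through your own process.
$SyncAccount = 'svc-dsrm-sync'

# Stop early if the source account is missing, before touching any DC.
$null = Get-ADUser -Identity $SyncAccount -ErrorAction Stop

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Runs on the DC itself; needs rights to administer that DC.
        $output = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $SyncAccount -ScriptBlock {
                param($Account)
                # Copies the account's current password to the local DSRM
                # administrator. One-time copy: rerun after each rotation.
                & ntdsutil.exe 'set dsrm password' "sync from domain account $Account" q q 2>&1
            }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reached          = $true
            Output           = ($output | Out-String).Trim()
        }
    }
    catch {
        # Unreachable DCs keep their old DSRM password; report them.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Reached          = $false
            Output           = $_.Exception.Message
        }
    }
}

# Review the ntdsutil output per DC; follow up on any DC that was not reached.
$results | Format-List
```
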
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.
    Best Regards,

    Wendy



    Friday, April 21, 2017 2:42 PM
    Moderator
  • I believe that LAPS will only manage Local Admin accounts and not Domain accounts.  In order to manage the Local Admin accounts you will need to install the LAPS admin tools on the Domain controllers or PC with delegated rights that you would want to view the Local Admin passwords.
    Friday, April 21, 2017 2:51 PM