SYNERGIX Local Account Password Management versus Microsoft LAPS

    Question

  • I have come across SYNERGIX Local Account Password management as an alternative to Microsoft LAPS.  

    http://www.synergix.com/products/active-directory-client-extensions/microsoft-laps-compared/

    The feature to manage the Local Account Password is offered for free under the First Feature Free (promo code F3OFFER). The product seems promising. Is anyone using it already?

    Unlike LAPS, there is no schema extension required, which is nice.


    Sunday, February 14, 2016 4:04 PM

Answers

  • Unlike LAPS, there is no schema extension required, which is nice.

    It's true that, before the tool can be used to manage passwords, the Active Directory (AD) schema must be extended. But it will only add two new required attributes (ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime); it won't have much effect on your existing AD environment.
     
    Also, the tool contains a PowerShell module to update the AD schema automatically.
     
    For SYNERGIX, I haven't tried it yet. If you encounter any issue when using it, you might want to seek assistance in its official support forum. There you should get more professional responses.
     

    Regards,

    Ethan Hua



    Monday, February 15, 2016 6:30 AM
    Moderator

All replies

  • There are commercial solutions out there that will generate and store the password in encrypted format, unlike Microsoft LAPS, which is a clear-text implementation. Microsoft LAPS stores the clear-text password in a confidential attribute, which is good; however, one must be very careful how the delegation is set up across the enterprise ... certainly, a task that can be handled diligently.

    A few commercial products to consider before implementing the Microsoft LAPS clear-text password / confidential attribute solution are:

    CyberArk, requires additional infrastructure servers

    Synergix, requires no web, no sql and no changes in AD

    Lieberman, requires web server + sql

    Thycotic, requires web server + sql

    I would consider a solution where:

    - Password is hidden (Microsoft LAPS is good for that)

    - Encrypts password (need a commercial solution)

    - Password is masked and can be copied to the clipboard (need a commercial solution)

    - Authorized admins can RDP without providing local account credentials, and the password is changed when the connection is terminated (need a commercial solution)

    - Auditing (LAPS leverages built-in Windows auditing. Commercial products have their own audit logs)

    - No schema changes (need a commercial solution)

    - Checkout password (need a commercial solution)

    Sunday, February 28, 2016 1:09 PM
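
The replies above both turn on who is delegated read access to the confidential ms-MCS-AdmPwd attribute. The following PowerShell is an added example, not part of the thread or of either product: it uses Find-AdmPwdExtendedRights from the AdmPwd.PS module that ships with LAPS to flag principals outside an approved list. The OU path and the approved principal names are hypothetical placeholders.

```powershell
# Added example: audit who can read the LAPS password attribute (ms-MCS-AdmPwd).
# Requires the AdmPwd.PS module (LAPS management tools) and the ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Assumptions (hypothetical values, replace with your own):
$SearchBase = 'OU=Workstations,DC=example,DC=com'
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\LAPS-Password-Readers'
)

# Walk the base OU and every OU beneath it.
$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
    # Find-AdmPwdExtendedRights reports principals holding "All extended rights",
    # the permission that allows reading a confidential attribute.
    $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName
    foreach ($entry in $rights) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares case-insensitively
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN         = $entry.ObjectDN
                    UnexpectedHolder = $holder
                }
            }
        }
    }
}

if ($findings) {
    # Each unexpected holder is a delegation to review and, if unintended, remove.
    $findings | Sort-Object ObjectDN, UnexpectedHolder -Unique | Format-Table -AutoSize
} else {
    'No unexpected extended-rights holders found under ' + $SearchBase
}
```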