LAPS and Local Administration

  • Question

  • After implementing LAPS, should I still use a domain account that is a local admin on each workstation for routine desktop administration?  This domain account's password will change frequently.

    Thanks!


    Rob Nunley

    Tuesday, April 14, 2020 12:39 AM

All replies

  • Hello,

    Thank you for posting in our TechNet forum.

    The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

    Usually we could add domain users to the local admin group as shown below. Then the domain user will be assigned admin rights. 



    According to my understanding, we could still use a domain account for routine desktop administration after implementing LAPS since it will not affect the domain account. LAPS is used to automatically manage local administrator passwords on domain joined computers. 

    For any question, please feel free to contact us.


    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Kapil.AryaMVP Tuesday, April 14, 2020 11:27 AM
    Tuesday, April 14, 2020 8:45 AM
  • Hi Rob,

    If you want to avoid leaving usable password hashes on a device, you could use the local admin with LAPS instead of a domain admin. But the admin experience is not so good. But you can use LAPS with Windows Admin Center or with PowerShell scripts that run remotely. 

    Here is an article from me on how to use LAPS within PowerShell scripts (including audit and password reset): https://www.linkedin.com/pulse/using-auditing-powershell-scripts-microsoft-local-password-niesen/



    Kind regards
    Fabian Niesen
    ---
    Infrastrukturhelden.de (German) - Infrastructureheroes.org (English)
    LinkedIn - Xing - Twitter
    #Iwork4Dell - Opinions and Posts are my own
    My posts are provided as they are. Usage is at your own risk.
    Please consider marking this entry as helpful or as the solution if it helps or solved your issue.

    Tuesday, April 14, 2020 1:24 PM
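Putting Hannah's description of LAPS (passwords stored in AD and gated by an ACL) and Fabian's suggestion (use the LAPS-managed local admin from remote PowerShell scripts, with audit and reset) into one script. This is an added example written for this page; it is not code from the thread, from Fabian's article or from Microsoft. It assumes the legacy LAPS `AdmPwd.PS` module and the `ActiveDirectory` module are installed, that the LAPS-managed account is the built-in Administrator, and that the OU, group and computer names are placeholders for your own environment.

```powershell
#Requires -Modules AdmPwd.PS, ActiveDirectory
# Added example, not from the thread. Legacy LAPS (AdmPwd.PS) from an admin workstation:
# audit who may read passwords under an OU, fetch one machine's password, use it for a
# remoting session, then expire it. OU, group and computer names are placeholders.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$WorkstationOU = 'OU=Workstations,DC=corp,DC=example',                       # placeholder
    [string[]]$ExpectedReaders = @('NT AUTHORITY\SYSTEM', 'CORP\LAPS-Readers', 'CORP\Domain Admins')  # placeholder
)

# 1. Audit the AD-side ACL: every principal holding the extended right to read
#    ms-Mcs-AdmPwd on the OU (or a child OU) can read every local Administrator
#    password beneath it. Anything outside the expected list is a finding.
foreach ($entry in Find-AdmPwdExtendedRights -Identity $WorkstationOU) {
    $extra = @($entry.ExtendedRightHolders | Where-Object { $_ -notin $ExpectedReaders })
    if ($extra.Count -gt 0) {
        Write-Warning ("Unexpected LAPS readers on {0}: {1}" -f $entry.ObjectDN, ($extra -join ', '))
    }
}

# 2. Retrieve the password for one machine. The cleartext only travels over the caller's
#    LDAP session; do not echo it, and do not run this under a PowerShell transcript.
$laps = Get-AdmPwdPassword -ComputerName $ComputerName
if ([string]::IsNullOrEmpty($laps.Password)) {
    throw "No LAPS password stored for $ComputerName (not in scope, or the client has not reported yet)."
}
if ($laps.ExpirationTimestamp -lt (Get-Date)) {
    Write-Warning "Stored password for $ComputerName is past its expiration time; the client may not have rotated yet."
}

# The managed account is assumed to be the built-in Administrator (RID 500). Qualifying it
# with the computer name targets the remote SAM, and RID 500 is exempt from the UAC remote
# token filter, so a WinRM logon with it receives a full administrative token.
$secure = ConvertTo-SecureString -String $laps.Password -AsPlainText -Force
$cred   = [pscredential]::new("$ComputerName\Administrator", $secure)

# 3. Do the work over PowerShell remoting. This is a network logon: the password is checked
#    against the target's own SAM and none of your domain credentials are sent to or cached
#    on the target, which is the point of preferring this over a domain admin logon. The
#    session's token is purely local, so domain shares and anything else that needs a domain
#    identity are not reachable from inside it.
$result = Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
    # Payload for the example: report the local Administrators membership.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
$result | Format-Table -AutoSize

# 4. Expire the password now that it has been used. The client rotates it at its next
#    Group Policy refresh; until then the value you just used remains valid.
Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)

# Drop the cleartext from this session.
$laps = $null
$secure.Dispose()
```

Run it as `.\Use-LapsAdmin.ps1 -ComputerName WS001` from a workstation that holds the read and reset rights. Step 4 does not change the password immediately; it sets the expiration time so the LAPS client picks a new one at its next policy refresh, so the retrieved value should be treated as live until then. Windows LAPS (2023 and later) replaces these cmdlets with `Get-LapsADPassword`, `Find-LapsADExtendedRights` and `Reset-LapsPassword`, but the flow is the same.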
    Thanks for your responses! I guess my question is what is best practice/Microsoft recommendation? After implementing LAPS, should I only have two accounts in the local administrators group on each PC: Local Administrator and the Domain Admins group?

    Thanks again!


    Rob Nunley

    Tuesday, April 14, 2020 3:30 PM
  • Hello Rob,

    You are welcome and thank you so much for your feedback.

    According to my experience and knowledge, it seems that there is no best practice on this. We could manage this according to our situation and environment. For security reasons, it is suggested not to have any other local users with admin privileges. 

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by rnunley Wednesday, April 15, 2020 4:22 PM
    Wednesday, April 15, 2020 2:57 AM
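A way to verify the baseline Rob and Hannah settle on, namely that each workstation's local Administrators group holds only the LAPS-managed built-in Administrator and Domain Admins. This is an added example written for this page, not code from the thread or from Microsoft. It assumes PowerShell remoting is enabled on the workstations, that the caller is an administrator on them, that the `ActiveDirectory` module is installed, and that the OU path is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Checks every enabled computer under an OU for local
# Administrators members outside the baseline: the built-in local Administrator (RID 500,
# the LAPS-managed account) and the domain's Domain Admins group (RID 512). Assumes
# PowerShell remoting is enabled and the caller is an admin on the targets; the OU is a placeholder.
param(
    [string]$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder
)

# Match by SID rather than display name, so a renamed Administrator account or a
# localized group name is still recognized correctly.
$domainAdminsSid = '{0}-512' -f (Get-ADDomain).DomainSID.Value

$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter * |
             Where-Object Enabled | Select-Object -ExpandProperty Name

# Collect memberships in one fan-out. Hosts that are offline or refuse WinRM are skipped
# (-ErrorAction SilentlyContinue), so the reached set is compared to $computers afterwards.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Sid      = $_.SID.Value
            Source   = [string]$_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
        }
    }
}

$reached = @($members | Select-Object -ExpandProperty Computer -Unique)
$missing = @($computers | Where-Object { $_ -notin $reached })

# A domain account with RID 500 also ends in -500, so the Source check is what separates
# the machine-local Administrator from a domain Administrator added to the group.
$findings = @(foreach ($m in $members) {
    $isLocalBuiltin = ($m.Source -eq 'Local' -and $m.Sid -like 'S-1-5-21-*-500')
    $isDomainAdmins = ($m.Sid -eq $domainAdminsSid)
    if (-not ($isLocalBuiltin -or $isDomainAdmins)) { $m }
})

if ($missing.Count -gt 0) { Write-Warning ("Not reachable: {0}" -f ($missing -join ', ')) }
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) Administrators members outside the baseline:"
    $findings | Sort-Object Computer, Member | Format-Table Computer, Member, Source -AutoSize
    # Remediation, once reviewed: remove each extra member on its host. Drop -WhatIf to apply.
    # foreach ($f in $findings) {
    #     Invoke-Command -ComputerName $f.Computer -ArgumentList $f.Member -ScriptBlock {
    #         param($n) Remove-LocalGroupMember -Group 'Administrators' -Member $n -WhatIf }
    # }
} else {
    "All {0} reachable computers match the baseline." -f $reached.Count
}
```

Anything the script reports (a helpdesk domain account, a stale "LocalAdmin" user, a nested group) is exactly the kind of standing local admin Hannah advises against, and each one is a credential that LAPS does not rotate. On some Windows 10 builds `Get-LocalGroupMember` fails outright when the group contains an orphaned SID it cannot resolve; if a host returns no rows but is reachable, check that case by hand.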
  • Thanks much!

    Rob Nunley

    Wednesday, April 15, 2020 4:22 PM
  • Hello,

    You are welcome. If there is anything else I can do for you, please do not hesitate to let me know and I will be very happy to help. Thanks.

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 16, 2020 1:24 AM
    When supporting end users, how will you go about it if administrative permissions are needed to solve the problem? You will presumably read the LAPS password and log on remotely using RDP or PowerShell remoting. So far, all is well. Now when you need domain resources to solve your problem, what do you do? Do you work with other credentials to overcome the limitation that what LAPS uses (the built-in local account "Administrator") has no access to domain resources like file shares? Yes, you will need a second account that is entitled to be used anywhere you need to give support. Even if that's not a local admin, it is still a strong account since it allows logon anywhere. The concept is poor.


    Please look at my article for an alternate approach: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html

    Sunday, April 19, 2020 11:48 AM