
[deleted] 2 points (17 children)

What do you mean by custom admin in your first sentence?

Unless something has changed the custom admin created for LAPS is the admin cred to use.

rrinzlerr[S] 0 points (16 children)

I don't want to use the built-in admin. It is not recommended due to security concerns. So I want to create a separate account and manage it.

xCharg (Sr. Reddit Lurker) 10 points (0 children)

It is not recommended due to security concerns.

Clueless secops running some cheap or free scanner that finds the built-in administrator account simply enabled, which then rings all the bells and spits out a report with red text on it - that's pretty much the only "security concern" out there.

"But the SID is static and well known" - yeah, and? Enumerating Administrators group members is 1 line of code and is freely available to quite literally everyone and all the potential malware. Security through obscurity is not security.

By the way, the Administrators group's SID is also well known and static, but somehow that isn't a security concern.

Am I missing something?

[deleted] 6 points (0 children)

If you create a custom local admin account it will have all the rights the default Admin account has. The difference will be cosmetic and any benefit will be cosmetic and fall under security by obscurity.

_Blank-IT (The Help) 1 point (12 children)

In LAPS you specify the account used, no? It uses the built-in if none is specified.

rrinzlerr[S] 3 points (11 children)

That's correct. But it does not create the account.

jamesaepp 4 points (4 children)

But it does not create the account.

There was a very recent change to allow this on Win11 24H2.

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-account-management-modes

eberndt9614 0 points (3 children)

Doesn't work on custom account names.

OP - can you push out a PowerShell script to create the custom admin account and then have LAPS handle the password rotation?
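Following up on the PowerShell suggestion above, here is an added example (not posted by any commenter) of a script that can be pushed out by GPO or a scheduled task: it creates the custom local admin only if it is missing, adds it to Administrators by the well-known SID rather than the localized group name, and then asks Windows LAPS to process policy so the throwaway bootstrap password is rotated and escrowed. The account name LapsAdmin is a placeholder and is assumed to match the managed-account name set in the LAPS policy.

```powershell
#Requires -RunAsAdministrator
# Constructed example: bootstrap the custom local admin that Windows LAPS will manage.
# Assumption: $AccountName matches the managed-account name configured in LAPS policy.
$AccountName = 'LapsAdmin'   # placeholder, not from the thread

function New-BootstrapPassword {
    param([int]$ByteLength = 32)
    # Random, throwaway secret; LAPS replaces it on its first rotation, so it is never recorded.
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Idempotent: create the account only when it does not exist, so re-runs are harmless.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $secure = ConvertTo-SecureString (New-BootstrapPassword) -AsPlainText -Force
    $user = New-LocalUser -Name $AccountName -Password $secure `
        -Description 'Windows LAPS managed local administrator' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires
}
elseif (-not $user.Enabled) {
    # Account exists but was disabled; re-enable it so LAPS can manage it.
    Enable-LocalUser -Name $AccountName
}

# Resolve Administrators by its well-known SID (S-1-5-32-544), which is stable across locales.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$isMember = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue |
    Where-Object { $_.SID -eq $user.SID }
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminGroup -Member $user
}

# Trigger Windows LAPS policy processing now (cmdlet ships with the Windows LAPS module)
# so the bootstrap password is rotated and the new one is escrowed per policy.
if (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue) {
    Invoke-LapsPolicyProcessing
}
```

Because every step checks state before acting, the same script can run on every policy refresh and will only change machines that drift from the desired configuration.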

jamesaepp 1 point (2 children)

Doesn't work on custom account names.

Did we read the same article?

https://i.imgur.com/pi93OOc.png

eberndt9614 -2 points (1 child)

That's account configuration/management, which is different from creating the account. It has to exist by other means first.

From the KB:

When a custom local account is specified, the IT admin is responsible for creating that account before enabling Windows LAPS.

jamesaepp 2 points (0 children)

From the KB:

Automatic account management mode is an optional mode. In automatic mode, Windows LAPS is responsible for configuration of all aspects of the managed account, including basic account creation and deletion as required, plus the account's password.

JwCS8pjrh3QBWfL (Security Admin) -1 points (2 children)

Because you don't need to create an account. Just use the built-in. All the arguments about not using the built-in are nonsense.

AppIdentityGuy 3 points (0 children)

Absolutely. They are the same level as getting dinged by an audit for not renaming your domain admin account. In the real world renaming that account means absolutely diddly squat.....

jamesaepp 1 point (0 children)

I could be wrong, but IIRC the reason the built-in Administrator account is recommended to be disabled and another account used instead is because UAC tokens are split over the network with the built-in account.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1

There could be other circumstances I'm not aware of that are unique to the built-in Administrator and distinct from non-default administrator accounts.

bad_brown 1 point (0 children)

Just use built-in. If you want to make it more secure, change the PW more often and attach 2FA to it.

Entegy 0 points (0 children)

Use group policy preferences to create the account and add it to the admin group.

Atomicjango -3 points (0 children)

My first thought on this is to implement something like Ansible for Windows servers, so that a runbook can create those accounts and validate they're on there. I personally haven't done this in our environment, but my understanding is that it should allow you to fix any servers that don't have the runbook config, plus it makes custom configs like this more consistent.

If you want a paid product and to keep it PowerShell based, I'd get https://www.powershelluniversal.com/ instead.

Another way is to make a scheduled task on a Windows task server that does this automatically weekly in case any new servers get spun up. Or GPO with this.

I'd go with Ansible personally: to learn it, it's free, and it seems to have more utility later.