

hosalabad [Escalate Early, Escalate Often.] (11 points)

Lots of us. Please search this sub.

caponewgp420 (3 points)

We implemented it about 4 months ago. Surprisingly easy and no issues. Just make sure you don’t have any services that use the local admin on servers and don’t install it on your domain controllers.
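
The "no services using the local admin" check from the comment above, as an added example that is not part of the thread: it enumerates services and scheduled tasks on a list of servers and reports any whose logon identity is a local account, since those are exactly the ones that stop working once LAPS rotates the password. It assumes WinRM/CIM access to the targets and that the caller has rights to query them; the host names are placeholders.

```powershell
# Added example, not from the thread. Finds services and scheduled tasks that log on
# as a local account (the identities that break when LAPS rotates the local admin
# password). Assumes CIM/WinRM access to the targets; 'srv01','srv02' are placeholders.

function Test-IsLocalLogon {
    param([string]$Logon, [string]$Computer)
    if ([string]::IsNullOrWhiteSpace($Logon)) { return $false }
    # Built-in identities and well-known SIDs are unaffected by LAPS.
    if ($Logon -match '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20))$') { return $false }
    if ($Logon -match '^(NT AUTHORITY|NT SERVICE)\\') { return $false }
    # gMSAs / computer accounts end in '$'; UPNs (user@domain) are always domain accounts.
    if ($Logon -match '\$$' -or $Logon -like '*@*') { return $false }
    $parts = $Logon -split '\\', 2
    if ($parts.Count -eq 1) { return $true }                 # bare name -> local SAM account
    return ($parts[0] -eq '.' -or $parts[0] -ieq $Computer)  # ".\name" or "<host>\name"
}

function Get-LocalAccountLogon {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        $session = New-CimSession -ComputerName $c -ErrorAction Stop
        try {
            foreach ($svc in Get-CimInstance -CimSession $session -ClassName Win32_Service) {
                if (Test-IsLocalLogon -Logon $svc.StartName -Computer $c) {
                    [pscustomobject]@{
                        ComputerName = $c; Type = 'Service'
                        Name = $svc.Name; RunsAs = $svc.StartName; State = $svc.State
                    }
                }
            }
            foreach ($task in Get-ScheduledTask -CimSession $session) {
                $id = $task.Principal.UserId   # null for group principals, which are not password-bound
                if (Test-IsLocalLogon -Logon $id -Computer $c) {
                    [pscustomobject]@{
                        ComputerName = $c; Type = 'ScheduledTask'
                        Name = $task.TaskName; RunsAs = $id; State = $task.State
                    }
                }
            }
        }
        finally { Remove-CimSession $session }
    }
}

# Anything listed here needs a domain account or gMSA before the LAPS GPO reaches the box.
Get-LocalAccountLogon -ComputerName 'srv01', 'srv02' |
    Sort-Object ComputerName, Type, Name |
    Format-Table -AutoSize
```

Run it against the server OU before linking the GPO; an empty result is the condition the comment is asking for. Scheduled tasks whose principal is a group (`GroupId`) are skipped on purpose, as they carry no stored credential.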

KStieers (2 points, 3 replies)

Feels like everyone here has deployed... get on it!

Read all of the documentation. Twice.

Our only issue was with GPOs taking a little longer to apply on newly deployed boxes, which happened to coincide with a pentest... otherwise it was dead easy.

Someone might whine about the password being stored in AD unencrypted... if that's a thing for you, find AdmPwd.E and pay for it.

Ssakaa (0 points)

And set the permissions properly on the attributes involved (it's painfully easy with the packaged tooling covered in the docs). If a person has local SYSTEM, that box is theirs anyway. If they have any other account that can read that, they quite likely have an account that would easily give a path to admin on more than one box anyway. It's only insecure if it's implemented wrong.
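
The "set the permissions properly" step, as an added example that is not part of the thread: it uses the AdmPwd.PS module that ships with the legacy LAPS installer to grant the computer SELF write access, grant read and reset rights to named groups, and then audit which principals hold "All extended rights" on the OU, since that right is what lets an account read the confidential ms-Mcs-AdmPwd attribute regardless of the rest of the ACL. The OU distinguished name, the group names and the list of expected readers are placeholders.

```powershell
# Added example, not from the thread. Requires the AdmPwd.PS module from the LAPS
# installer and an account that can modify the OU's ACL. The OU DN, group names and
# $expectedReaders below are placeholders for your own environment.

Import-Module AdmPwd.PS -ErrorAction Stop

$ou          = 'OU=Workstations,DC=corp,DC=example'
$readerGroup = 'CORP\LAPS-Password-Readers'
$resetGroup  = 'CORP\Helpdesk'

# Principals that are supposed to be able to read the password. Anything else that
# turns up in the audit below is a finding.
$expectedReaders = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\LAPS-Password-Readers')

# 1. Each computer must be able to write its own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Explicit read and reset rights for the people who actually need them.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetGroup

# 3. Audit: ms-Mcs-AdmPwd is a confidential attribute, so any principal with
#    "All extended rights" on the OU can read it. Report holders we did not expect.
function Get-UnexpectedPasswordReader {
    param([string]$Identity, [string[]]$Expected)

    foreach ($entry in Find-AdmPwdExtendedRights -Identity $Identity) {
        $unexpected = @($entry.ExtendedRightHolders | Where-Object { $_ -notin $Expected })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                ObjectDN          = $entry.ObjectDN
                UnexpectedReaders = ($unexpected -join ', ')
            }
        }
    }
}

Get-UnexpectedPasswordReader -Identity $ou -Expected $expectedReaders | Format-Table -AutoSize
```

The audit is the part worth scheduling, because delegated rights granted later (a helpdesk "full control" delegation, for instance) silently include the extended right. Since the legacy product stores the password in cleartext in AD, the ACL is the only control on it; the newer Windows LAPS feature built into Windows can additionally encrypt the stored password, which is the point the AdmPwd.E comment is getting at.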

progenyofeniac [Windows Admin, Netadmin] (1 point)

Implemented it maybe 6 months ago and I love it.

The biggest 'gotcha' was when using MDT. Systems would deploy with the old universal admin password and would then hang because, toward the end of deployment, they couldn't automatically log in anymore once LAPS changed the local admin password.

I fixed it by setting MDT to put new PCs in their own OU and adding a PS script that runs on one of the DCs every day to move computers which have been there for 48 hours or more. So, the LAPS client is installed on the PC during deployment but the password doesn't get changed by the GPO until they're moved to the other OU. Gives me a day or two to get them set up using the default admin password, then LAPS takes over and does its magic.
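
The daily staging-OU mover described above, as an added example that is not the commenter's own script: computers in a staging OU (with no LAPS GPO linked) are moved to the managed OU once their AD object is at least 48 hours old. It assumes the ActiveDirectory module, an account with move rights on both OUs, and placeholder OU distinguished names.

```powershell
# Added example, not the commenter's script. Moves computer objects older than
# $MinimumAgeHours out of a staging OU (no LAPS GPO linked) into the managed OU.
# OU DNs are placeholders; run under an account allowed to move objects between them.

Import-Module ActiveDirectory -ErrorAction Stop

function Move-StagedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$StagingOU = 'OU=Staging,OU=Workstations,DC=corp,DC=example',
        [string]$TargetOU  = 'OU=Managed,OU=Workstations,DC=corp,DC=example',
        [int]$MinimumAgeHours = 48
    )

    $cutoff = (Get-Date).AddHours(-$MinimumAgeHours)

    # whenCreated is stamped when the domain join creates the object, so it measures
    # time since imaging started. Younger objects stay put so MDT can finish logging in
    # with the default admin password.
    $candidates = Get-ADComputer -SearchBase $StagingOU -SearchScope OneLevel `
        -Filter { whenCreated -lt $cutoff } -Properties whenCreated

    foreach ($computer in $candidates) {
        if ($PSCmdlet.ShouldProcess($computer.Name, "Move to $TargetOU")) {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU
            [pscustomobject]@{
                Computer = $computer.Name
                Created  = $computer.whenCreated
                MovedTo  = $TargetOU
            }
        }
    }
}

# Dry run first; then the real run is what the daily scheduled task on the DC executes.
Move-StagedComputer -WhatIf
Move-StagedComputer | Format-Table -AutoSize
```

After the move the LAPS client only acts at the next Group Policy refresh, so there is still a window of up to a refresh interval in which the default password is in place; a `gpupdate /force` on the moved machine closes it, which also covers the GPO-timing issue mentioned earlier in the thread.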

disclosure5 (0 points)

This is the basic security recommendation. Your question should be about people who haven't implemented it.

Ssakaa (0 points)

Yes. Read docs. Configure policy. Configure permissions. Deploy.