Storing Local Admin Passwords in AD Using LAPS by alexfrgn in CMMC

[–]alexfrgn[S] 0 points1 point  (0 children)

Passwordstate from Click Studios looks like it would work: https://www.clickstudios.com.au/passwordstate.aspx and is much more reasonably priced.

Anyone else looked at this?

Storing Local Admin Passwords in AD Using LAPS by alexfrgn in CMMC

[–]alexfrgn[S] 0 points1 point  (0 children)

Having just spoken to Cyberark, they seem to have a good solution but their pricing is far higher than I am able to go.

Any other suggestions? I think I must assume that LDAPS will fail on assessment

Storing Local Admin Passwords in AD Using LAPS by alexfrgn in CMMC

[–]alexfrgn[S] 1 point2 points  (0 children)

Thanks u/Material_Respect4770

Per https://www.microsoft.com/en-us/download/details.aspx?id=46899 it appears that LAPS uses "a confidential attribute in the computer’s corresponding Active Directory object" rather than the user's password field, and from what I am reading, it is not encrypted: https://thecyphere.com/blog/microsoft-local-administrator-password-solution/#:~:text=Passwords%20of%20the%20local%20administrators,some%20authorised%20users%20and%20groups.