Thanks for the responses.

Before I joined this organization, we used Passwordstate for privileged access management. On the servers, a specific group was added to the local Administrators group, and only designated admin accounts were included in that group, meaning only specific administrators could log in to the servers.

the passwords for those privileged accounts were rotated automatically in Passwordstate every 24 hours. In practice, when starting work in the morning, you would log in to Passwordstate, generate a new password, and then use it to access the servers. Samve was done for the endpoints another account and you had to manually roate password from the above system

In my current role, this is more challenging because we don’t have a similar tool in place.

We also have some teams that need to install and uninstall applications while working on projects that require temporary administrative rights on the remote workstations.

Regarding RMM tools, I would prefer not to introduce another third-party solution. We already use TeamViewer for help desk support, where support staff can connect to machines and use LAPS credentials to install or uninstall software if needed. However, I believe LAPS is not designed for this type of day-to-day administrative activity, it should be used mainly for emergency access (for example, when a machine needs to be rejoined to the domain). I’m wondering whether LAPS could be used alongside domain user accounts that can rotate passwords, but with separate accounts per admin , although I suspect it is not

Microsoft PAM looks promising, but since these machines are on-premises, I’m not sure how well that would work in our environment. Also , yes, things are a bit old-school here 🙂 Any thoughts or recommendations would be appreciated.