Microsoft LAPS
Recently Microsoft released an updated version of LAPS (Local Admin Password System). We have a lab here at the office where I'm testing it on a DC & a few Windows boxes. It works well, but here is my question.
It "appears" to only work with the "Built in admin" account, and not any created ones. When we deploy a new box we disable the built in admin account and a script creates a new separate admin account. Will this software monitor and change CREATED admin accounts & not just the built in one? My suspicion is no it won’t, because it only monitors a specific common GUID that is related to the built in account. Any thoughts or help is appreciated!
https://technet.microsoft.com/en-us/library/security/3062591.aspx
0 Comments
[ + ] Show comments
Answers (6)
Please log in to answer
Posted by:
BoomStick
9 years ago
This is not the case. As can be seen in the screen shot of the GPO settings here, you can enable "Name of administrator account to manage" and specify the name of the account that you have created to replace the one with the -500 SID.
Posted by:
BoomStick
9 years ago
You are incorrect. As you can see from the screen shot here, you can set the "Name of the administrator account to manage" to enabled and specify the name of the account that you used to replace the account with the -500 SID.
Posted by:
anonymous_9363
9 years ago
To me, the language used makes it pretty clear:
Note that 'local administrator account' is in the singular not the plural.
Install LAPS to automatically manage local administrator account passwords
Note that 'local administrator account' is in the singular not the plural.
Posted by:
anonymous_9363
9 years ago
Nice side-stepping of my question.
Moving on...where does my post try to instruct anybody on what a GUID is? I merely mention it to highlight the point that the account could be called anything you like, as Windows itself doesn't care. Did you mean to say "on where a GUID is used"?
The OP asked:
Will this software monitor and change CREATED admin accounts
Note the word 'accountS', plural. Answer? No, it will monitor and change only one, although that account doesn't have to be the built-in Administrator account, as we have discussed.
For me, this thread neatly illustrates the importance of phrasing questions and answers correctly. Had the OP asked "Will this software monitor and change an account with which we replace the built-in Administrator account?" perhaps we could've resolved the question without distractions.
Posted by:
jegolf
9 years ago
Dude - look at the FAQs:
Can LAPS manage a local administrator account not named “administrator”?
Yes.
Can LAPS manage a local administrator account not named “administrator”?
Yes.
Comments:
-
But does this mean a "renamed" BUILT IN Local admin account, or does it mean a completely different local admin account that has been created? - Techie702 9 years ago
-
You should have an option within the group policy template to do so:
https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-3/ - jegolf 9 years ago -
I took this from the Executive Summary right after download: Purpose of this document is to provide reader with detailed technical specification of solution for management of password of local (built-in or custom) Administrator password on domain-joined computers (servers and workstations). - RolandoJohn 7 years ago
Posted by:
anonymous_9363
9 years ago