LAPS – Securing Local Administrator Accounts

LAPS (Local Administrator Password Solution) is a free solution provided by Microsoft that allows the security of workstations.

LAPS allows for each computer in OR to randomly generate a password for the local Administrator account and store it in an Active Directory attribute (ms-Mcs-AdmPwd). It ‘relies on the SID of the account which is structured in the same way on any post, which makes it possible to apply LAPS to any language of Windows or even to rename the administrator account.

It is also possible to configure a password expiration date (ms-Mcs-AdmPwdExpirationTime), which will force a new password for the Local Administrator account.

LAPS is in the form of “client / server”, it requires the installation of a part on the server (s) domain controller and the registration of a DLL on the client computers.

Prerequisites :

  • Minimum server: Windows 2003 SP1.
  • Minimum post: Windows 8.1.

If you are in an environment with multiple domain controllers, you must install the group policy definition on all servers or use a central store. In the second case, the files (% WINDIR% \ PolicyDefinitions \ AdmPwd.admx and% WINDIR% \ PolicyDefinitions \ en-US \ AdmPwd.adml) must be copied after installation to the central store.

Comments are not currently available for this post.