Hi again Aaron,
LAPS is a great solution to avoid lateral movement in a domain if a machine has been compromised, but here in Europe we have GDPR.
One of the requirements of GDPR is that every access performed to administer a machine must be logged with all the information about the admin who is logging on. As you can imagine, if all the admins who log on to a server use the same account, that is, local Administrator, this requirement is not satisfied at all. So, unless there is better logging of the remote desktop session, which logs everything about the remote client and also passes the username of the user logging in as Administrator, LAPS cannot be used to perform server administration.
Do you think you can speak with the MSTSC client group so they can improve the logging, passing, together with the client address, also the real name of the user logging on as Administrator? Without this information LAPS is useless in Europe.
Ciao
-mario