Forum Discussion
Manage password administrator PC in Enterprise
Hi
Please recommend a solution to manage passwords in an enterprise (about 9000 users).
Should I use LAPS to manage them (Win 10)? I have some worries about using it: if in the future Microsoft does not develop a new version, how do I uninstall it? I see that installing it extends the schema.
What happens if a PC is offline for some months (disjoined from the domain)? When it is opened again, can the password still be retrieved through LAPS?
Best Regards
3 Replies
- HidMov (Iron Contributor)
  Hey Tien Ngo Thanh

  LAPS is to administer local admin passwords on a domain-joined computer. It can - if I recall correctly - only administer the default local admin on a machine or a secondary custom local admin on a machine, but not both.

  LAPS can be set so that if the computer loses trust in the domain, the password reset process will not take place - the password in AD is the current password even if it expires. Once the computer regains trust, the password changes again.

  LAPS is a great solution from a security point of view to mitigate pass-the-hash attacks or being compromised if a re-used local admin password is obtained by an adversary. If your concern is management of users' passwords then LAPS will not help in that sense.

  Thanks,
  Mark
- Tien Ngo Thanh (Iron Contributor)
  Thanks, I will try to install it and manage the local administrator for PCs and servers.
 
- You (as an admin?) want to manage passwords of 9000 people in your company/enterprise without an Active Directory domain service? No, I don't think you should use LAPS; I think you'd better use a Windows server and its roles.
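
The first reply's point about computers that are offline or have lost domain trust can be checked from the directory side. The script below is an added example, not code from any poster in this thread: it lists machines whose LAPS password expiration has passed without a rotation. It assumes legacy Microsoft LAPS (attribute `ms-Mcs-AdmPwdExpirationTime`), the ActiveDirectory RSAT module, and a placeholder OU path.

```powershell
# Added example. Reports LAPS rotation state per computer without reading any password.
# Assumptions: legacy Microsoft LAPS schema, ActiveDirectory module installed,
# and a placeholder search base that must be replaced with a real OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder, not from the thread
$Now        = (Get-Date).ToUniversalTime()

# Convert an AD FILETIME value (Int64) to a UTC DateTime, or $null when unset.
function ConvertFrom-AdFileTime([object]$Value) {
    if ($Value) { [datetime]::FromFileTimeUtc([long]$Value) } else { $null }
}

$report = Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'LastLogonTimestamp' |
    ForEach-Object {
        $expires   = ConvertFrom-AdFileTime $_.'ms-Mcs-AdmPwdExpirationTime'
        $lastLogon = ConvertFrom-AdFileTime $_.LastLogonTimestamp

        # NotManaged: no expiration stored, so LAPS has never set a password here.
        # Overdue:    expiration passed and the client has not rotated yet
        #             (typically offline or out of trust); the value stored in AD
        #             is still the password currently set on the machine.
        # Current:    rotation is on schedule.
        $state = if (-not $expires) { 'NotManaged' }
                 elseif ($expires -lt $Now) { 'Overdue' }
                 else { 'Current' }

        [pscustomobject]@{
            Computer        = $_.Name
            State           = $state
            PasswordExpires = $expires
            DaysOverdue     = if ($state -eq 'Overdue') {
                                  [int]($Now - $expires).TotalDays
                              } else { 0 }
            LastLogon       = $lastLogon
        }
    }

# Show only machines that need attention, longest overdue first.
$report |
    Where-Object { $_.State -ne 'Current' } |
    Sort-Object DaysOverdue -Descending |
    Format-Table -AutoSize
```

Reading the expiration attribute does not require the extended right that protects the password attribute itself, so this report can be run by an account that cannot retrieve the passwords.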