Tien Ngo Thanh
Aug 10, 2019
Solved

Manage password administrator PC in Enterprise

Hi,

   Please help me by recommending a solution to manage passwords in an enterprise (about 9000 users).

   Should we use LAPS to manage them (Win 10)? I have some worries about using it: if in the future Microsoft does not develop a new version, how do we uninstall it? I see that installing it extends the schema.

   What happens if a PC is offline for some months (disjoined from the domain)? When it is turned on again, can we get the password from LAPS?

Best regards

 

 


3 Replies

  • HidMov

    Hey Tien Ngo Thanh 

     

    LAPS is to administer local admin passwords on a domain-joined computer. It can - if I recall correctly - only administer the default local admin on a machine or a secondary custom local admin on a machine but not both. 

    LAPS can be set so if the computer loses trust in the domain the password reset process will not take place - the password in AD is the current password even if it expires. Once computer regains trust, the password changes again.

     

    LAPS is a great solution from a security point of view to mitigate pass-the-hash attacks or being compromised if a re-used local admin password is obtained by an adversary. If your concern is management of users' passwords then LAPS will not help in that sense.

     

    Thanks,

    Mark 

    • Tien Ngo Thanh
      Thanks, I will try to install it and manage the local administrator for PCs and servers.
  • You (as an admin?) want to manage the passwords of 9000 people in your company/enterprise without an Active Directory domain service? No, I don't think you should use LAPS; I think you'd better use a Windows Server and its roles.
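
An added example, not code from any participant in this thread: HidMov's reply says that while a computer cannot reach the domain, the password stored in AD stays the current one even after it expires. The sketch below flags such machines by reading the expiration attribute that the legacy LAPS schema extension adds (`ms-Mcs-AdmPwdExpirationTime`). The function name `Get-LapsExpiryState` and the sample computers are assumptions constructed for illustration.

```powershell
# Classify computer objects by their legacy LAPS expiration attribute.
# Input: objects with Name and 'ms-Mcs-AdmPwdExpirationTime' (a FILETIME integer).
function Get-LapsExpiryState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        $raw     = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        $overdue = 0
        if (-not $raw) {
            # Attribute empty: LAPS has never stored a password for this machine.
            $state = 'NoLapsPassword'
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $Now) {
                # Past expiry and not rotated: the machine has not processed the
                # policy, so the value stored in AD is still the live password.
                $state   = 'ExpiredNotRotated'
                $overdue = [int][math]::Floor(($Now - $expires).TotalDays)
            } else {
                $state = 'Current'
            }
        }
        [pscustomobject]@{
            Name        = $Computer.Name
            State       = $state
            ExpiresUtc  = $expires
            DaysOverdue = $overdue
        }
    }
}

# Constructed sample data so the example runs without a domain.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'PC-ONLINE';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-OFFLINE'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-90).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'PC-NOLAPS';  'ms-Mcs-AdmPwdExpirationTime' = $null }
)
$sample | Get-LapsExpiryState -Now $now | Sort-Object DaysOverdue -Descending | Format-Table

# Against a real domain (ActiveDirectory module, read access to the attribute):
# Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsExpiryState
```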
