Using Windows LAPS along legacy LAPS


Good afternoon folks, I am trying to figure out a thing or two for using Windows LAPS in our domain.
First, we do have legacy LAPS configured and used in our domain. We still have servers with Windows Server 2012 R2 and 2016. They both need to use the legacy LAPS because they are not supported for using Windows LAPS.

I was planning on using emulation mode so that we do not introduce new ways to do things while some legacy configurations are around. So until we get rid of the older OSes, legacy emulation mode should remain.
I was planning to make two policies applied using WMI filters and only for LAPS:
One for the Windows LAPS config and the other for legacy LAPS config, both targeted to the proper OS.
Am I right in my configuration?
The way I am seeing it is:

  • That using two policies, no servers should receive configurations that are not set for them.
  • I can uninstall the legacy client on the newer servers and leave the old client on the older OSes.
  • Helpdesk will continue to use the LAPS tool to retrieve the password.
  • We still target the same account using both policies.

To achieve that config I will need to:

  • Extend the schema for Windows LAPS.
  • Configure two policies using WMI filters and configure the right options:
    • On the newer OS policy, I need both legacy and Windows LAPS policies set (emulation mode only for the Windows LAPS).
    • On the older OS policy, only the legacy one.
  • Remove the legacy client on the new OSes.

Any idea or suggestion? Am I missing something about the requirements of both modes or any incompatibility using what I am planning?

Thanks a lot for any comments.


Mathieu

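As an added illustration of the two-policy plan above (example code, not from the original post or from Microsoft), the following PowerShell encodes the two WMI filter queries the plan relies on, evaluates them locally the same way Group Policy processing does, and checks whether a given server's LAPS client state matches the intended split. The build numbers (2012 R2 = 6.3.x, 2016 = 10.0.14393, 2019 = 10.0.17763) are known OS versions; the legacy CSE file name `AdmPwd.dll`, the two policy registry paths and the `LAPS` module name are assumptions to verify against your own environment before relying on them.

```powershell
# Added example: the WQL for the two GPO WMI filters in the plan, plus a local
# check that a server's state matches the policy it should receive.
# Assumptions: legacy CSE = AdmPwd.dll, legacy policy key under
# "Microsoft Services\AdmPwd", Windows LAPS policy key under "Policies\LAPS",
# Windows LAPS cmdlets in the 'LAPS' module.

# WMI filter for the legacy LAPS GPO: servers only (ProductType <> 1),
# 2012 R2 (6.3.x) or 2016 (10.0.14393).
$LegacyFilter = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1 AND (Version LIKE "6.3.%" OR Version = "10.0.14393")'

# WMI filter for the Windows LAPS GPO: server builds from 2019 (17763) upward.
# BuildNumber is a string in WMI; a lexical comparison is safe here because
# every relevant server build number has five digits.
$WindowsLapsFilter = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1 AND Version LIKE "10.0.%" AND BuildNumber >= "17763"'

function Test-WmiFilterLocally {
    param([Parameter(Mandatory)][string]$Query)
    # Get-CimInstance -Query runs the WQL against the local machine, which is
    # what the GPO WMI filter does during Group Policy processing.
    $null -ne (Get-CimInstance -Namespace root\cimv2 -Query $Query -ErrorAction SilentlyContinue)
}

function Get-LapsClientState {
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        OSVersion                = (Get-CimInstance Win32_OperatingSystem).Version
        LegacyCseInstalled       = Test-Path "$env:windir\System32\AdmPwd.dll"
        LegacyPolicyPresent      = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
        WindowsLapsPolicyPresent = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
        WindowsLapsModule        = [bool](Get-Module -ListAvailable -Name LAPS)
        LegacyGpoWouldApply      = Test-WmiFilterLocally $LegacyFilter
        WindowsLapsGpoWouldApply = Test-WmiFilterLocally $WindowsLapsFilter
    }
}

function Test-LapsPlanCompliance {
    # Encodes the plan in the post: exactly one GPO applies per server; newer
    # servers drop the legacy CSE but still carry the legacy policy (emulation
    # mode); older servers keep the legacy CSE and get only the legacy policy.
    param([pscustomobject]$State = (Get-LapsClientState))
    $issues = @()
    if ($State.LegacyGpoWouldApply -and $State.WindowsLapsGpoWouldApply) {
        $issues += 'Both WMI filters match this server; the two GPOs overlap.'
    }
    if (-not $State.LegacyGpoWouldApply -and -not $State.WindowsLapsGpoWouldApply) {
        $issues += 'Neither WMI filter matches; no LAPS policy would apply here.'
    }
    if ($State.WindowsLapsGpoWouldApply) {
        if ($State.LegacyCseInstalled) { $issues += 'Legacy CSE (AdmPwd.dll) still installed on a Windows LAPS server; the plan removes it.' }
        if (-not $State.LegacyPolicyPresent) { $issues += 'Legacy LAPS policy not present; the plan expects it for emulation mode.' }
    }
    if ($State.LegacyGpoWouldApply) {
        if (-not $State.LegacyCseInstalled) { $issues += 'Legacy CSE missing on an older server that still depends on it.' }
        if ($State.WindowsLapsPolicyPresent) { $issues += 'Windows LAPS policy present on an unsupported OS; check GPO targeting.' }
    }
    if ($issues.Count -eq 0) { 'OK: server state matches the two-policy plan.' } else { $issues }
}

Get-LapsClientState | Format-List
Test-LapsPlanCompliance
```

Run it on one server from each OS generation before and after the legacy client is removed; a clean result on every server means the WMI filters do not overlap and each machine carries only the client and policies the plan assigns to it.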