In this post I want to share some experience with LAPS (Local Administrator Password Solution). With this solution from Microsoft you can make sure that the passwords of the local administrator accounts on your Windows clients are changed regularly. The passwords are stored centrally in Active Directory, protected by ACLs.
It is a good idea to implement it in combination with changing the local administrator name to a unique name on every client in your environment. I have described how to do this in this post: Powershell – Dynamic local Administrator Name. LAPS will still work, because it is based on the SID of the account and not on the name.
First you should read the instructions from Microsoft, which are not included in the MSI download. You have to select LAPS_OperationsGuide.docx to get them.
Here you can download LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
After this you should test the implementation in your test environment. (If you don't have one, it is time to set one up.)
These main tasks have to be done:
- Schema extension of AD
- Set ACLs
- Add LAPS GPO Templates
- Create / link GPO
- Create / deploy installation package for clients
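The first two tasks can be scripted with the AdmPwd.PS module that ships with the LAPS management tools. The following is an added example, not part of the original post; the OU path, the group names and the list of expected principals are assumptions to replace with your own. It also audits who can read the stored passwords after the ACLs are set.

```powershell
# Added example: assumes the LAPS management tools (AdmPwd.PS module) are installed
# on the admin workstation. All OU and group names below are placeholders.
Import-Module AdmPwd.PS

$ClientOU  = 'OU=Clients,DC=example,DC=test'    # hypothetical OU containing the clients
$Readers   = 'EXAMPLE\LAPS-PasswordReaders'     # hypothetical group allowed to read passwords
$Resetters = 'EXAMPLE\LAPS-PasswordResetters'   # hypothetical group allowed to force a reset

# Principals you expect to hold extended rights on the OU (assumption, adjust to your domain).
$Expected = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', $Readers)

# Task 1: schema extension. Run once, with an account that is a Schema Admin.
Update-AdmPwdADSchema

# Task 2: ACLs.
# Let each computer account write its own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ClientOU
# Delegate reading the password and forcing a reset to dedicated groups only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ClientOU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ClientOU -AllowedPrincipals $Resetters

# Audit: anyone holding "All extended rights" on the OU can read the stored
# password attribute, so list the holders and flag the ones not on the expected list.
$unexpected = Find-AdmPwdExtendedRights -Identity $ClientOU |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($Expected -notcontains $holder) {
                [pscustomobject]@{ ObjectDN = $_.ObjectDN; Holder = $holder }
            }
        }
    }

if ($unexpected) {
    Write-Warning 'Unexpected principals can read LAPS passwords:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Only expected principals hold extended rights on the OU.'
}
```

Run the audit part again whenever delegations on the OU change, because extended rights granted for other purposes also expose the stored passwords.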
Here you can find detailed information about LAPS: https://technet.microsoft.com/en-us/mt227395.aspx