
Local Administrator Password Solution (LAPS)

October 31, 2019 LAPS, Password, Local, Administrator

Local Administrator Password

Imagine that you are an administrator for an organization that has a fleet of Windows devices. You do not want to set the same local administrator password on every device because of security concerns, so you disable the local administrator accounts. Then a device loses its trust relationship with the domain controller and you are unable to connect. What would you do in this instance? Reinstall Windows? Factory reset? If you have LAPS installed, the local administrator password is saved in AD.

Local administrator accounts can be helpful in allowing an administrator to manage a machine if a trust relationship fails with the domain. It could be viewed as a back door into the system that allows emergency access.

Benefits of using LAPS

  • Passwords are stored in the Active Directory schema

  • Passwords are rotated on a regular basis

  • Each machine will have a different password

  • It can update the account password even if you decide to rename the account

  • Passwords are protected by ACLs

  • It is set up by GPO

  • When implemented correctly, it can help prevent lateral movement

Head over to the Microsoft LAPS blog for more information: https://blogs.msdn.microsoft.com/laps/
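
An added example, not from the original post: a PowerShell check that the rotation and per-machine benefits listed above actually hold for the computers in one OU. It assumes the legacy Microsoft LAPS schema extension (attribute `ms-Mcs-AdmPwdExpirationTime`), the RSAT ActiveDirectory module, and a placeholder OU path; the function name `Get-LapsRotationStatus` is made up for this example.

```powershell
# Added example: audit LAPS coverage and rotation for computers under one OU.
# Assumes the RSAT ActiveDirectory module and the legacy LAPS schema extension,
# which adds ms-Mcs-AdmPwdExpirationTime to computer objects.
Import-Module ActiveDirectory

# Placeholder OU: replace with the OU your LAPS GPO is linked to.
$SearchBase = 'OU=Workstations,DC=example,DC=com'

function Get-LapsRotationStatus {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )

    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # No expiry stamp: LAPS has never set a password on this machine,
            # so its local administrator password is not being managed.
            $status  = 'NotManaged'
            $expires = $null
        } else {
            # The attribute is a Windows FILETIME (100 ns ticks since 1601, UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # Past expiry means the client has not rotated the password on schedule
            # (machine offline, GPO not applied, or LAPS client missing).
            $status  = if ($expires -lt $Now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            Computer   = $_.Name
            Status     = $status
            ExpiresUtc = $expires
        }
    }
}

$report = Get-LapsRotationStatus -SearchBase $SearchBase

# Summary counts, then the machines that need attention.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'Current' | Sort-Object Status, Computer
```

Machines reported as `NotManaged` or `Expired` are the ones where the per-machine, regularly rotated password cannot be relied on for emergency access.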