Using Local Administrator Password Solution (LAPS) to secure domain joined servers?

Last Modified: 2016-06-26
Hi All,

Can I use or implement Local Administrator Password Solution (LAPS) for all of my Production servers?

https://www.microsoft.com/en-us/download/details.aspx?id=46899
https://technet.microsoft.com/en-us/mt227395.aspx

Is it going to interfere with Exchange, SharePoint or SQL Servers?

Walter Curtis, SharePoint AED
Commented:
From the SharePoint point of view, the local administrator account has no influence, provided the machine is in a domain and SharePoint is correctly set up using domain accounts. Probably the same for Exchange and SQL, but I am just sure about SharePoint and not those two.

Hope that helps...
Commented:
You can, no worries.
I would like to introduce my own approach which has several advantages over LAPS: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
Senior IT System Engineer (Author)

Commented:
@Mcknife,
What's the LAPS feature that is lacking and is enhanced by your solution?
Commented:
The LAPS feature uses local accounts - you cannot act on domain resources with those. I use domain accounts.
The reason so many people make the mistake and use a member of the global group "domain admins" to administer a client is simply: they would like to have an account with administrative rights that can access domain resources, for example start a setup from a domain share. My solution offers this, LAPS does not.

Also, my solution is more practical. I click on a shortcut and enter the computer name, and I get connected immediately. With LAPS, we need more steps in between.

Then, LAPS stores passwords in AD and those need to be guarded - my solution does not store passwords; those accounts are also only activated on demand, not permanently as LAPS chooses to do.
Senior IT System Engineer (Author)

Commented:
McKnife,

You are right. Somehow with LAPS it works just fine on workstations, but for the servers there is a problem, because some of them use Local Administrator to run scheduled tasks, hence it will break them.
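One check the author's finding suggests, as an added example (PowerShell, not code from the thread or from Microsoft): before rolling LAPS out to a server, audit it for scheduled tasks and services that log on as the built-in local Administrator, since those are exactly what stops working once the password is rotated. It assumes Windows Server 2016 or later (Get-LocalUser and the ScheduledTasks module) and resolves the account by its RID so a renamed Administrator is still found.

```powershell
# Added example (not from the thread): pre-LAPS audit of dependencies on the local
# built-in Administrator account. Run locally on each server (or via Invoke-Command).
# Assumes Windows Server 2016+ / PowerShell 5.1 (Get-LocalUser, ScheduledTasks module).
$ErrorActionPreference = 'Stop'

# Resolve the built-in Administrator even if it has been renamed: its RID is always 500.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$adminNames = @(
    $builtinAdmin.Name,                            # "Administrator"
    "$env:COMPUTERNAME\$($builtinAdmin.Name)",     # "SERVER01\Administrator"
    ".\$($builtinAdmin.Name)"                      # ".\Administrator" (service log-on form)
)

$findings = @()

# 1. Scheduled tasks whose principal is the local Administrator. Those with a stored
#    password (LogonType 'Password') break as soon as LAPS rotates the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and ($adminNames -contains $_.Principal.UserId) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type      = 'ScheduledTask'
            Name      = "$($_.TaskPath)$($_.TaskName)"
            Account   = $_.Principal.UserId
            LogonType = $_.Principal.LogonType
        }
    }

# 2. Services configured to log on as the local Administrator (also stored credentials).
Get-CimInstance Win32_Service |
    Where-Object { $adminNames -contains $_.StartName } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type      = 'Service'
            Name      = $_.Name
            Account   = $_.StartName
            LogonType = $_.StartMode
        }
    }

if ($findings) {
    Write-Warning ("Found {0} dependency(ies) on '{1}' on {2}; move them to a domain " +
                   "service account or gMSA before enabling LAPS here." -f
                   $findings.Count, $builtinAdmin.Name, $env:COMPUTERNAME)
    $findings | Format-Table -AutoSize
} else {
    "No scheduled tasks or services run as '$($builtinAdmin.Name)' on $env:COMPUTERNAME."
}
```

Tasks that run as SYSTEM or under a domain account are unaffected by LAPS and are deliberately not reported.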
Senior IT System Engineer (Author)

Commented:
Thanks!