
Deploying LAPS

Links and hints for deploying LAPS would be helpful.
Which procedure available on the web is the one you prefer?
Or, perhaps you just use Microsoft instructions as you set it up?

I found this:
https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-1.html ... and -part-2.html
Is it reasonable? There are clearly a number of things that are needed that could be intrusive.

Particular "hints and kinks" that you suggest?

Philip Elder, Technical Architect - HA/Compute/Storage

We've worked with it and it is excellent. It gives us control over the systems and an avenue for users to make a change if it is necessary.

It's great at removing access for tinkerers.

Both parts are excellent write ups. Go for it!

LAPS "just works". You won't look back, go for it!



And, to access the passwords, an authorized user just does what? I need to be able to instruct the users.
I don't need much here, just a quick comment so I can understand what I'll be telling them.

Types in the computer name and reads the password:
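Beyond the LAPS UI, the same lookup can be scripted. The following is an added example, not code from the thread or from the linked blog posts; it uses the legacy LAPS PowerShell module (AdmPwd.PS) and assumes the module is installed on the technician's workstation and that the caller has been delegated the "read password" right. $ComputerName and the -ExpireAfterUse switch are placeholders chosen for this example.

```powershell
# Added example: read a LAPS-managed local administrator password with the AdmPwd.PS module.
# Assumes AdmPwd.PS is installed and the caller has the delegated read-password right.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [switch]$ExpireAfterUse   # placeholder switch: request a rotation once the work is done
)

Import-Module AdmPwd.PS -ErrorAction Stop

# Returns an object with ComputerName, DistinguishedName, Password and ExpirationTimestamp.
$entry = Get-AdmPwdPassword -ComputerName $ComputerName
if (-not $entry.Password) {
    throw "No readable LAPS password for $ComputerName (not rotated yet, or no read permission)"
}

# Copy rather than display: the technician pastes it into the "Run as administrator" / UAC
# prompt inside the RDP session instead of writing it down.
Set-Clipboard -Value $entry.Password
Write-Host "Password for $ComputerName is on the clipboard; current expiry: $($entry.ExpirationTimestamp)"

# Clear the clipboard after a short grace period so the secret does not linger.
Start-Sleep -Seconds 60
Set-Clipboard -Value $null

if ($ExpireAfterUse) {
    # Marks the password as expired; the client rotates it at its next Group Policy refresh.
    Reset-AdmPwdPassword -ComputerName $ComputerName
}
```

Reading the attribute in AD is audited like any other directory read, so keep the read-password right delegated to a small group rather than to all technicians.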



Steve Knight: Thanks. Well, I'd seen that and assumed as much, except:
This interface is running on a computer that the IT Tech is logged onto? Or is the app run "as administrator" on any computer? Or ...?

Suppose that the IT Tech is logged on via RDP as a Standard User and needs the local Admin password for some reason.
Then what do I tell them to do? Back on out, open the app and then write down the password? Ugh.
I presume that Copy and Paste are the best way to go?

I know it would be a lot easier if I had an installation of LAPS to play with but, right now, I don't.
Sorry for asking such basic questions!
Distinguished Expert 2019

I suggest to ask yourself "in what scenarios will I use LAPS?" before you start to set it up, because there are alternate concepts. I know this will raise eyebrows, but I don't consider LAPS to be a good concept for the most common scenarios.

Local admins may not access domain resources - they are limited by definition.

The most common scenario might be end user support - user calling, has a problem, problem needs administrative permissions to get fixed. If you use LAPS, you may remote into the machine and solve it as long as you don't need domain resources (like setup files) for it. If you do, you will need to use 2 accounts, the local admin and another domain account... you could of course ask the person that you support to download the setup from a domain share to a local folder, yes, but who wants that? You are giving support, you have to be independent! In my eyes, LAPS is very limited. Some might argue "use the RDP clipboard for file transfer!" - yes, possible, but very slow, and it would not even work with transferred scripts that reference domain resources.

Please look at my concept for safe user support, which can do without LAPS and can be set up in a few minutes: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html

Feel free to ask for clarification.


I need to be a bit more specific.
LAPS *will be* in use. Perhaps that doesn't matter.

Given that, there remains a need to support machine configurations while logged in as THE standard user, if you will.
This is because of user profile-specific things needing to be configured.
And, in that context, there are times when at least "run as administrator" is necessary.
Thus, the need for:
- that which I asked about initially

It appears that one could use the McKnife approach in order to:
1) log in as the standard user with RDP
2) establish the admin as described and use it to "run as administrator"
Would that work?

The one concern I have is that the technicians are Windows configuration techs and not any good at scripts unless the scripts are canned and can simply be executed. I guess some judicious editing could create an interactive command line / PS interface.


If you want to give support within the user session, and do that comfortably, read https://www.experts-exchange.com/articles/33768/Using-RDP-shadowing-for-convenient-user-support-and-remote-control.html

However, be aware that inserting passwords within the user session is never a good idea as it is insecure. The account that you utilise should be activated only for the time of support.
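One way to keep a support account enabled only for the duration of a session, as an added example (not the concept from the linked article and not code from this thread): enable the account at the start, and disable it again in a finally block so it is turned off even if the script is interrupted. It assumes the ActiveDirectory module is available and that the caller may enable and disable the account; svc-support is a placeholder account name.

```powershell
# Added example: activate a dedicated support account only for the time of the support session.
# Assumes the ActiveDirectory module and permission to enable/disable the account.
param([string]$SupportAccount = 'svc-support')   # placeholder account name

Import-Module ActiveDirectory -ErrorAction Stop

try {
    Enable-ADAccount -Identity $SupportAccount
    Write-Host "$SupportAccount enabled at $(Get-Date -Format o)"

    # Support work happens here (for example an RDP shadow session started by the technician).
    Read-Host 'Press Enter when the support session is finished'
}
finally {
    # Runs on normal completion, on error and on Ctrl+C, so the account never stays enabled.
    Disable-ADAccount -Identity $SupportAccount
    Write-Host "$SupportAccount disabled at $(Get-Date -Format o)"
}
```

The enable and disable events are logged on the domain controller, which gives a clear record of when the account was usable.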



Fred, your feedback is required.


Great comments and insights. Thanks!