Recently Microsoft released an updated version of LAPS (Local Admin Password System). We have a lab here at the office where I'm testing it on a DC & a few Windows boxes.  It works well, but here is my question.

It "appears" to only work with the "Built in admin" account, and not any created ones.  When we deploy a new box we disable the built in admin account and a script creates a new separate admin account.  Will this software monitor and change CREATED admin accounts & not just the built in one?  My suspicion is no it won’t, because it only monitors a specific common GUID that is related to the built in account.  Any thoughts or help is appreciated!

https://technet.microsoft.com/en-us/library/security/3062591.aspx

Answers

0
This is not the case.  As can be seen in the screen shot of the GPO settings here, you can enable "Name of administrator account to manage" and specify the name of the account that you have created to replace the one with the -500 SID.
Answered 06/05/2015 by: BoomStick
White Belt

0
You are incorrect.  As you can see from the screen shot here, you can set the "Name of the administrator account to manage" to enabled and specify the name of the account that you used to replace the account with the -500 SID.
Answered 06/05/2015 by: BoomStick
White Belt
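
A lab check for the setup discussed in this thread, added here as an example and not part of any poster's answer: it puts the -500 built-in account and the script-created account side by side so you can see which is enabled, which is in Administrators, and whose password is actually being changed. The account name `LabAdmin` is a hypothetical placeholder for whatever is entered in "Name of administrator account to manage"; the cmdlets come from the Microsoft.PowerShell.LocalAccounts module in Windows PowerShell 5.1.

```powershell
# Added example (not from the thread). 'LabAdmin' is a hypothetical name:
# use the value entered in "Name of administrator account to manage".
param(
    [string]$ManagedAccountName = 'LabAdmin'
)

# The built-in Administrator has a SID ending in -500, whatever its display
# name is (renamed, or localized on non-English Windows).
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# The script-created account the GPO setting is expected to name.
$managed = Get-LocalUser -Name $ManagedAccountName -ErrorAction SilentlyContinue

# Local Administrators members, resolved by the group's well-known SID so the
# lookup does not depend on the group's localized name.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

if (-not $managed) {
    Write-Warning "No local account named '$ManagedAccountName' exists on this machine."
} elseif ($managed.SID.Value -eq $builtIn.SID.Value) {
    Write-Warning "'$ManagedAccountName' is the renamed built-in (-500) account, not a created one."
} elseif (-not ($adminSids -contains $managed.SID.Value)) {
    Write-Warning "'$ManagedAccountName' is not a member of the local Administrators group."
}
if ($builtIn.Enabled) {
    Write-Warning "Built-in account '$($builtIn.Name)' is still enabled."
}

# One row per account: compare PasswordLastSet before and after a policy
# refresh to see which account's password is being changed.
$accounts = @($builtIn, $managed) | Where-Object { $_ }
$report = foreach ($acct in $accounts) {
    [pscustomobject]@{
        Name             = $acct.Name
        IsBuiltIn500     = $acct.SID.Value -like '*-500'
        Enabled          = $acct.Enabled
        InAdministrators = $adminSids -contains $acct.SID.Value
        PasswordLastSet  = $acct.PasswordLastSet
    }
}
$report | Format-Table -AutoSize
```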

0
To me, the language used makes it pretty clear:

Install LAPS to automatically manage local administrator account passwords

Note that 'local administrator account' is in the singular not the plural.
Answered 06/07/2015 by: VBScab
Red Belt

0
Nice side-stepping of my question.

Moving on...where does my post try to instruct anybody on what a GUID is? I merely mention it to highlight the point that the account could be called anything you like, as Windows itself doesn't care. Did you mean to say "on where a GUID is used"? 

The OP asked:
Will this software monitor and change CREATED admin accounts 
Note the word 'accountS', plural. Answer? No, it will monitor and change only one, although that account doesn't have to be the built-in Administrator account, as we have discussed.

For me, this thread neatly illustrates the importance of phrasing questions and answers correctly. Had the OP asked "Will this software monitor and change an account with which we replace the built-in Administrator account?" perhaps we could've resolved the question without distractions.
Answered 06/08/2015 by: VBScab
Red Belt

-1
Dude - look at the FAQs:

Can LAPS manage a local administrator account not named “administrator”? 
Yes.
Answered 06/07/2015 by: jegolf
Red Belt

  • But does this mean a "renamed" BUILT IN Local admin account, or does it mean a completely different local admin account that has been created?
    • You should have an option within the group policy template to do so:

      https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-3/
-1
Dude, learn how Windows uses GUIDs not 'proper' names. How do you think it manages non-English versions of Windows?

@OP, using your lab, I'd say that you've answered your own question. Did it control the non-standard admin accounts? No.
Answered 06/08/2015 by: VBScab
Red Belt
