
Microsoft LAPS

Recently Microsoft released an updated version of LAPS (Local Admin Password System). We have a lab here at the office where I'm testing it on a DC & a few Windows boxes.  It works well, but here is my question.

It "appears" to only work with the "Built in admin" account, and not any created ones.  When we deploy a new box we disable the built in admin account and a script creates a new separate admin account.  Will this software monitor and change CREATED admin accounts & not just the built in one?  My suspicion is no it won’t, because it only monitors a specific common GUID that is related to the built in account.  Any thoughts or help is appreciated!

https://technet.microsoft.com/en-us/library/security/3062591.aspx



Answers (6)

Posted by: BoomStick 5 years ago
White Belt
0
This is not the case.  As can be seen in the screen shot of the GPO settings here, you can enable "Name of administrator account to manage" and specify the name of the account that you have created to replace the one with the -500 SID.
Posted by: BoomStick 5 years ago
White Belt
0
You are incorrect.  As you can see from the screen shot here, you can set the "Name of the administrator account to manage" to enabled and specify the name of the account that you used to replace the account with the -500 SID.
Posted by: anonymous_9363 5 years ago
Red Belt
0
To me, the language used makes it pretty clear:

Install LAPS to automatically manage local administrator account passwords

Note that 'local administrator account' is in the singular not the plural.
Posted by: anonymous_9363 5 years ago
Red Belt
0
Nice side-stepping of my question.

Moving on...where does my post try to instruct anybody on what a GUID is? I merely mention it to highlight the point that the account could be called anything you like, as Windows itself doesn't care. Did you mean to say "on where a GUID is used"? 

The OP asked:
Will this software monitor and change CREATED admin accounts 
Note the word 'accountS', plural. Answer? No, it will monitor and change only one, although that account doesn't have to be the built-in Administrator account, as we have discussed.

For me, this thread neatly illustrates the importance of phrasing questions and answers correctly. Had the OP asked "Will this software monitor and change an account with which we replace the built-in Administrator account?" perhaps we could've resolved the question without distractions.
Posted by: jegolf 5 years ago
Red Belt
-1
Dude - look at the FAQs:

Can LAPS manage a local administrator account not named “administrator”? 
Yes.

Comments:
  • But does this mean a "renamed" BUILT IN Local admin account, or does it mean a completely different local admin account that has been created? - Techie702 5 years ago
    • You should have an option within the group policy template to do so:

      https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-3/ - jegolf 5 years ago
    • I took this from the Executive Summary right after download: Purpose of this document is to provide reader with detailed technical specification of solution for management of password of local (built-in or custom) Administrator password on domain-joined computers (servers and workstations). - RolandoJohn 3 years ago
Posted by: anonymous_9363 5 years ago
Red Belt
-1
Dude, learn how Windows uses GUIDs not 'proper' names. How do you think it manages non-English versions of Windows?

@OP, using your lab, I'd say that you've answered your own question. Did it control the non-standard admin accounts? No.
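
The answers above turn on two points: the built-in administrator is identified by its -500 SID rather than its name, and the policy covers one account per machine. The PowerShell below is an added example, not code from any poster or from Microsoft. It lists the local accounts in the Administrators group and flags any enabled one that is not the managed account. `Find-UnmanagedLocalAdmin`, `-ManagedAccountName` and the sample name `LabAdmin` are hypothetical, and it assumes the built-in account is the managed one when no name is given.

```powershell
# Added example: audit which enabled local administrators a single
# LAPS-managed account would leave uncovered.
# Find-UnmanagedLocalAdmin and -ManagedAccountName are hypothetical names.
function Find-UnmanagedLocalAdmin {
    [CmdletBinding()]
    param(
        # The name entered in the "Name of administrator account to manage"
        # GPO setting. Leave empty when that setting is not configured
        # (assumption: the built-in account is then the managed one).
        [string]$ManagedAccountName
    )

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup works on non-English builds where the group is renamed.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        # Domain principals and nested groups are not local users: skip them.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # The built-in administrator keeps RID 500 whatever it is renamed to.
        $isBuiltIn = $user.SID.Value -match '-500$'

        if ($ManagedAccountName) {
            $isManaged = $user.Name -eq $ManagedAccountName
        } else {
            $isManaged = $isBuiltIn
        }

        [pscustomobject]@{
            Name        = $user.Name
            SID         = $user.SID.Value
            BuiltIn     = $isBuiltIn
            Enabled     = $user.Enabled
            Managed     = $isManaged
            # Enabled local admin whose password is not rotated by the policy.
            NeedsReview = ($user.Enabled -and -not $isManaged)
        }
    }
}

# 'LabAdmin' is a constructed sample name for the script-created account.
Find-UnmanagedLocalAdmin -ManagedAccountName 'LabAdmin' | Format-Table -AutoSize
```

Any row with `NeedsReview` set to `True` is an enabled local administrator whose password the policy does not rotate.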
