Not sure I am understanding you fully on this, but the point of LAPS is that you don’t have 1 password, as once that password is compromised, and it will be, it can be used on every other machine on your network.
If a machine running LAPS has its local admin password compromised, it is useless on the network, as its unique and random. Chris Barnes MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure Coretek Services | Microsoft Delivery Manager • 248.767.4415 cell • [email protected] • http://www.coretekservices.com<http://www.coretekservices.com/> From: [email protected] [mailto:[email protected]] On Behalf Of Burke, John Sent: Wednesday, April 12, 2017 12:12 PM To: [email protected] Subject: [mssms] RE: Opinions Local Admin So it would seem everyone agrees that it should be done. I was even questioning that. It seems pretty easy to change it regularly via SCCM or GPO and have 1 password. I’ll look into that solution for sure though. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Chris Barnes Sent: April-11-17 6:18 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] RE: Opinions Local Admin Totally agree on LAPS. Probably the best ROI on effort for anything security related. Very easy to rollout. This is probably the best guide I have seen on rolling it out. https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-1/<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fflamingkeys.com%2Fdeploying-the-local-administrator-password-solution-part-1%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7Ce37944f3217648c422ce08d481c0b853%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276112102083059&sdata=JfwP82SLdsBbXMKQMcYcazvtkvlA78ZBpXBWaqNV%2BPM%3D&reserved=0> 2nd Place would be Credential Guard. Chris Barnes MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure Coretek Services | Microsoft Delivery Manager • 248.767.4415 cell • [email protected] • http://www.coretekservices.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.coretekservices.com%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7Ce37944f3217648c422ce08d481c0b853%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276112102083059&sdata=LVsj9Zr3UnteLJVt2usNgMltdM7%2BKqXmrJnUsmU92Rs%3D&reserved=0> From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Daniel Ratliff Sent: Tuesday, April 11, 2017 2:17 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] RE: Opinions Local Admin Use LAPS, no question. https://technet.microsoft.com/en-us/mt227395.aspx<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fmt227395.aspx&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C7e697dd0aae648c0e42808d48108f3ec%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636275322861559939&sdata=94Q%2BZ0hL0I8RWez55SIxeiJZ26Uv85DjPQrgWcBjPPs%3D&reserved=0> https://www.microsoft.com/en-us/download/details.aspx?id=46899<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D46899&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C7e697dd0aae648c0e42808d48108f3ec%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636275322861559939&sdata=4fzLYYwHS%2FG6ThhNe5HlAP0KmB5KHm7bDs25awaLnqA%3D&reserved=0> Daniel Ratliff From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Burke, John Sent: Tuesday, April 11, 2017 1:37 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] Opinions Local Admin Hi, We are talking about creating unique local admin passwords for our systems (vs changing it regularly). I’m wondering how many folks actually create unique local admin passwords vs just changing it regularly? The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
