LAPS can't handle multiple accounts

Pavel yannara Mirochnitchenko 11,626 Reputation points
2022-05-03T09:57:46.253+00:00

I have a case where all computers are shipped with the LAPS production GPO, where the local admin account is renamed to AdminA with 30-day renewal. Then we have special groups of computers, where renewal is 180 days and the name is AdminB. Basically, small numbers of computers are being transferred from production to special. The problem is that a computer does pick up the special policy with AdminB, but it does not change the account name and does not change the password renewal period. I have checked with gpresult /r that the special computer gets the special GPO policy and the production policy is excluded. But it seems like the LAPS client can't handle the renaming a second time.

Is this something which LAPS does not support?


3 answers

  1. Pavel yannara Mirochnitchenko 11,626 Reputation points
    2022-05-04T05:51:58.593+00:00

    I solved it by creating a new account with Group Policy Preferences.

  2. Limitless Technology 39,341 Reputation points
    2022-05-04T07:45:53.543+00:00

    Hi there,

    Yes, LAPS does not support this. LAPS can only store one password in the attribute. If you have multiple local admin accounts enabled on the computer, you are encouraged to disable all but one and have that one use LAPS.

    LAPS will look for the built-in Administrator account by default. If the built-in Administrator account has been renamed LAPS will still change that account's password. If you disable the built-in Administrator account and use your own local admin account in your image you can still leverage LAPS. You will need to create a GPO at your departmental level or lower that specifies the name of the local admin account you want to change the password on.

    You can read more about LAPS from here: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185

    LAPS with Multiple Accounts https://social.technet.microsoft.com/Forums/en-US/014e7994-58bc-4071-a264-eff4ce4628b5/laps-with-multiple-accounts?forum=winserversecurity


  3. Pavel yannara Mirochnitchenko 11,626 Reputation points
    2022-05-12T06:45:11.807+00:00

    Actually, I still have a problem: when the account is changed from AdminA to AdminB, the LAPS client still uses the 30-day policy for password changing, not the 180 days set for AdminB. The GPO inherits correctly, but the LAPS client does not honor that. It is still somehow stuck with the AdminA password lifecycle.
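As an added diagnostic (not code from the thread or from Microsoft), this PowerShell reads the LAPS policy that Group Policy actually applied to the machine and the next-rotation time the legacy LAPS client stored on the computer object, so you can see whether the AdminB/180-day settings reached the client and when the next rotation under them will happen. It assumes the legacy Microsoft LAPS registry path written by AdmPwd.admx and the RSAT ActiveDirectory module.

```powershell
# Added diagnostic, not from the thread. Run elevated on the affected computer with the
# RSAT ActiveDirectory module present. Path and value names are those written by the
# legacy Microsoft LAPS ADMX template (AdmPwd.admx).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

function Get-LapsEffectivePolicy {
    # What Group Policy actually wrote on this machine (what gpresult shows as applied).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    [pscustomobject]@{
        Enabled          = [bool]$p.AdmPwdEnabled
        AdminAccountName = $p.AdminAccountName   # empty means the built-in (RID 500) Administrator
        PasswordAgeDays  = [int]$p.PasswordAgeDays
    }
}

function Get-LapsStoredExpiration {
    # Legacy LAPS keeps the next rotation time as a FILETIME in this attribute of the
    # computer object; the client rotates the password only once this time has passed.
    $c   = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$raw)
}

$policy  = Get-LapsEffectivePolicy
$expires = Get-LapsStoredExpiration

# Resolve the account the policy names, falling back to the RID 500 account.
$acct = if ($policy.AdminAccountName) { $policy.AdminAccountName } else {
    (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
}
if (-not (Get-LocalUser -Name $acct -ErrorAction SilentlyContinue)) {
    Write-Warning "Policy names '$acct' but no such local account exists; LAPS has nothing to rotate."
}

Write-Host ("LAPS enabled    : {0}" -f $policy.Enabled)
Write-Host ("Managed account : {0}" -f $acct)
Write-Host ("Password age    : {0} days" -f $policy.PasswordAgeDays)
Write-Host ("Stored expiry   : {0}" -f ($(if ($expires) { $expires.ToString('u') } else { '<none>' })))

# The stored expiry was computed by the last rotation. If the policy now says 180 days but the
# expiry is still within about 30 days of the last change, the last rotation ran under the old
# policy, and the new age only applies after that stored date passes.
if ($expires) {
    $remaining = [math]::Round(($expires - (Get-Date).ToUniversalTime()).TotalDays, 1)
    Write-Host ("Days until next rotation: {0}" -f $remaining)
}
```

If the account the policy names is missing locally, the warning explains why no rename or rotation is observed; if the stored expiry is still on the old cadence, the rotation date shows when the new policy will first take effect.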