is it recommended to link LAPS group policy at the domain level?

afsar shariff 6 Reputation points
2021-03-02T20:04:56.58+00:00

Hi All, Please advise if it is recommended to link the LAPS group policy at the domain level? what is the implication of doing it? Local administrator password solution Please provide the supporting Microsoft Learn on this question. Thanks!

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,917 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-03-03T00:50:23.407+00:00

    Hi,
    I tried to find some Microsoft Learn on this question, but without luck.
    Based on my research, LAPS group policy is based on computer configuration, you can deploy the policies on the OUs which containing PCs you want to manage through the LAPS, no need to deploy all the LAPS related GPO on the domain level.
    Operation details can be found in the operations guide
    https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_OperationsGuide.docx

    Best Regards,


  2. DonPick 1,261 Reputation points
    2021-03-07T04:15:40.493+00:00

    reading several related discussions, it seems caution may be needed in case you link the LAPS GPO where it would be inherited/applied to the Domain Controllers, as the 'Domain Administrator' account might be affected by automatic pwd changes...

    https://social.technet.microsoft.com/Forums/ie/en-US/a0b7c899-38c6-47c9-adf8-6f64744cb115/should-i-install-laps-on-a-domain-controller?forum=winserverDS

    https://social.technet.microsoft.com/Forums/en-US/957edf9f-b80d-4a77-9450-175fe1be59f1/laps-has-changed-the-domain-administrator-password?forum=winserverGP

    0 comments No comments

  3. Mark Heitbrink 96 Reputation points
    2021-03-11T10:39:29.29+00:00

    It needs 3 conditions to get LAPS functional.

    1. the CSE / registered DLL on the client
    2. the SELF WRITE permission of the computerobject for the 2 attributes
    3. Enable LAPS by registry or GPO

    If LAPS GPO is linked on Domain Level it will not effect the systems, without condition 1 and 2. There is no impact or problem to link it there. Afraid of your DCs? No worry, simply do not install LAPS on them and do not grant SELF WRITE permission.

    0 comments No comments