Is it recommended to link LAPS group policy at the domain level?

afsar shariff 6 Reputation points

Hi All, please advise if it is recommended to link the LAPS group policy at the domain level. What is the implication of doing it? (Local Administrator Password Solution.) Please provide the supporting Microsoft Learn on this question. Thanks!

Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.

3 answers

  1. Fan Fan 15,191 Reputation points

    I tried to find some Microsoft Learn on this question, but without luck.
    Based on my research, LAPS group policy is based on computer configuration; you can deploy the policies on the OUs containing the PCs you want to manage through LAPS, so there is no need to deploy all the LAPS-related GPOs at the domain level.
    Operation details can be found in the operations guide.

    Best Regards,

  2. DonPick 1,256 Reputation points

    Reading several related discussions, it seems caution may be needed in case you link the LAPS GPO where it would be inherited/applied to the Domain Controllers, as the 'Domain Administrator' account might be affected by automatic password changes...


  3. Mark Heitbrink 96 Reputation points

    LAPS needs 3 conditions to be functional.

    1. The CSE / registered DLL on the client
    2. The SELF WRITE permission on the computer object for the 2 attributes
    3. LAPS enabled by registry or GPO

    If the LAPS GPO is linked at domain level, it will not affect systems without conditions 1 and 2. There is no impact or problem to link it there. Afraid for your DCs? No worry, simply do not install LAPS on them and do not grant the SELF WRITE permission.

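The three conditions listed in the last answer can be checked per machine before a domain-level link is made. The script below is an added example, not part of the thread; it assumes legacy Microsoft LAPS (the AdmPwd client, whose CSE GUID, policy key and attribute names it uses) and the RSAT ActiveDirectory module, and `Test-LapsPrerequisite` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Assumes legacy Microsoft LAPS (AdmPwd)
# and the RSAT ActiveDirectory module; run on the computer being checked.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LapsPrerequisite {   # hypothetical helper name
    # Condition 1: the LAPS CSE is registered as a Group Policy extension.
    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $cseRegistered = Test-Path -LiteralPath $cseKey

    # Condition 3: the policy value delivered by GPO (or set by hand).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $pol) -and ($pol.AdmPwdEnabled -eq 1)

    # Condition 2: an Allow ACE lets SELF (S-1-5-10) write both LAPS attributes
    # on this computer object. Attribute GUIDs are read from the schema.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrGuids = @(foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if ($attr) { [guid]$attr.schemaIDGUID }
    })
    $dn    = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $rules = (Get-Acl -Path "AD:\$dn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = @(foreach ($g in $attrGuids) {
        [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-10' -and
            $_.AccessControlType -eq 'Allow' -and
            -not ($_.PropagationFlags -band $inheritOnly) -and
            ($_.ActiveDirectoryRights -band $write) -and
            ($_.ObjectType -eq $g -or $_.ObjectType -eq [guid]::Empty)
        })
    })
    # False when the schema has not been extended or either attribute lacks the ACE.
    $selfWrite = ($attrGuids.Count -eq 2) -and ($granted -notcontains $false)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        CseRegistered = $cseRegistered
        SelfWrite     = $selfWrite
        PolicyEnabled = $policyEnabled
        LapsActive    = $cseRegistered -and $selfWrite -and $policyEnabled
    }
}

Test-LapsPrerequisite
```

On a domain controller that is meant to stay outside LAPS, `CseRegistered` and `SelfWrite` should both be `False` even when `PolicyEnabled` is `True` because of an inherited domain-level link.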