Hi there,
Once LAPS is in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator password in the following order.
- Generate a new password for the local administrator account.
- Validate the new password with the password policy settings.
- Save the password under the Active Directory computer object's ms-Mcs-AdmPwd attribute. This attribute is added to the schema as part of the LAPS installation process.
- Save the next expiry date of the password under the ms-Mcs-AdmPwdExpirationTime attribute. This attribute is also added to the schema as part of the LAPS installation process.
- Change the administrator password.
So I guess your only option is to find the applications and force them not to use the domain administrator credentials.
-- If the reply is helpful, please Upvote and Accept it as an answer --
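An added example, not part of the original answer: a PowerShell check of whether the CSE is completing the cycle described above, by classifying computers on the ms-Mcs-AdmPwdExpirationTime value alone (the password attribute is never read). The function name `Get-LapsState` and the sample computer names are assumptions made for illustration; the sample objects are constructed.

```powershell
# Classify computers by the LAPS expiry attribute the CSE writes after each rotation.
# The attribute holds a Windows FILETIME (Int64, UTC).
function Get-LapsState {
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # Attribute never written: the CSE has not completed a cycle on this machine.
            $expiry = $null
            $state  = 'NoExpiryRecorded'
        } else {
            $expiry = [datetime]::FromFileTimeUtc([int64]$raw)
            # A past expiry means the CSE has not rotated the password since it lapsed.
            $state  = if ($expiry -lt $Now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            Computer  = $Computer.Name
            ExpiryUtc = $expiry
            State     = $state
        }
    }
}

# Constructed sample objects so the logic can be run without a domain.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-SAMPLE-01'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-SAMPLE-02'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-40).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-SAMPLE-03'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
$sample | Get-LapsState -Now $now | Format-Table -AutoSize

# Against a real domain (requires the RSAT ActiveDirectory module):
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties ms-Mcs-AdmPwdExpirationTime |
#     Get-LapsState | Where-Object State -ne 'Current' | Sort-Object State, Computer
```

Machines reported as `NoExpiryRecorded` or `Expired` are the ones where the rotation sequence is not running, so their local administrator password is not under LAPS management.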