Disable LAPS temporarily or exclude domain administrator

Chicagotech.net 166 Reputation points
2022-04-23T02:01:57.257+00:00

After configuring Local Administrator Password Solution (LAPS), we find LAPS generates a password for domain administrator (we thought LAPS would manage Local computer administrator password only not domain administrator). Anyway, can we disable LAPS temporarily or exclude domain administrator from LAPS because we are worried about some applications such as backup may still use domain administrator credentials?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,778 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 39,501 Reputation points
    2022-04-27T07:59:56.083+00:00

    Hi there,

    Once LAPS are in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator password in the following order.

    1. Generate a new password for the local administrator account.
    2. Validate the new password with the password policy settings.
    3. Save password under Active Directory computer object’s attribute ms-Mcs-AdmPwd. This attribute is added to the schema as part of the LAPS installation process.
    4. Save the next expiry date of the password under ms-Mcs-AdmPwdExpirationTime attribute. This attribute was also added to the schema as part of the LAPS installation process.
    5. Change the administrator password.

    So I guess your only option is to find the applications and force them not to use the domain administrator credentials.


    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments

  2. Chicagotech.net 166 Reputation points
    2022-04-28T20:03:32.717+00:00

    Thank you for the reply. One more question. As test, we find at least one of computers local administrator doesn't work. We have multiple IT people to try it. LAPS UI and Get-AdmPwdPassword -ComputerName pco1 shows the same password. But the PC doesn't take it. We also run gpupdate /force on the PC.

    What could be the problem?

    197504-image.png

    0 comments No comments

  3. Chicagotech.net 166 Reputation points
    2022-04-28T21:42:29.55+00:00

    Ok, we find the problem. Some apps and services use administrator account with original password to login. That locked the administrator account.

    0 comments No comments