Disable LAPS temporarily or exclude domain administrator

Chicagotech.net 171 Reputation points
2022-04-23T02:01:57.257+00:00

After configuring Local Administrator Password Solution (LAPS), we find that LAPS generates a password for the domain administrator (we thought LAPS would manage the local computer administrator password only, not the domain administrator). Anyway, can we disable LAPS temporarily or exclude the domain administrator from LAPS, because we are worried that some applications, such as backup, may still use domain administrator credentials?


3 answers

Sort by: Most helpful
  1. Limitless Technology 39,926 Reputation points
    2022-04-27T07:59:56.083+00:00

    Hi there,

    Once LAPS is in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator password in the following order.

    1. Generate a new password for the local administrator account.
    2. Validate the new password with the password policy settings.
    3. Save the password under the Active Directory computer object's attribute ms-Mcs-AdmPwd. This attribute is added to the schema as part of the LAPS installation process.
    4. Save the next expiry date of the password under the ms-Mcs-AdmPwdExpirationTime attribute. This attribute was also added to the schema as part of the LAPS installation process.
    5. Change the administrator password.

    So I guess your only option is to find the applications and force them not to use the domain administrator credentials.


    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Chicagotech.net 171 Reputation points
    2022-04-28T20:03:32.717+00:00

    Thank you for the reply. One more question. As a test, we find that on at least one computer the local administrator password doesn't work. We have had multiple IT people try it. The LAPS UI and Get-AdmPwdPassword -ComputerName pco1 show the same password, but the PC doesn't accept it. We also ran gpupdate /force on the PC.

    What could be the problem?


  3. Chicagotech.net 171 Reputation points
    2022-04-28T21:42:29.55+00:00

    Ok, we found the problem. Some apps and services use the administrator account with the original password to log in. That locked the administrator account.

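The situation in this thread (a LAPS-rotated local administrator password that "doesn't work" because something still logs in with the old one and locks the account) can be diagnosed from the computer object and the computer's own Security log. The script below is an added example, not code from the thread or from Microsoft's LAPS tooling. It assumes the legacy LAPS schema attributes named in the first answer (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime), the ActiveDirectory RSAT module, read rights on those attributes, and remote event log access to the computer; the computer name, account name and look-back window are illustrative parameters.

```powershell
# Added example, not from the thread: inspect a computer's LAPS-managed password
# state and find which process is still using the old local administrator password.
# Assumes legacy LAPS (ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes),
# the ActiveDirectory RSAT module, read rights on the LAPS attributes, and remote
# event log access to the computer. The parameter defaults are illustrative.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [string] $LocalAdminName = 'Administrator',   # assumed name of the LAPS-managed account
    [int]    $LookbackHours  = 24
)

Import-Module ActiveDirectory

# Helper: turn an event's EventData into a name->value hashtable so fields are
# looked up by name rather than by positional index.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    return $data
}

# 1. LAPS state: the same data Get-AdmPwdPassword shows, read directly from AD.
$comp = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expiry = $null
if ($comp.'ms-Mcs-AdmPwdExpirationTime') {
    # The expiration time is stored as a Windows FILETIME (Int64)
    $expiry = [DateTime]::FromFileTimeUtc([int64]$comp.'ms-Mcs-AdmPwdExpirationTime')
}
[pscustomobject]@{
    Computer       = $comp.Name
    PasswordStored = [bool]$comp.'ms-Mcs-AdmPwd'
    ExpiresUtc     = $expiry
    Expired        = ($null -ne $expiry -and $expiry -lt [DateTime]::UtcNow)
} | Format-List

$since = (Get-Date).AddHours(-$LookbackHours)

# 2. Lockouts of a *local* account are logged on the computer itself (event 4740);
#    TargetDomainName in that event is the caller computer name.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -ieq $LocalAdminName) {
            '{0:u}  {1} locked out; caller computer: {2}' -f $_.TimeCreated, $d.TargetUserName, $d.TargetDomainName
        }
    }

# 3. Failed logons (event 4625) for that account, grouped by process, logon type,
#    workstation and sub-status, point at the service, task or agent still holding
#    the old password. SubStatus 0xC000006A = wrong password, 0xC0000234 = locked out.
$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetUserName -ieq $LocalAdminName }

$failures |
    Group-Object { '{0}|{1}|{2}|{3}' -f $_.ProcessName, $_.LogonType, $_.WorkstationName, $_.SubStatus } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $p = $_.Name -split '\|'
        [pscustomobject]@{ Count = $_.Count; Process = $p[0]; LogonType = $p[1]; Workstation = $p[2]; SubStatus = $p[3] }
    } | Format-Table -AutoSize
```

Run it from a management host as `.\Find-StaleLapsLogons.ps1 -ComputerName pco1` (script name assumed). A high count for one ProcessName with SubStatus 0xC000006A identifies the component that needs its stored credential updated or moved off the built-in administrator account; once that is fixed, the lockout clears on its own after the lockout duration or after unlocking the account locally.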
