Disable LAPS temporarily or exclude domain administrator

Question

After configuring Local Administrator Password Solution (LAPS), we find LAPS generates a password for domain administrator (we thought LAPS would manage Local computer administrator password only not domain administrator). Anyway, can we disable LAPS temporarily or exclude domain administrator from LAPS because we are worried about some applications such as backup may still use domain administrator credentials?

Answer 1

Hi there,

Once LAPS are in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator password in the following order.

1. Generate a new password for the local administrator account.
2. Validate the new password with the password policy settings.
3. Save password under Active Directory computer object’s attribute ms-Mcs-AdmPwd. This attribute is added to the schema as part of the LAPS installation process.
4. Save the next expiry date of the password under ms-Mcs-AdmPwdExpirationTime attribute. This attribute was also added to the schema as part of the LAPS installation process.
5. Change the administrator password.

So I guess your only option is to find the applications and force them not to use the domain administrator credentials.

---

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Thank you for the reply. One more question. As test, we find at least one of computers local administrator doesn't work. We have multiple IT people to try it. LAPS UI and Get-AdmPwdPassword -ComputerName pco1 shows the same password. But the PC doesn't take it. We also run gpupdate /force on the PC.

What could be the problem?

Answer 3

Ok, we find the problem. Some apps and services use administrator account with original password to login. That locked the administrator account.