yannara asked

LAPS can't handle multiple accounts

I have a case where all computers are shipped with the LAPS production GPO, where the local admin account is renamed to AdminA with a 30-day renewal. Then we have special groups of computers where the renewal is 180 days and the name is AdminB. Basically, small numbers of computers are being transferred from production to special. The problem is that a computer does pick up the special policy with AdminB, but it does not change the account name and does not change the password renewal period. I have checked with gpresult /r that the special computer gets the special GPO policy and the production policy is excluded. But it seems like the LAPS client can't handle the renaming a second time.

Is this something which LAPS does not support?

Tags: windows-10-security, windows-group-policy

yannara answered

I solved it by creating a new account with Group Policy Preferences.


LimitlessTechnology-2700 answered

Hi there,

Yes, LAPS does not support this. LAPS can only store one password in the attribute. If you have multiple local admin accounts enabled on the computer, you are encouraged to disable all but one and have that one use LAPS.

LAPS will look for the built-in Administrator account by default. If the built-in Administrator account has been renamed, LAPS will still change that account's password. If you disable the built-in Administrator account and use your own local admin account in your image, you can still leverage LAPS. You will need to create a GPO at your departmental level or lower that specifies the name of the local admin account whose password you want to change.

You can read more about LAPS from here: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185

LAPS with Multiple Accounts https://social.technet.microsoft.com/Forums/en-US/014e7994-58bc-4071-a264-eff4ce4628b5/laps-with-multiple-accounts?forum=winserversecurity

--If the reply is helpful, please Upvote and Accept it as an answer--


yannara answered

Actually, I still have a problem: when the account is changed from AdminA to AdminB, the LAPS client still uses the 30-day policy for password changing, not the 180 days which is set for AdminB. The GPO inherits correctly, but the LAPS client does not honor that. It is still somehow stuck with the AdminA password lifecycle.

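A diagnostic for the situation described in this thread, added here as an example and not code from the original posts: it reads the legacy LAPS (AdmPwd) policy values the client actually received from its policy registry key, checks that a local account with the managed name exists, and compares the policy's PasswordAgeDays with the expiry LAPS last wrote to the computer object's ms-Mcs-AdmPwdExpirationTime attribute. It assumes the legacy LAPS client (not Windows LAPS), the RSAT ActiveDirectory module, PowerShell remoting to the endpoint, and the registry path and value names shown in the comments.

```powershell
# Added example: does the computer's effective LAPS policy match what is recorded in AD?
# Legacy LAPS stores policy under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd and
# the next rotation time in ms-Mcs-AdmPwdExpirationTime (a FILETIME, Int64).
param(
    [Parameter(Mandatory)] [string] $ComputerName   # the "special" computer to check
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# 1. Read the policy as received on the client itself (after gpupdate).
$policy = Invoke-Command -ComputerName $ComputerName -ArgumentList $policyKey -ScriptBlock {
    param($key)
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $name = $p.AdminAccountName
    # An empty AdminAccountName means LAPS manages the built-in account (RID 500),
    # whatever it has been renamed to; otherwise the named account must exist.
    $account = if ([string]::IsNullOrEmpty($name)) {
        Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    } else {
        Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ManagedName     = if ($name) { $name } else { '(built-in, RID 500)' }
        AccountExists   = [bool]$account
        PasswordAgeDays = [int]$p.PasswordAgeDays
        ExpiryProtected = [int]$p.PwdExpirationProtectionEnabled -eq 1
    }
}

# 2. Read what LAPS last wrote to the computer object in AD.
$ad  = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
$raw = $ad.'ms-Mcs-AdmPwdExpirationTime'
if (-not $raw) { throw "LAPS has never written an expiry for $ComputerName" }
$expiresUtc = [DateTime]::FromFileTimeUtc([int64]$raw)
$remaining  = ($expiresUtc - (Get-Date).ToUniversalTime()).TotalDays

# 3. Report. The client does not touch a future expiry that is within policy, so after a
# move to a longer PasswordAgeDays the old, shorter expiry still decides the next rotation;
# the new interval only applies once the password is rotated again.
[pscustomobject]@{
    Computer            = $ComputerName
    ManagedAccount      = $policy.ManagedName
    AccountExists       = $policy.AccountExists
    PolicyAgeDays       = $policy.PasswordAgeDays
    ExpiryProtected     = $policy.ExpiryProtected
    ExpiresUtc          = $expiresUtc
    DaysRemaining       = [math]::Round($remaining, 1)
    ExpiryExceedsPolicy = $remaining -gt $policy.PasswordAgeDays
}
```

To have the new interval apply at the next policy refresh instead of waiting for the old expiry, the LAPS module's `Reset-AdmPwdPassword -ComputerName <name>` clears the expiry so the client rotates immediately.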