question

0 Votes
Chicagotechnet-3655 asked · Chicagotechnet-3655 commented

Microsoft LAPS questions

We deployed LAPS and installed LAPS on one of our domain controllers. Now the domain administrator password has changed, and we have some issues. If we want to deploy LAPS to all workstations only, but not servers and domain controllers, can we just remove LAPS from the DC and install it on one of the member servers? Also, in the GPO, add the computers we want to apply LAPS to. Right?

windows-server-security

Hello Chicagotechnet-3655,

I would like to know how things are going on your end? If you have any further questions or concerns about this case, please feel free to let us know.


Best Regards,
Daisy Zhou



============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

The LAPS console can be installed anywhere - it's just a GUI and doesn't do any actual work.
On the machines where you want to use LAPS, install the agent.
Define the LAPS GPO settings and apply them to the machines in scope.
Both of the above are very easy to target at workstations only.

0 Votes 0 ·

Thank you!

0 Votes 0 ·

1 Answer

0 Votes
DaisyZhou-MSFT answered · DaisyZhou-MSFT edited

Hello Chicagotechnet-3655,

Thank you for posting here.

From my experience and understanding, LAPS manages the password of the local administrator account of the domain-joined clients or servers on the domain controller.

The solution is built on Active Directory infrastructure. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks.


The following steps need to be performed to configure LAPS:

1. Installation of the GP CSE (Group Policy Client Side Extension) via MSI installation
   1-1. On management computers
   1-2. On clients to be managed
2. AD preparation
   2-1. Schema extension
   2-2. Permission updates
3. Group Policy configuration

Q: If we want to deploy LAPS to all workstations only, but not servers and domain controllers, can we just remove LAPS from the DC and install it on one of the member servers?
A: You can make one domain-joined member server the management computer instead of a Domain Controller, and install the AD DS management tools on this management computer, so I think you still need the domain administrator credential.

Q: Also, in the GPO, add the computers we want to apply LAPS to. Right?
A: The GPO can be linked to an OU. If you want to deploy LAPS to all workstations only, but not servers and domain controllers, you can add only the computers you want to this OU.


Hope the information is helpful. If anything is unclear, please feel free to let us know.



Best Regards,
Daisy Zhou



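As an added example (not from the original answer or from the commenter, and not Microsoft's own deployment script), the three steps above and the "target only workstations" advice from the comments carried out on a member server used as the LAPS management computer. Names are assumptions: the domain contoso.com, the OU "OU=Workstations,DC=contoso,DC=com", a helpdesk group "LAPS-PasswordReaders", a client named WS-001, and the LAPS installer copied to \\fileserver\software\LAPS.x64.msi. The cmdlets are from the AdmPwd.PS module that the LAPS MSI installs and from the RSAT GroupPolicy module. The account running it needs Schema Admins membership for the one-time schema extension and write permission on the OU's ACL, which is what the answer means by still needing a domain administrator credential.

```powershell
# Added example: scope LAPS to a workstation OU only (not the page's own code).
# Assumed names: contoso.com, OU=Workstations, group LAPS-PasswordReaders, client WS-001,
# installer at \\fileserver\software\LAPS.x64.msi. Run on the management member server.

$WorkstationOU = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU holding the workstations
$ReaderGroup   = 'CONTOSO\LAPS-PasswordReaders'        # assumed helpdesk group

# 1-1  Management computer: full install (PowerShell module, GPO templates, UI).
Start-Process msiexec.exe -ArgumentList '/i \\fileserver\software\LAPS.x64.msi ADDLOCAL=ALL /quiet' -Wait
# 1-2  Clients: the default MSI install (CSE only) is deployed separately, e.g. via GPO
#      software installation linked to $WorkstationOU. Do not link it to Domain Controllers.

Import-Module AdmPwd.PS

# 2-1  Schema extension (one-time): adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# 2-2  Permissions: computers in the OU may write their own password attributes ...
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU
# ... and only the helpdesk group may read or force-reset them.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $ReaderGroup

# Check: which principals hold "All extended rights" on the OU and can therefore read
# every stored password? Anything beyond Domain Admins, SYSTEM and $ReaderGroup should be reviewed.
Find-AdmPwdExtendedRights -Identity $WorkstationOU | Select-Object ObjectDN, ExtendedRightHolders

# 3  Group Policy: create the LAPS settings GPO and link it to the workstation OU only.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'LAPS - Workstations' -Comment 'Manage the local Administrator on workstations only'
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4   # upper, lower, digits, specials
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
New-GPLink -Name $gpo.DisplayName -Target $WorkstationOU -LinkEnabled Yes

# Verify the GPO is not linked to the Domain Controllers OU (the situation the question describes).
Get-GPInheritance -Target 'OU=Domain Controllers,DC=contoso,DC=com' |
    Select-Object -ExpandProperty GpoLinks | Where-Object DisplayName -eq $gpo.DisplayName

# After the next policy refresh on a client (gpupdate /force), the stored password is readable
# only by the principals granted above:
Get-AdmPwdPassword -ComputerName 'WS-001' | Select-Object ComputerName, Password, ExpirationTimestamp
```

The scoping comes entirely from where the CSE is installed and where the GPO is linked: a DC that has the CSE and receives the policy will rotate its built-in Administrator, which on a DC is the domain account. Keeping both the software deployment and the settings GPO linked to the workstation OU, and confirming with Get-GPInheritance that nothing is linked to Domain Controllers, is the practical answer to the question. Find-AdmPwdExtendedRights is worth re-running after any OU delegation change, since anyone with extended rights on the OU can read all of its passwords.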