Educause Security Discussion mailing list archives
Re: Microsoft LAPS
From: "Haas, Mike" <mhaas () LRHSD ORG>
Date: Tue, 1 Aug 2017 16:46:12 +0000
I believe you should use caution if assigning local admin privileges in this fashion (GPO) – it’s a slippery slope to creating an ad hoc domain admin group. As you add users to the “Desktop Admins” group and then add computers to that group, any one of those users has local admin rights to any one of those computers. This can come back to bite you if any of those users gets infected with malware that enumerates the network.

We handle these types of needs on a case-by-case basis. We also don’t allow anyone in the domain admin group to log in to workstations with their domain admin credentials. Those that have domain admin rights use their normal user to log on and utilize run as when needed.

Have been looking at implementing LAPS for local accounts. Right now it’s a one-off situation per user.

-------------------------
Michael Haas
Information Technology Coordinator
Lenape Regional High School District

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Francisco Chavez
Sent: Tuesday, August 01, 2017 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft LAPS

John Rogers,

The way we do it: we created a Security Group called “Desktop Admins”, for example, and then by using GPO we add this group to the PC, and when an AD user is a member of this group he/she has local admin rights on the machine.

By default, PCs joined to the domain allow domain admins as administrators on the PC, but you really don’t want to hand out domain admin rights to just anyone. : )

Hope this helps...

Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Engineer, Network and Systems | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu

On Aug 1, 2017, at 8:18 AM, Rogers, John <john.rogers () OKSTATE EDU> wrote:

Is anyone using Microsoft LAPS for computer admin password management? If so, does it work well? Any gotchas when implementing or using it? Any limitations we should know about?

Thanks,
John Rogers
IT Security Engineer
Information Technology Department
Oklahoma State University
John.Rogers () okstate edu
405-744-2752
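The reach concern raised in this message can be measured from an export of group membership and local Administrators entries. The following is an added example, not code from anyone in the thread; the account names, computer names, nested group and the `max_share` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the thread): AD group export with a nested loop.
GROUP_MEMBERS = {
    "Desktop Admins": ["alice", "bob", "Helpdesk Tier2"],
    "Helpdesk Tier2": ["carol", "dave", "Desktop Admins"],  # loop on purpose
}
# Constructed sample: local Administrators entries found on each workstation.
LOCAL_ADMINS = {
    "WS-001": ["Desktop Admins"],           # pushed by GPO
    "WS-002": ["Desktop Admins"],
    "WS-003": ["Desktop Admins", "erin"],
    "FIN-07": ["frank"],                    # case-by-case grant
}


def expand(principal, groups, seen=None):
    """Return the user accounts behind a principal, following group nesting."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}      # not a known group: treat as a user account
    if principal in seen:
        return set()            # already visited: breaks membership loops
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def admin_reach(local_admins, groups):
    """Map each user to the set of computers where they are local admin."""
    reach = defaultdict(set)
    for computer, principals in local_admins.items():
        for principal in principals:
            for user in expand(principal, groups):
                reach[user].add(computer)
    return dict(reach)


def wide_reach(local_admins, groups, max_share=0.5):
    """Users who are local admin on more than max_share of all computers."""
    limit = max_share * len(local_admins)
    reach = admin_reach(local_admins, groups)
    return sorted(u for u, hosts in reach.items() if len(hosts) > limit)


if __name__ == "__main__":
    print("wide reach:", wide_reach(LOCAL_ADMINS, GROUP_MEMBERS))
```

Accounts returned by `wide_reach` are the ones whose compromise exposes the largest share of workstations; per-user grants such as the constructed `frank` entry stay confined to one host.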
Current thread:
- Microsoft LAPS Rogers, John (Aug 01)
- Re: Microsoft LAPS Francisco Chavez (Aug 01)
- Re: Microsoft LAPS Reyor, William F. (Aug 01)
- Re: Microsoft LAPS Francisco Chavez (Aug 01)
- Re: Microsoft LAPS Haas, Mike (Aug 01)
- Re: Microsoft LAPS Francisco Chavez (Aug 01)
- Re: Microsoft LAPS Reyor, William F. (Aug 01)
- Re: Microsoft LAPS Gioia, Matthew P. (Aug 02)
- Re: Microsoft LAPS Francisco Chavez (Aug 01)