Educause Security Discussion mailing list archives

Re: Microsoft LAPS


From: "Haas, Mike" <mhaas () LRHSD ORG>
Date: Tue, 1 Aug 2017 16:46:12 +0000

I believe you should use caution if assigning local admin privileges in this fashion (GPO) – it’s a slippery slope to 
creating an ad hoc domain admin group. As you add users to the “Desktop Admins” group and then add computers to that 
group, any one of those users has local admin rights to any one of those computers. This can come back to bite you if any 
of those users gets infected with malware that enumerates the network. We handle these types of needs on a case-by-case 
basis. We also don’t allow anyone in the domain admin group to log in to workstations with their domain admin 
credentials. Those that have domain admin rights use their normal user to log on and utilize Run As when needed.

Have been looking at implementing LAPS for local accounts. Right now it’s a one-off situation per user.

-------------------------
Michael Haas
Information Technology Coordinator
Lenape Regional High School District

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Francisco Chavez
Sent: Tuesday, August 01, 2017 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft LAPS

John Rogers,

The way we do it..

We created a Security Group called “Desktop Admins” for example and then by using GPO we add this group to the PC, and 
when an AD user is a member of this group he/she has local admin rights on the machine. By default PCs joined to the 
domain allow domain admins as administrators on the PC, but you really don’t want to hand out domain admin rights to 
just anyone. : )

Hope this helps...


Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Engineer, Network and Systems | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu<mailto:fac3 () stmarys-ca edu>


On Aug 1, 2017, at 8:18 AM, Rogers, John <john.rogers () OKSTATE EDU<mailto:john.rogers () okstate edu>> wrote:

Is anyone using Microsoft LAPS for computer admin password management? If so, does it work well? Any gotchas when 
implementing or using it? Any limitations we should know about?

Thanks,

John Rogers
IT Security Engineer
Information Technology Department
Oklahoma State University
John.Rogers () okstate edu<mailto:John.Rogers () okstate edu>
405-744-2752



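The "Desktop Admins via GPO" approach and the "case by case" alternative discussed above differ mainly in blast radius: one nested domain group gives every member admin on every machine it is pushed to. The following PowerShell audit is an added example, not code from any poster in this thread; it inventories local Administrators membership on a set of workstations and sizes each domain group's user-by-machine reach. It assumes a management host with the ActiveDirectory RSAT module, WinRM access to the targets, PowerShell 5.1+ on the targets (for Get-LocalGroupMember), and placeholder hostnames you would replace with your own.

```powershell
# Added example (not from the thread): audit which principals hold local Administrators
# rights across domain-joined workstations, so a blanket group grant (e.g. "Desktop Admins"
# pushed by GPO) is visible and measurable next to per-machine user grants.
# Assumptions: ActiveDirectory RSAT module on this host, WinRM enabled on the targets,
# PowerShell 5.1+ on the targets. Hostnames below are placeholders.
param(
    [string[]]$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')   # placeholder hostnames
)

Import-Module ActiveDirectory

# Collect local Administrators membership from each host over WinRM.
$members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

# Domain groups nested in local Administrators: every member of such a group is a local
# admin on every machine where the group appears. Expand each one to its effective users.
$domainGroups = $members |
    Where-Object { $_.ObjectClass -eq 'Group' -and "$($_.PrincipalSource)" -eq 'ActiveDirectory' }

$report = foreach ($g in ($domainGroups | Group-Object Name)) {
    $samName = ($g.Name -split '\\')[-1]      # 'CONTOSO\Desktop Admins' -> 'Desktop Admins'
    $users   = Get-ADGroupMember -Identity $samName -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
    [pscustomobject]@{
        Group           = $g.Name
        MachinesCovered = $g.Count
        EffectiveUsers  = @($users).Count
        UserMachinePairs = $g.Count * @($users).Count   # admin grants created by this one group
        IsDomainAdmins  = ($samName -eq 'Domain Admins')
    }
}

# Largest blast radius first; a group covering every workstation with many members
# is the "ad hoc domain admin group" described in the thread.
$report | Sort-Object UserMachinePairs -Descending | Format-Table -AutoSize

# Direct per-user grants (the case-by-case model) are listed separately, per machine.
$members |
    Where-Object { $_.ObjectClass -eq 'User' -and "$($_.PrincipalSource)" -eq 'ActiveDirectory' } |
    Sort-Object Computer | Format-Table Computer, Name -AutoSize
```

Hosts that are offline or refuse WinRM are skipped silently by `-ErrorAction SilentlyContinue`, so compare the set of reporting computers against your inventory before trusting the totals.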