Educause Security Discussion mailing list archives

Re: Microsoft LAPS

From: "McCrone, Kevin" <kmccrone () ILSTU EDU>
Date: Fri, 19 Jul 2019 13:19:08 +0000

We have run into that issue, mostly with test virtual machines that are reset to a previous snapshot or checkpoint from 
before the last LAPS password change.  We use the Microsoft DaRT tool (part of MDOP) which includes a Locksmith 
capability to reset the password.  DaRT’s locksmith is Windows OS version specific, including Windows 10 build specific.

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/dart-v10/overview-of-the-tools-in-dart-10

Good luck!
-- Kevin

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Harry Hoffman
Sent: Thursday, July 18, 2019 6:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft LAPS

[This message came from an external source. If suspicious, report to abuse () ilstu edu<mailto:abuse () ilstu edu>]
Just curious.

We’ve run into an issue where we need to restore a backup of a system and the local admin password is now out of sync 
with LAPS.

Have others run into this? And if so what’s your procedure for handling it?

Cheers,
Harry

On Fri, Jul 19, 2019 at 3:02 AM Brian T. Huntley <bhuntley () clarkson edu<mailto:bhuntley () clarkson edu>> wrote:
We've been running it on all domain-joined machines for a couple of years now.  Rollout was a snap and it's been 
glitch-free (*knocks on head*).

The only scenario we've had challenges with is when a machine ends up in some weird state where it think's it's fallen 
out of the domain but LAPS has nevertheless continued to roll over the password.  I think it's happened twice.  Our 
desktop folks chalked it up to yet another layer of badness on a machine that was probably already ripe for a re-image.

Brian

Brian T. Huntley, CISSP
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723


On Thu, Jul 18, 2019 at 8:18 AM Manjak, Martin <mmanjak () albany edu<mailto:mmanjak () albany edu>> wrote:
Walter,

We rolled it out this spring to central IT supported systems. That success enabled us to promote it to the two other 
domains that are part of our forest and they are adopting it as well.

Next step is to inventory all the other accounts that are members of the local admin group and see what we can do to 
clean those up.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of WALTER KERNER
Sent: Wednesday, July 17, 2019 5:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Microsoft LAPS

Hi all.  I found a thread from 2 years ago asking about Microsoft LAPS for local admin control.  Is anyone using it?  
How do you like it?  Any other suggestions for admin password management?  Thanks



Walter

Walter Kerner
Assistant Vice President and CISO
212 217 3415
[blue and black logo two lines png]

Current thread:

Re: Microsoft LAPS, (continued)
- - Re: Microsoft LAPS Jonathan Andrew Wince (Jul 17)
    - Re: Microsoft LAPS King, Ronald A. (Jul 17)
- Re: Microsoft LAPS Richard Applebee (Jul 17)
- Re: Microsoft LAPS Joey Rego (Jul 17)
- Re: Microsoft LAPS Seth A. Shestack (Jul 18)
  - Re: Microsoft LAPS Clark Gaylord (Jul 18)
- Re: Microsoft LAPS Joey Rego (Jul 18)
- Re: Microsoft LAPS Manjak, Martin (Jul 18)
  - Re: Microsoft LAPS Brian T. Huntley (Jul 18)
    - Re: Microsoft LAPS Harry Hoffman (Jul 18)
    - Re: Microsoft LAPS McCrone, Kevin (Jul 19)
- Re: Microsoft LAPS Dave Broucek (Jul 19)