
In my environment, I am trying to create two different local users on all my client PCs: the built-in Administrator as a backup account, and a custom local admin for implementing LAPS. I am creating the backup account for any trust relationship break issue and other scenarios.

Since Microsoft has disabled the function in Local Users and Groups to create, modify or set the password from a GPO (although I am still able to rename/update the built-in Administrator account), I am trying to set the password for my backup local admin via the script method in GPO. I tried several scripts, but it does not work. I have also given all the administrator rights to that user. Can anyone help me or guide me in this scenario?

1 Answer


LAPS was built so you don't have to manage the local admins manually. You use LAPS, which is great, but still want to manage another admin account manually, which defeats the purpose of LAPS in my opinion.

If you are worried about password history when restoring a client from backup, Microsoft recently released a newer LAPS which supports exactly that. So even when you restore a client from a backup where the password was something else, you can look it up. Alternatively, you can always restore the local admin password manually if you have console access to the machine (utilman.exe trick).

The backup scenario is really the only time the password can get stale, since when the LAPS client extension cannot communicate with a domain controller, it does not update the local admin password.

I would suggest you rethink what you are trying to achieve, because I think it would introduce an unnecessary administrative burden.

David Trevor
  • In case of a domain trust relationship issue or other scenario, if the LAPS password has expired then the LAPS password does not work. Do you have any suggestions for this scenario? How can a user log on locally in that scenario? – Samrat Bikram Shah Aug 23 '23 at 06:37
  • When a client no longer has a trust relationship with the domain, the password update in Active Directory fails, so the password on the local machine stays the same. The value in Active Directory also stays the same because it is not being updated by the client. That means you just look up the value in Active Directory to log on, as usual. – David Trevor Aug 23 '23 at 06:40
  • This means that even if the password has expired, when the PC breaks its trust relationship with the domain, the password still works? What if it does not work? I think it is a risk, which is why I was thinking of a backup account. – Samrat Bikram Shah Aug 23 '23 at 06:45
  • That is just how it works, my man. If it cannot update the field in AD, it will not change the password on the machine. That is how it is programmed by Microsoft. You can check the official document here for a detailed description of the process: https://download.microsoft.com/download/c/7/a/c7aad914-a8a6-4904-88a1-29e657445d03/laps_technicalspecification.docx Also, as I said, no matter the circumstances, there is ALWAYS the option to reset a local admin password via the utilman.exe trick. Nothing but console access to the machine is required for that. – David Trevor Aug 23 '23 at 07:31
  • OK, I get it. On the other hand, I was wondering how I can create a backup local admin account centrally. Can you give me any ideas, as I have tried to push it via the script method but it did not work? Although I will be using LAPS, this is for testing purposes only. – Samrat Bikram Shah Aug 24 '23 at 02:32
  • The problem is that to make it really secure you would have to manage the password of each machine individually. The same password on all machines would be bad because clients naturally have a higher attack surface, and if one client gets compromised, the attacker can move laterally to other clients. So basically what you are asking is how to create a second LAPS, which I think is a security risk, and the negatives outweigh the benefits by far. What kind of important client machines would you need to have to warrant such drastic measures? – David Trevor Aug 24 '23 at 05:07
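The answer above makes two points worth checking from the management side: the newer Windows LAPS keeps a password history you can look up after restoring a client from backup, and a client that cannot reach a domain controller keeps its current password, so the value stored in AD is still the one that works. The following PowerShell is an added example, not code from the question or the answerer. It assumes the Windows LAPS PowerShell module (module name `LAPS`) is installed on a management host whose account has read permission on the LAPS attributes, and it uses the placeholder computer name `CLIENT01`. The properties read from the `Get-LapsADPassword` output (`ComputerName`, `Account`, `Password`, `PasswordUpdateTime`, `ExpirationTimestamp`, `Source`) are the ones documented for Windows LAPS; `Get-LapsPasswordReport` and the `RotationOverdue` flag are names chosen for this example.

```powershell
# Added example (not from the question or the answer): read the current LAPS
# password for a computer and, with the newer Windows LAPS, its password history,
# and flag entries whose expiration time has passed without a rotation.
# Assumes the Windows LAPS module ("LAPS") and read rights on the LAPS attributes.
Import-Module LAPS

function Get-LapsPasswordReport {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'CLIENT01' (placeholder)
        [switch] $IncludeHistory                          # also return older passwords
    )

    $lookup = @{ Identity = $ComputerName; AsPlainText = $true }
    if ($IncludeHistory) { $lookup['IncludeHistory'] = $true }

    # One object per stored password: the current one, plus previous entries
    # when -IncludeHistory is given (the "restore from backup" case in the answer).
    $entries = Get-LapsADPassword @lookup
    $now = Get-Date

    foreach ($e in $entries) {
        [pscustomobject]@{
            Computer        = $e.ComputerName
            Account         = $e.Account
            Password        = $e.Password
            UpdatedAt       = $e.PasswordUpdateTime
            ExpiresAt       = $e.ExpirationTimestamp
            Source          = $e.Source
            # RotationOverdue only means the client was due to rotate. If it could
            # not reach a DC, the local password is still this value, as the answer
            # explains: LAPS does not change the local password before AD is updated.
            RotationOverdue = ($e.ExpirationTimestamp -lt $now)
        }
    }
}

# Current password plus history for a client that was restored or rolled back.
Get-LapsPasswordReport -ComputerName 'CLIENT01' -IncludeHistory |
    Format-Table Computer, Account, UpdatedAt, ExpiresAt, Source, RotationOverdue -AutoSize
```

An entry with `RotationOverdue` set to true is not a broken password; try it first, exactly as the answer says. Once the client can reach a domain controller again, the normal policy cycle rotates it, or an administrator on the machine can force an immediate rotation with `Reset-LapsPassword` from the same module.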