Yep. LAPS is the only recommended solution from MSFT, outside some special third-party tool. With the new ADMX Templates I don't even think you can set a Local Admin Password, at least not without getting a warning. LAPS was created because of a security flaw identified with that older method.

On Wed, Apr 12, 2017 at 11:42 AM, Chris Barnes <chris.bar...@coretekservices.com> wrote:

> Not sure I am understanding you fully on this, but the point of LAPS is
> that you don’t have 1 password, as once that password is compromised, and
> it will be, it can be used on every other machine on your network.
>
> If a machine running LAPS has its local admin password compromised, it is
> useless on the network, as it's unique and random.
>
> *Chris Barnes*
> *MCSE: Private Cloud | MCSE: Cloud Platform & Infrastructure*
> *Coretek Services | Microsoft Delivery Manager*
> 248.767.4415 cell
> chris.bar...@coretekservices.com
> http://www.coretekservices.com
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Burke, John
> *Sent:* Wednesday, April 12, 2017 12:12 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
> So it would seem everyone agrees that it should be done. I was even
> questioning that. It seems pretty easy to change it regularly via SCCM or
> GPO and have 1 password.
>
> I’ll look into that solution for sure though.
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Chris Barnes
> *Sent:* April-11-17 6:18 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
> Totally agree on LAPS.
>
> Probably the best ROI on effort for anything security related. Very easy
> to roll out.
>
> This is probably the best guide I have seen on rolling it out.
>
> https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-1/
>
> 2nd Place would be Credential Guard.
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Daniel Ratliff
> *Sent:* Tuesday, April 11, 2017 2:17 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
> Use LAPS, no question.
>
> https://technet.microsoft.com/en-us/mt227395.aspx
>
> https://www.microsoft.com/en-us/download/details.aspx?id=46899
>
> *Daniel Ratliff*
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Burke, John
> *Sent:* Tuesday, April 11, 2017 1:37 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Opinions Local Admin
>
> Hi,
>
> We are talking about creating unique local admin passwords for our systems
> (vs changing it regularly). I’m wondering how many folks actually create
> unique local admin passwords vs just changing it regularly?