@Dashrender said:
@Brett said:
Also please note that you do not want LAPS to apply to domain controllers since they have no local accounts. It will change the domain's Administrator account password. I found that out while testing LAPS.
I still use it on servers, just not DCs.
Doh! it changes Domain Admin accounts - that's not cool. Though, I guess this means that your domain admin account name was the same as the local account? or are you talking specifically about the Administrator account?
I've changed the name of my Domain Administrator account so that's not an issue.
Yes, you're exactly right. So, as I'm sure you know but just to be clear, by default the built-in Administrator account is named Administrator on all Windows and Windows Server OSes. And when you upgrade a server to become a DC for the first time in an environment it converts that built-in Administrator account into the domain's Administrator account, and it's still named Administrator. (So suddenly you go from using ServerName\Administrator to the all-powerful NetBIOSDomainName\Administrator with the same password the first time you create a DC.)
LAPS by default changes the account named Administrator, whether it's just a local built-in account on a workstation or server or the domain account. So if you haven't changed LAPS away from the defaults and you haven't changed your built-in Administrator account (either on a workstation or on the DCs) it will change their password.
I like to leave the built-in Administrator accounts alone on the workstations. They're disabled by default and when you first install Windows it has you create an alternative local admin account anyway. So I figure there's some purpose behind that. Plus, I've read that even if you rename the built-in Administrator account it's trivial for attackers to find them b/c their SID is unique and stays the same no matter what the name is changed to. It's another example of how security through obscurity doesn't really work. So that's why I opt to leave them disabled and create an account named LocalAdmin instead and I change the LAPS policy to target these for password changes.
Regarding the built-in domain administrator account named Administrator, I generally leave it in the hands of my clients, as an in-case-of-emergency-use-this-account. But for everyday administration it's never touched. So I just don't apply the LAPS GPO to the DC OU to be absolutely sure, but by the fact that I have the LAPS policy changed to target accounts named LocalAdmin it shouldn't affect them anyway.
I hope that made sense!