I'm curious about the safety of having local admin accounts enabled on devices if LAPS (Local Administrator Password Solution) is running. I maintain some separate local admin accounts for our IT staff, but Microsoft consistently flags us for having local admin access. The reason I'm inclined to have these accounts is to facilitate remote support in cases where I can't access a device directly, and I believe it adds a layer of security. So, I'm wondering, is there a genuine risk involved in keeping the local admin account active?
6 Answers
Microsoft has definitely taken a stand against local admin accounts, so you'll always receive notifications if they’re enabled. Using LAPS helps boost security for those accounts if you really need them. Keep in mind that for a perfectly secure environment, you'd need to take all your devices offline—which isn’t realistic in most cases. You’ll likely face flags that might not make sense for your setup. To answer your question: Yes, there's always some risk involved, but if your other security measures are tight, having local admin accounts with LAPS isn't a huge concern.
Honestly, if LAPS is running, the need for a local admin account seems unnecessary. The whole purpose of LAPS is to manage those credentials and rotate the passwords.
I personally don’t see a problem with using the "Administrator" account on workstations while LAPS is in place. Sure, some argue against it since it’s a well-known account name, but just renaming it feels like relying on security through obscurity. Also, while it never gets locked out, things have changed a bit with Windows 11, where lockouts can happen for network logins. If someone gains console access, you still have bigger problems to worry about.
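As an added example (not written by any poster in this thread), the following PowerShell audit lists the enabled local accounts in a device's Administrators group and marks which of them fall outside LAPS rotation. It assumes LAPS manages a single account (the built-in Administrator unless `-ManagedAccount` is given); the parameter names and the 30-day age threshold are placeholders for illustration.

```powershell
# Added example: audit enabled local admin accounts against the LAPS-managed one.
# Assumption: LAPS manages exactly one local account per device. If -ManagedAccount
# is not supplied, the built-in Administrator (RID 500) is treated as that account.
param(
    [string]$ManagedAccount = '',
    [int]$MaxPasswordAgeDays = 30    # assumed rotation interval, adjust to your policy
)

$adminGroupSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators

# Only local user accounts; domain and Entra ID principals are out of scope for LAPS.
$members = Get-LocalGroupMember -SID $adminGroupSid |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }

$report = foreach ($m in $members) {
    $user = Get-LocalUser -SID $m.SID
    if (-not $user.Enabled) { continue }    # disabled accounts cannot be used to log on

    # Renaming the built-in account does not change its RID, so match on the SID.
    $isBuiltIn = $user.SID.Value -like 'S-1-5-21-*-500'
    $isManaged = if ($ManagedAccount) { $user.Name -eq $ManagedAccount } else { $isBuiltIn }

    $ageDays = if ($user.PasswordLastSet) {
        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    } else { $null }                        # password never set

    $finding = if ($isManaged) {
        if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
            'Managed account, but password older than policy: check LAPS is applying'
        } else { 'OK: rotated by LAPS' }
    } else {
        'Not rotated by LAPS: static credential, review or remove'
    }

    [pscustomobject]@{
        Name            = $user.Name
        BuiltInRid500   = $isBuiltIn
        LapsManaged     = $isManaged
        PasswordAgeDays = $ageDays
        Finding         = $finding
    }
}

$report | Sort-Object LapsManaged | Format-Table -AutoSize
```

Run it from an elevated session on the device. Any row marked "Not rotated by LAPS" is a separate IT staff account of the kind described in the question, whose password stays the same until someone changes it by hand.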