I'm curious about the best practices for managing servers, especially with Local Administrator Password Solution (LAPS) in the mix. I've learned that LAPS automatically rotates passwords, which makes it tricky to handle local server administration without using a Domain Admin account. Using Domain Admin for server tasks seems risky, especially since we have some legacy Server 2008 systems that are critical for our operations. I'm wondering how others approach this. Do you all create dedicated admin accounts? Is the local admin account usually disabled? And how do you balance security with LAPS? My setup is entirely on-premises with two domain controllers.
4 Answers
You should really avoid using Domain Admin accounts for server administration outside of specially designed jump hosts. Ideally, every admin should have a personal user account for daily tasks and a separate admin account strictly for server management. Yes, it's a hassle juggling multiple accounts, but it significantly improves security and mitigates risks.
We use Just-In-Time (JIT) elevation for accessing Domain Admin functions. Each server has its own dedicated admin group, and those accounts are added to the local administrators group. It’s also worth mentioning that we enforce MFA for RDP access, which adds another layer of security.
Managing with local accounts in a domain setup isn't the way to go at all. It’s best to deploy accounts using a Restricted Groups GPO to ensure proper permissions. Members of the Protected Users group are safer and more compliant with current security practices.
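The pattern the two answers above describe (a dedicated AD admin group per server pushed into the local Administrators group via Restricted Groups, with LAPS owning the one remaining local account) is only as good as the drift check behind it. The script below is an added example, not code from any poster in this thread: it enumerates each server's local Administrators group and reports any member that is not the expected per-server group, the LAPS-managed local account, or Domain Admins. It assumes a group naming convention of `SRV-<hostname>-Admins` and a domain NetBIOS name of `CORP`; both are placeholders. It uses the WinNT ADSI provider rather than `Get-LocalGroupMember` so that it also works against the Server 2008 hosts mentioned in the question, and, where the Windows LAPS module is installed, it also checks that the LAPS password has not passed its expiry.

```powershell
# Added example: audit local Administrators membership against the
# per-server admin group convention. Run from a management host as an
# account that can read each server's local group (e.g. the server's admin group).
param(
    [string[]]$Servers      = @('srv-app01', 'srv-db01'),   # constructed sample list
    [string]$DomainNetBios  = 'CORP',                        # assumption: your domain's NetBIOS name
    [string]$GroupPrefix    = 'SRV-',                        # assumption: naming convention
    [string]$GroupSuffix    = '-Admins'
)

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider works against Server 2008 as well, unlike Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CORP/SRV-srv-app01-Admins or WinNT://srv-app01/Administrator
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-ServerAdminGroup {
    param([Parameter(Mandatory)][string]$Server)

    $expected = @(
        "$DomainNetBios\$GroupPrefix$Server$GroupSuffix",  # the per-server admin group
        "$Server\Administrator",                           # the LAPS-managed local account
        "$DomainNetBios\Domain Admins"                     # present by default on domain members
    )

    try {
        $actual = @(Get-LocalAdminMembers -ComputerName $Server)
    } catch {
        return [pscustomobject]@{
            Server = $Server; Status = 'Unreachable'; Unexpected = @(); Missing = @()
            Error  = $_.Exception.Message
        }
    }

    # -notcontains is case-insensitive, so hostname casing differences do not cause false alarms.
    $unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
    $missing    = @($expected | Where-Object { $actual   -notcontains $_ -and $_ -notlike '*Domain Admins' })

    [pscustomobject]@{
        Server     = $Server
        Status     = if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) { 'OK' } else { 'Drift' }
        Unexpected = $unexpected   # extra members: stale accounts, direct user grants, etc.
        Missing    = $missing      # convention not applied (GPO not linked, group not created)
        Error      = $null
    }
}

function Test-LapsExpiry {
    param([Parameter(Mandatory)][string]$Server)
    # Windows LAPS module only; legacy LAPS (AdmPwd.PS) exposes Get-AdmPwdPassword instead.
    if (-not (Get-Command Get-LapsADPassword -ErrorAction SilentlyContinue)) { return 'LAPS module not installed' }
    try {
        # Without -AsPlainText the password stays a SecureString; we only need the expiry here.
        $entry = Get-LapsADPassword -Identity $Server -ErrorAction Stop
        if ($entry.ExpirationTimestamp -lt (Get-Date)) { return 'EXPIRED (rotation not happening)' }
        return "expires $($entry.ExpirationTimestamp)"
    } catch {
        return "no LAPS entry ($($_.Exception.Message))"
    }
}

$report = foreach ($s in $Servers) {
    $r = Test-ServerAdminGroup -Server $s
    $r | Add-Member -NotePropertyName Laps -NotePropertyValue (Test-LapsExpiry -Server $s) -PassThru
}

$report | Format-Table Server, Status, @{n='Unexpected';e={$_.Unexpected -join ', '}},
                       @{n='Missing';e={$_.Missing -join ', '}}, Laps -AutoSize
```

Anything that shows up in the `Unexpected` column is exactly the kind of direct grant (a personal account or a Domain Admin added "just for now") that Restricted Groups is meant to prevent, and a `Missing` entry means the GPO never reached that host. Running this on a schedule and alerting on `Drift` or `EXPIRED` gives the security team the same visibility over local admin membership that LAPS already gives over the password itself.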
Definitely create dedicated admin accounts for each admin; it helps keep things organized and secure. This way, you avoid using Domain Admin for day-to-day tasks. Plus, we’ve got a system in place where CyberArk rotates the passwords for us, and everything is monitored by our security team. We strictly use LAPS for the endpoints, but keeping separate accounts for admin tasks is crucial in my opinion.