I'm curious if anyone has implemented LAPS to take care of DSRM passwords. I'm currently in the process of setting it up and wanted to gather some opinions before my change management meeting. Have any of you had experience with this, and if so, how has it worked out for you? Any issues you've encountered?
4 Answers
I don’t recommend LAPS for small environments—it feels risky and too much. For larger setups, I like that it can sync the DSRM password to a user account.
My biggest concern with using LAPS for DSRM is retrieving the password if Active Directory is down, which tends to be when you need it most.
We actually use LAPS for DSRM because, when I first started, there were no records of those passwords. I also save the passwords in our vault on a schedule, so I can access them even if the domain goes down.
I haven't used LAPS for DSRM passwords, only for desktops and servers. For DSRM, I prefer to store the passwords in a secure vault. The consensus from some more experienced folks in AD management seems to lean towards skipping LAPS for DSRM.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures