I'm not a system admin, but I'm working to identify and improve some security flaws in our small office. We currently use LAPS to manage local admin passwords across all client computers, which is a step up from using the same password everywhere. However, I've hit a snag: LAPS passwords can typically only be accessed with Domain Admin credentials, which makes it tough for me to retrieve them on my phone when I'm away from my desk.
I've read that it's a security risk to have Domain Admin accounts configured on all client machines, and I'm looking to address this as well. Right now, we have pretty strict LAPS password complexity requirements, but it can be a hassle when I don't have access to my computer and need to use Domain Admin credentials for administrative tasks, even if it's just for basic helpdesk stuff. Is there a convenient way to access these LAPS passwords without physically being at my desk? Any advice on best practices for reducing Domain Admin presence on client machines would also be appreciated!
1 Answer
One approach we've taken is to store LAPS passwords in Entra and set up a custom reader role. This allows less privileged IT admins to access LAPS without needing full Domain Admin privileges. It's a much safer setup since it limits access to just the specific machines a user needs. Just remember, if a machine is compromised, whoever gets in could potentially access that machine's LAPS passwords only, which is still way better than having a Domain Admin account everywhere. Might want to explore this option!
Interesting! So with this setup, if one machine gets compromised, it's not a total fallout for the network? It feels like a much better balance of security.
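To make the setup in the answer concrete, here is an added PowerShell sketch (not code from the original thread) of the two halves of that approach: defining a custom Entra role that grants only the LAPS password-read action, and retrieving one device's LAPS password over Microsoft Graph with a least-privilege sign-in that works from any machine, not just a desk PC. It assumes the Windows LAPS PowerShell module (`Get-LapsAADPassword`) and the Microsoft.Graph modules are installed, that Windows LAPS backup to Entra is already enabled on the devices, and that the role action names and Graph scopes are the ones documented for Windows LAPS in Entra (verify them in your tenant's role permission picker). The device name is a placeholder.

```powershell
# Added example: least-privilege LAPS password retrieval from Entra.
# Assumes: Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance
# and the Windows LAPS PowerShell module (ships with Windows 11 / Server 2025).

# --- Part 1 (run once, by a Privileged Role Administrator) ---------------
# Create a custom role that can read LAPS passwords and nothing else.
# Action names as documented for Windows LAPS in Entra; confirm in your tenant.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$lapsReaderRole = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'LAPS Password Reader (custom)' `
    -Description 'Read Windows LAPS passwords backed up to Entra; no other rights.' `
    -IsEnabled $true `
    -RolePermissions @(
        @{
            allowedResourceActions = @(
                'microsoft.directory/deviceLocalCredentials/standard/read',
                'microsoft.directory/deviceLocalCredentials/password/read'
            )
        }
    )

# Assign it to the helpdesk group (object id placeholder). Scoping the
# assignment to an administrative unit limits it to that unit's devices.
$helpdeskGroupId = '<HELPDESK-GROUP-OBJECT-ID>'   # placeholder
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $lapsReaderRole.Id `
    -PrincipalId $helpdeskGroupId `
    -DirectoryScopeId '/'                           # or '/administrativeUnits/<id>'

Disconnect-MgGraph

# --- Part 2 (daily use, by a helpdesk member holding only the role above) --
# Interactive sign-in; MFA/Conditional Access applies, so this works from a
# laptop or phone browser without any Domain Admin credential on the client.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$deviceName = 'PLACEHOLDER-PC01'                   # placeholder device name
$device = Get-MgDevice -Filter "displayName eq '$deviceName'" | Select-Object -First 1
if (-not $device) { throw "Device '$deviceName' not found in Entra." }

# Retrieve the current LAPS account name, password and expiry for that one device.
# Every call is recorded in the Entra audit log, so reads are attributable.
$cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText

[pscustomobject]@{
    Device             = $deviceName
    Account            = $cred.Account
    Password           = $cred.Password
    ExpirationTime     = $cred.PasswordExpirationTime
    PasswordUpdateTime = $cred.PasswordUpdateTime
}

Disconnect-MgGraph
```

Two design points worth noting. First, the role assignment (not the Graph scope) is what bounds the blast radius: the consented scope only says what the app may do on the user's behalf, while the custom role decides which devices' passwords that user can actually read, and an administrative-unit scope narrows it further. Second, because retrieval goes through Graph with an interactive, MFA-protected sign-in, no Domain Admin credential ever needs to be typed on a client, which is the presence the question wants to eliminate; a compromised client then yields at most its own LAPS password, exactly the trade-off the answer describes.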