I'm trying to create a local administrator account on a Windows machine that has no network access, specifically to prevent any risks to our SMB server. The owner wants this local admin to assist a user who can't install apps by themselves, but if this user gets compromised, we need to ensure they can't access any wider company resources. I attempted to follow guidance to set up a Group Policy Object (GPO) for this, but I faced issues with the settings being greyed out. I've also looked into using PowerShell to create the account, which worked, but I'm unsure how to enforce firewall restrictions to prevent the local admin from disabling network access. Is pursuing Local Administrator Password Solution (LAPS) a good direction for my case? Any advice or additional resources would be appreciated!
2 Answers
Microsoft removed the option to set passwords through GPO a while back. If you're on a domain, LAPS is the way to go! Just a heads up, for Windows 11 you might need the built-in LAPS feature through Intune. Do you have Intune in your setup? If not, it might be trickier to solve this without additional software for managing permissions.
Using LAPS could be exactly what you need here. It helps manage local admin passwords on domain-joined computers, enhancing security. You should definitely check this link for more details: [LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) and see if it fits your situation.
Yes, I do have Intune; I wasn't sure if that would help. Thanks for clarifying!