I've started testing with the new LAPS features (including the extended schema) on servers running 2019 and newer, but I still need to maintain support for Server 2016. The documentation mentions that in a scenario where Legacy and New LAPS are used side by side, it's only feasible if we target different accounts. My specific situation involves targeting the built-in Administrator account. Are there alternative solutions, like using two GPOs with WMI filters—one for servers 2016 and below, and another for 2019 and above?
1 Answer
We opted to use a separate account instead of targeting the built-in Administrator. We leave the Administrator account disabled in our environment, just enabling it in case of emergencies. Honestly, using the same account for both LAPS versions seems unnecessary. You’d need a compelling reason to go that route.
Could you elaborate on the Administrator account being enabled in safe mode? Is this the default setting or controlled by a GPO? I'm looking to keep things straightforward with LAPS for my setup that spans from 2016 to 2025.

That sounds like a smart approach!