We have recently appointed a new CISO who has asked us to rotate local admin passwords on all our Windows laptops every 15 days. I manage around 2800 laptops used by different teams, and they all share a single local admin account. I'm looking for the best options to implement this password rotation across our fleet. What solutions do you recommend?
5 Answers
If you’re looking for an alternative to LAPS, the SANS SEC505 course offers a script that can rotate local admin passwords, encrypt them, and save them to a file share. This method gives you the flexibility to schedule when it runs and can work for multiple accounts per machine, even without being domain-joined.
You should definitely look into Windows LAPS. It’s designed specifically for situations like yours, making password management really straightforward. Plus, it's free with Windows!
While LAPS is widely recommended, I've found a few issues with using it in complex environments. It’s good for offline access, but I prefer giving technicians specific roles for accountability, which can become complex with LAPS.
LAPS really is the way to go. It's easy to set up whether you're on-prem or using Intune, and it works well for a large fleet of devices.
I recommend considering tools like Admin By Request if your budget allows. They can help with password rotation and provide additional features for privileged access management.
We actually run LAPS through our RMM, and I can confirm it's a solid solution for managing admin accounts.