Information security is a complex subject comprised of many layers. A frequently overlooked layer is that of the Local Administrator password. As the name suggests, it is an all-powerful account on all clients and member servers.
There are several approaches for the management of Local Administrator passwords within an organisation, however, until recently these have been either very expensive, labour intensive or result in the same password being set on all client computers and static passwords for servers. To simplify this important security requirement, Microsoft have released the Local Password Administrator Solution (LAPS).
LAPS allows us to set centralised policies to automatically and securely set a unique and complex password on each system and update them on a schedule. The password is securely transported and stored against the computer object Active Directory (AD), so passwords are easily recoverable.
Using existing Group Policy and AD infrastructure means that the configuration and permissions can be tuned to specific requirements, for example, stronger requirements on servers or delegated access over specific clients.
Perhaps the best thing about LAPS is that it is free, so go ahead and automate best practice Local Administrator password practices today.
For assistance with the design and execution of LAPS please contact BDS.