Start Using Windows LAPS

-

 🎯Stop Sharing Local Admin Passwords - Start Using Windows LAPS.

We just finished a clean rollout of Windows LAPS to our workstations and moved from “shared local admin creds” to unique, rotating passwords with delegated access.

💠Why we did it:
🔸 Stop shared local admin passwords.
🔸 Enforce least privilege (no “Domain Users” in local Administrators).
🔸 Give EUC Team/Helpdesk a safe, auditable way to view/rotate device-specific passwords.

💠What we implemented:
1. Tightened local Administrators with GPO Preferences → Local Users & Groups (Action = Replace). Only our support group + built-in Administrator remain.
2. Rolled out Windows LAPS with encryption enabled and delegated Read/Reset on the workstation OU.
3. Added EUC Team/Helpdesk to Authorized password decryptors in the LAPS GPO so they can decrypt in ADUC/PowerShell.
4. Validated rotation with Get-LapsADPassword + Reset-LapsPassword -Identity <PC>.

💠Exact steps that worked:
🔸 Prepare the admin box (Win10/11 or Server 2019/2022, fully updated):
 Get-Module -ListAvailable LAPS (should exist); install AD RSAT if needed.
🔸 Local Admins policy (one GPO):
 Administrators (built-in) → Replace, Members: <YourSupportGroup>, (optional) Domain Admins, Administrator (built-in).

🔸 LAPS policy (second GPO):
1. Enable password backup → Enabled → Active Directory.
2. Password settings → Enabled (Length ~20, Complexity On, Age 7–14 days).
3. Enable password encryption → Enabled.
4. Authorized password decryptors → add your EUC Team/Viewer groups.
5. (Optional) “Name of admin account to manage” → set if you use a custom local admin

🔸Delegate on the OU (PowerShell):
1.  Update-LapsADSchema
2.  Set-LapsADComputerSelfPermission -Identity "<OU DN>"
3.  Set-LapsADReadPasswordPermission  -Identity "<OU DN>" -AllowedPrincipals "<YourSupportGroup>"
4.  Set-LapsADResetPasswordPermission -Identity "<OU DN>" -AllowedPrincipals "<YourSupportGroup>"

💠Trigger + verify on a pilot PC:
 🔸gpupdate /force ; Invoke-LapsPolicyProcessing -Verbose
 🔸Get-LapsADPassword -Identity "<PC>" -AsPlainText
 🔸Reset-LapsPassword -Identity "<PC>" (then read again—password/expiration change)

💠Results
🔸No broad local admin rights on endpoints.
🔸Unique, rotated passwords in AD, visible only to delegated roles.
🔸Clean handoff to EUC Team/Helpdesk with PowerShell/ADUC access and full auditability.
For more details👉https://is.gd/Bvd2QP

Comments

Post a Comment

Popular posts from this blog

VMware:- Esxi Log File Locations

-
Enable SSH and connect the host through CLI tool-  *Authentication- /var/log/auth.log *ESXi host agent log - /var/log/hostd.log *Shell log - /var/log/shell.log *System messages - /var/log/syslog.log *vCenter Server agent log - /var/log/vpxa.log *Virtual machines - The same directory as the affected virtual machine's configuration files, named vmware.log and vmware*.log. For example, /vmfs/volumes/datastore/virtual machine/vmware.log *VMkernel - /var/log/vmkernel.log *VMkernel summary - /var/log/vmksummary.log *VMkernel warnings - /var/log/vmkwarning.log *Quick Boot - /var/log/loadESX.log *Trusted infrastructure agent - /var/run/log/kmxa.log *Key Provider Service - /var/run/log/kmxd.log *Attestation Service - /var/run/log/attestd.log *ESX Token Service - /var/run/log/esxtokend.log *ESX API Forwarder - /var/run/log/esxapiadapter.log
Read more

ESX and vCenter Alarms

-
Image
  Definition An  Alarms  is a   notification  that are activated in response to an event, a set of conditions, or the state of an inventory object. An alarm definition consists of the following elements in the vSphere Client: ·  Name and description - Provides an identifying label and description. ·  Targets - Defines the type of object that is  monitored. -  VM\  DataSore \N\W  etc. ·  Alarm Rules - Defines the event, condition, or state that triggers the alarm and defines the notification severity. It also defines operations that occur in response to triggered alarms. ·  Last modified - The last modified date and time of the defined alarm.   Alarm categories – Alarms have the following severity levels: ·  Normal –  green  -   Status is Good. The health of the object is Normal ·  Warning – yellow  -  Status is Warning – The Object experiencing Some Problem ·  Ale...
Read more

Convert VMware Snapshot into Memory Dump

-
Image
  Convert VMware Snapshot into Memory Dump Background   This document explains about generating a memory dump for a VMWare Virtual Machine when the machine becomes unresponsive. VM becomes unresponsive for various reasons, you may not be able to get into any OS related settings or access any application. Even users may get not be able to access any shares or resources of this machine.   In this type of situation Memory dump would be required to  analyze  the cause. Even if the OS is configured to generate a Memory Dump for System Crashes, it would not be able to generate a Memory Dump for System Unresponsiveness most of the  times. But  with a VMWare VM, you can take a snapshot of the machine when it is unresponsive and then use vmss2core.exe tool to convert the snapshot to a Memory Dump. The target audience for this information is any technician that is responsible for creating and deleting snapshot in the Levi virtualization environment.   Note ...
Read more