LAPS – Local Administrator Password Solution

April 21, 2017

A new capability is available to delegated OU customers.

What and When:

As of yesterday, a new capability is available that allows automated management of a Windows computer's local admin password. This includes delegated password escrow.

What you need to do:

Use of this capability is optional and requires you to take action if you want to leverage it.

Good management of your computers' local admin passwords mitigates a key risk in the Microsoft ecosystem. This mitigation reduces the severity of compromises by helping to prevent lateral movement and subsequent privilege escalation.

Delegated OUs are strongly encouraged to consider implementing it. Please reference our customer documentation, https://itconnect.uw.edu/wares/msinf/ous/laps/, for details on how to get started.

More info:

Background on this capability was presented by Patrick Lavielle at the April meeting of the Microsoft Technology community, and a copy of the slide deck will be shared with that community, so follow the link and join that community if you want that deck.

An analysis paper documenting our process of evaluating the problem of managing local admin passwords is published at https://wiki.cac.washington.edu/x/HFCIB. This includes our review of other solutions, the appropriateness of the plaintext password storage used by LAPS, and other details. Most of the content of this paper is in the slide deck mentioned above.

Brian Arkills

Microsoft Infrastructure service manager

UW-IT