LAPS – the Local Administrator Password Solution – is a Microsoft framework that allows system administrators to remove shared local administrator passwords from their estate and replace them with a randomly assigned complex password that is stored on a per-machine basis in two new Active Directory attributes.
These attributes store the password and the password expiry date.
When LAPS is installed, a client component is added that allows the domain controller to manage client passwords. A simple UI tool which queries the AD attributes is also available. Its output typically looks like this:
Normally the password expiry is one month out from its creation, so each month the password will change. Tachyon complements LAPS nicely by providing a workflow for accessing devices using LAPS credentials.
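The expiry attribute described above can be audited without ever reading the password attribute. The following is an added example, not part of the product pack or of LAPS itself: it assumes the legacy LAPS schema attribute name `ms-Mcs-AdmPwdExpirationTime` (not given on this page), a 30-day maximum password age, and a hypothetical function name `Get-LapsExpiryStatus`; the sample records are constructed.

```powershell
# Added example: classify computers by their LAPS password-expiry attribute.
# Assumption: legacy LAPS stores the expiry in 'ms-Mcs-AdmPwdExpirationTime'
# as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
function Get-LapsExpiryStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = [datetime]::UtcNow,
        [int] $MaxAgeDays = 30          # assumed policy: expiry about one month out
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if ($null -eq $raw) {
            # Attribute never written: the LAPS client is not managing this machine.
            $status = 'NotManaged'
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $Now) {
                # Expiry has passed but the password was not rotated.
                $status = 'Overdue'
            } elseif ($expires -gt $Now.AddDays($MaxAgeDays + 1)) {
                # Expiry pushed further out than policy allows.
                $status = 'TooFarOut'
            } else {
                $status = 'OK'
            }
        }
        [pscustomobject]@{ Name = $Computer.Name; ExpiresUtc = $expires; Status = $status }
    }
}

# Constructed sample records standing in for directory query results.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WKSSC001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SAMPLE-PC2'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-9).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SAMPLE-PC3'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(400).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SAMPLE-PC4' }
)
$sample | Get-LapsExpiryStatus -Now $now | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), requesting only the expiry attribute:
# Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsExpiryStatus
```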
The product pack contains a single action, which is associated with a task, so that it can be invoked directly from the UI.
Product Pack notes:
LAPS: Request access to device using local account for user currently logged on to
- Request access to device WKSSC001 using local account administrator for user urth\joe.smith currently logged onto WKSSV001
This means that:
- The user urth\joe.smith would like to log on to the device WKSSC001 using the LAPS local administrator password (for the local administrator account).
- He is currently logged on to a device WKSSV001, which may or may not be the device from which he is launching the Tachyon action.
- Joe possesses a privileged account (urth\joe.smith.admin) that he uses ONLY for retrieving LAPS passwords. He is not currently logged on with this account.
- Tachyon will enforce workflow so that someone (let’s say, Bill, Joe’s boss) will approve Joe’s request.