afsarshariff-0182 asked:

is it recommended to link LAPS group policy at the domain level?

Hi All, please advise whether it is recommended to link the LAPS group policy at the domain level, and what the implications of doing so are. (Local Administrator Password Solution.) Please provide the supporting Microsoft docs on this question. Thanks!

windows-group-policy

Hi,

If there are any updates, welcome to share them here!
Please feel free to let us know if you have any further questions.

Best Regards,

0 Votes 0 ·
FanFan-MSFT answered:

Hi,
I tried to find some Microsoft docs on this question, but without luck.
Based on my research, the LAPS group policy is based on computer configuration; you can deploy the policies on the OUs containing the PCs you want to manage through LAPS. There is no need to deploy all the LAPS-related GPOs at the domain level.
Operation details can be found in the operations guide:
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_OperationsGuide.docx

Best Regards,


Thank you for the answer.

I agree that the LAPS group policy is based on the computer configuration. However, I wanted to see what Microsoft says about this situation: there are environments where we have a very dense OU structure and a chance of missing computers from LAPS coverage. In this case, can we link it to the domain? Since it's a computer policy, it will apply only to the computer objects.

Kindly advise.

0 Votes 0 ·
FanFan-MSFT replied to afsarshariff-0182:

Hi,
Yes, if you want to apply the LAPS policies to all the computers, the GPO can be linked at the domain level.
You may also want to filter the policies for some specific computers; in that situation, you can use security filtering.

Best Regards.

0 Votes 0 ·
DonPickard-7259 answered:

Reading several related discussions, it seems caution may be needed if you link the LAPS GPO where it would be inherited/applied to the Domain Controllers, as the 'Domain Administrator' account might be affected by automatic password changes...

https://social.technet.microsoft.com/Forums/ie/en-US/a0b7c899-38c6-47c9-adf8-6f64744cb115/should-i-install-laps-on-a-domain-controller?forum=winserverDS

https://social.technet.microsoft.com/Forums/en-US/957edf9f-b80d-4a77-9450-175fe1be59f1/laps-has-changed-the-domain-administrator-password?forum=winserverGP

Mark-Heitbrink answered:

Three conditions are needed to get LAPS functional:

  1. the CSE / registered DLL on the client

  2. the SELF WRITE permission of the computer object for the 2 attributes

  3. LAPS enabled by registry or GPO

If the LAPS GPO is linked at the domain level, it will not affect systems without conditions 1 and 2. There is no impact or problem in linking it there. Afraid for your DCs? No worry: simply do not install LAPS on them and do not grant the SELF WRITE permission.
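The three conditions above, plus the coverage question raised earlier in the thread (which computers a domain-level link actually ends up managing, and whether any domain controller is among them), can be checked with a script. The following PowerShell is an added example written for this thread; it is not Microsoft's code nor any poster's. It assumes the legacy AdmPwd-based LAPS that the linked operations guide covers, the RSAT ActiveDirectory module on the machine running it, and read access to computer object ACLs. The registry paths, CSE GUID and DLL location are the ones the legacy LAPS installer and ADMX template use; `Test-LapsSelfWrite` is a helper defined here, not a LAPS cmdlet.

```powershell
# Added example (not from the thread): audit the three LAPS preconditions on this
# client and report domain-wide coverage. Legacy (AdmPwd) LAPS is assumed throughout.
Import-Module ActiveDirectory

# The two LAPS schema attributes the computer object must be allowed to write.
$attrNames = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime')

# --- Condition 1 (local): CSE DLL present and registered as a GP client-side extension ---
$cseDll  = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
$cseGuid = '{D76B9641-3288-4f75-942D-087DE603E3EA}'   # GUID the LAPS installer registers for AdmPwd.dll
$cseKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$cseGuid"
$cseOk   = (Test-Path $cseDll) -and (Test-Path $cseKey)

# --- Condition 3 (local): the policy (GPO or registry) has set AdmPwdEnabled = 1 ---
$polKey   = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$enabled  = (Get-ItemProperty -Path $polKey -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
$policyOk = ($enabled -eq 1)

# --- Condition 2 (AD): SELF holds an Allow WriteProperty ACE on both attributes ---
function Test-LapsSelfWrite {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Resolve each attribute's schemaIDGUID, which is what attribute-scoped ACEs reference.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuids = foreach ($a in $attrNames) {
        $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)" -Properties schemaIDGUID
        [guid]$o.schemaIDGUID
    }

    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($g in $attrGuids) {
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            # An empty ObjectType means "all properties", which also satisfies the requirement.
            ($_.ObjectType -eq $g -or $_.ObjectType -eq [guid]::Empty)
        }
        if (-not $hit) { return $false }
    }
    return $true
}
$selfWriteOk = Test-LapsSelfWrite -ComputerName $env:COMPUTERNAME

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    CseInstalled     = $cseOk
    SelfWriteGranted = $selfWriteOk
    PolicyEnabled    = $policyOk
    LapsFunctional   = ($cseOk -and $selfWriteOk -and $policyOk)
} | Format-List

# --- Coverage: a populated expiration time means LAPS has actually managed that computer ---
$all       = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
$managed   = @($all | Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' })
$unmanaged = @($all | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' })
"LAPS-managed computers: $($managed.Count); not yet managed: $($unmanaged.Count)"
$unmanaged | Select-Object Name, DistinguishedName | Sort-Object DistinguishedName

# A domain controller with a LAPS expiration time means the domain Administrator password
# is being rotated, the outcome the earlier answer warns about. Flag it loudly.
$dcNames = @((Get-ADDomainController -Filter *).Name)
$managed | Where-Object { $dcNames -contains $_.Name } |
    ForEach-Object { Write-Warning "LAPS is managing domain controller $($_.Name)" }
```

Run it elevated on a domain-joined client after a `gpupdate /force`. The local section shows why a domain-level link alone changes nothing on a machine without the CSE and SELF write (conditions 1 and 2 stay false), and the coverage section answers the dense-OU concern directly: instead of reasoning about OU inheritance, list the computers whose expiration attribute is still empty and fix those. If the domain-controller warning ever fires, remove the CSE from the DCs and revoke SELF write on the Domain Controllers OU, as the previous answer recommends.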