Local Administrator Password Solution FAQs
- Has the ISO approved the use of LAPS on campus?
Yes, the ISO has approved the use of LAPS on campus.
- Who has access to the password stored in Active Directory?
Anyone with Full Control permissions on a computer object in AD can see its local Administrator password. This includes any Department Administrators (which are created and managed in the Department User Tools), as well as any member of a group for which the Standard Computer Delegation or LAPS Delegation has been set.
The Domain Administrators also have access to the password, but will not process requests from Departments to provide a password. Obtaining a password should be handled by the Department Administrators or other delegated staff.
- What is the difference between the Standard Computer Delegation and the LAPS Delegation?
The Standard Computer Delegation provides Full Control to all computer objects under the specified OU. This includes the ability to create new computer objects, delete any computer objects, and reset the account.
The LAPS Delegation only provides the necessary permissions to read the confidential attribute where the local Administrator password is stored.
- Is access to the password that is stored in Active Directory logged?
Yes, ITS-Systems and ISO staff are able to audit access to the password stored in Active Directory.
- Can I manage the password for multiple accounts on each computer?
No. LAPS can only be used to manage a single account on each computer. This could be the built-in Administrator account OR a single custom local account.
- Does LAPS set the local Administrator password to be the same password on each computer?
No. LAPS will generate a unique password for each computer.
- I get the following error in a computer's Application log:
Message: Could not write changed password to AD. Error 0x80070032
Event ID: 7
This error indicates that the computer does not have the necessary permission to write the password to its object in Active Directory. Please submit an AD Request to have permissions set on your Department OU.
- Where can I submit a request for my Department to use LAPS?
A Department OU owner should submit an AD Request with the following information: the AD group that should be given access to the password, and the OU to apply the delegation to (because of permission inheritance, this will affect all sub-OUs).
- Where can I get more information or ask additional questions?
Contact the ITS Service Desk.
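
The difference between Full Control (Standard Computer Delegation) and read access to the password attribute alone (LAPS Delegation) can be seen in a computer object's ACL. The PowerShell below is an added example, not part of the original FAQ or any ITS tooling; it assumes the legacy Microsoft LAPS schema (password attribute ms-Mcs-AdmPwd), the RSAT ActiveDirectory module, and a hypothetical computer name EXAMPLE-PC01.

```powershell
# Added example: list the principals whose ACEs allow reading the LAPS password
# on one computer object, and say whether that comes from Full Control or from
# a right scoped to the password attribute.
# Assumptions: legacy Microsoft LAPS (attribute ms-Mcs-AdmPwd), RSAT
# ActiveDirectory module, hypothetical computer name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ComputerName = 'EXAMPLE-PC01'   # hypothetical

# The attribute's schemaIDGUID differs per forest, so look it up in the schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd was not found in the schema.' }
$pwdGuid = [guid]$attr.schemaIDGUID
$anyGuid = [guid]::Empty          # ACE applies to all attributes / rights

$extended   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# A confidential attribute is readable only with the control-access
# (ExtendedRight) bit, which Full Control also contains.
# Not evaluated here: Deny ACEs and nested group membership.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $extended) -ne 0) -and
        ($_.ObjectType -eq $anyGuid -or $_.ObjectType -eq $pwdGuid)
    } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        $kind = if (($rights -band $genericAll) -eq $genericAll) { 'Full Control' }
                elseif ($_.ObjectType -eq $pwdGuid) { 'Password attribute only' }
                else { 'All extended rights' }
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Access    = $kind
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Access, Principal -Unique
```

Rows marked Inherited come from a delegation set higher up, such as on the Department OU.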