{"id":127,"date":"2021-12-06T17:12:02","date_gmt":"2021-12-06T17:12:02","guid":{"rendered":"https:\/\/12stick.de\/?page_id=127"},"modified":"2026-05-05T09:19:44","modified_gmt":"2026-05-05T09:19:44","slug":"what-about-using-laps","status":"publish","type":"page","link":"https:\/\/www.12beAdmin.com\/?page_id=127","title":{"rendered":"What about using LAPS?"},"content":{"rendered":"\n<p><strong>You should have both!<\/strong>\u00a0If you are running\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noreferrer noopener\">LAPS (Local Admin Password Solution)<\/a>\u00a0from Microsoft, you already have an individual password for one local administrative account on each machine. This can be the built-in Administrator with RID 500 or a custom one. This account\u00a0<strong>cannot<\/strong>\u00a0be managed centrally by AD. Account expiration, enabling or disabling the account on demand, password changes, etc. are handled by the local machine (SAM), which may be firewalled or not reachable via RPC.<\/p>\n\n\n\n<p><strong>Advantage:<\/strong>&nbsp;The local account can be used offline without a connection to the AD. There are many use cases for the local admin account.<\/p>\n\n\n\n<p><strong>Disadvantage:<\/strong>\u00a0The local account cannot be controlled from AD. Sometimes you need access to your network to install software, get content, or read\/write resources from your network in general. The AD user can be handled like any other user. You can assign NTFS permissions, integrate it into existing groups, etc. LAPS prior to Windows 11 24H2 cannot use passphrases, which makes it very inconvenient to use.<\/p>\n\n\n\n<p><strong>Benefit of AD Users and Groups:<\/strong>&nbsp;You can use the&nbsp;<em>computername-admins<\/em>&nbsp;group to permanently gain administrative rights on an individual machine. 
You can also create personal user accounts for your administrators and handle them like the&nbsp;<em>computername-admin<\/em>. Enable it on demand, add an expiration, probably keep the password<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You should have both!\u00a0If you are running\u00a0LAPS (Local Admin Password Solution)\u00a0from Microsoft, you already have an individual password for one local administrative account on each machine. This can be the built-in Administrator with RID 500 or a custom one. This account\u00a0cannot\u00a0be managed centrally by AD. Account expiration, enabling or disabling the account on demand, password changes &#8230; <a title=\"What about using LAPS?\" class=\"read-more\" href=\"https:\/\/www.12beAdmin.com\/?page_id=127\" aria-label=\"More information about What about using LAPS?\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-127","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=127"}],"version-history":[{"count":7,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/127\/revisions"}],"predecessor-version":[{"id":284,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/127\/revisions\/284"}],"wp:attachment":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=127"}],"cur
ies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}