How granular is the control to give read access? Can you limit per computer and specific individuals? or only per AD OU security groups? Is it scaling well enough and still maintainable that you could setup individuals access to their own workstation only, ,but also have departmental and site IT power users that could read the admin password on a group, department, OU or site level?
It basically depends upon how you build out your AD and group structure. By default it wont be that granular as you have to define and basically assign permissions to groups against OUs. So if you are looking for flexibility you may be better off looking for a third-party solution.
Hello, this was performed on a Active Directory Domain Controller, this was because LAPS needs to integrate into Active Directory so that user accounts can access the information from a centrally controlled location. Hope this helps.
FYI, LAPS doesn't need to be run on a DC. In fact the whole point of LAPS is that it runs isolated on member servers or computers and reports back to AD.
@@esit2082 No, the config must be done in 2 parts... - One in the server, where you have installed ADU&C GUI, you must install: the LAPS Sw downloaded, then install ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExirationTime modules. Edit GPO´s, activate the Advanced view in the ADU&C GUI, then goto Attribute Editor and search ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExirationTime... (for eache client computer in the AD???)(if you have 2000 workstation wold be something more automated...) -And the second part "the client side config.": goto each client computer and install the LAPS Sw, but you can only install: GPO Extension, Fat client and PSmodules (Mgmt tools and GPO templates couldn´t be necessary for clients). This is a summary of the video info... ;b
Hello, Microsoft laps is a free download and can be used on any machine. The only licensing you need is a valid active directory license for your server.
Do you need to manually set for each workstation?
Yes, you would have to manually set this on each device.
How granular is the control to give read access? Can you limit per computer and specific individuals? or only per AD OU security groups? Is it scaling well enough and still maintainable that you could setup individuals access to their own workstation only, ,but also have departmental and site IT power users that could read the admin password on a group, department, OU or site level?
It basically depends upon how you build out your AD and group structure. By default it wont be that granular as you have to define and basically assign permissions to groups against OUs. So if you are looking for flexibility you may be better off looking for a third-party solution.
What is the host computer you were running this on? Is it the AD computer, client computer, administrator computer? Wasn't clear in the video.
Hello, this was performed on a Active Directory Domain Controller, this was because LAPS needs to integrate into Active Directory so that user accounts can access the information from a centrally controlled location. Hope this helps.
FYI, LAPS doesn't need to be run on a DC. In fact the whole point of LAPS is that it runs isolated on member servers or computers and reports back to AD.
@@esit2082 No, the config must be done in 2 parts... - One in the server, where you have installed ADU&C GUI, you must install: the LAPS Sw downloaded, then install ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExirationTime modules. Edit GPO´s, activate the Advanced view in the ADU&C GUI, then goto Attribute Editor and search ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExirationTime... (for eache client computer in the AD???)(if you have 2000 workstation wold be something more automated...)
-And the second part "the client side config.": goto each client computer and install the LAPS Sw, but you can only install: GPO Extension, Fat client and PSmodules (Mgmt tools and GPO templates couldn´t be necessary for clients).
This is a summary of the video info... ;b
What’s the licensing on it? How is it licensed?
Hello, Microsoft laps is a free download and can be used on any machine. The only licensing you need is a valid active directory license for your server.