Protect domain-joined computer passwords with Windows’ Local Administrator Password Solution (Security News, August 2022)
That's because changing the passwords has to be done manually and individually. You also have to find a way to keep everyone up to date on the latest unique, strong password for each server without saving those passwords somewhere an attacker can also find them, like a PASSWORDS.XLS spreadsheet.
The Local Administrator Password Solution is a tool Microsoft has offered since 2015 that deals with exactly that problem.
It generates unique, strong passwords for the local admin account on every computer in your domain using your policy for password complexity, stores them in your Active Directory and automatically replaces them with new passwords, again using your password age policy.
Originally, Microsoft decided not to encrypt the admin passwords LAPS stores in AD because of the complexity for admins in managing the encryption scheme and because of the assumption that AD is usually secured well enough to protect the passwords.
With the extra protection of encryption, you can now use LAPS to handle other kinds of account passwords as well as local admin, in particular the Directory Services Restore Mode administrator password that lets you boot a domain controller into a special mode where you can repair or restore Active Directory.
Now you can use the "Configure Size Of Encrypted Password History" setting to match the number of older passwords you keep to your backup policy: if you keep six months or a year's worth of backups for computers, you can make sure you store that many passwords as well.
News URL
https://www.techrepublic.com/article/protect-passwords-local-administrator-solution/