Add ability to define a different local account than the default administrator account #183

Open
kheldorn opened this issue Oct 19, 2022 · 4 comments
Labels: enhancement, pinned

@kheldorn

I'm pretty sure this must have come up before; in fact, I found #150, but the response there was just that there is no support for changing the local managed account from the default administrator account.

But are there any plans on changing this?

We are in the process of upgrading our infrastructure. Been using LAPS on the clients for years and we'd REALLY like to continue using a different local account and keep the default administrator account disabled. Currently the inability to use a different account is a blocker in implementing LAM for us.

@kheldorn kheldorn added the enhancement New feature or request label Oct 19, 2022
@kheldorn kheldorn changed the title Add ability to define a different local account that the default administrator account Add ability to define a different local account than the default administrator account Oct 20, 2022
@ryannewington ryannewington self-assigned this Oct 26, 2022
@ryannewington
Member

@kheldorn Thanks for reaching out.

Yep, you are correct in that we don't offer the ability to manage a different account.

You can keep using the MS LAPS agent to manage the password on the non-built-in-admin account and AMS will be able to read that password just fine.

Alternatively, is renaming the built-in admin account an option? Our agent doesn't care what the account is actually called - it's just going to try to manage the account with the well-known administrators SID.
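
The SID-based targeting described in the reply above, as an added example that is not part of the thread or the project's own code: a PowerShell audit showing which local administrator accounts an agent that only manages the built-in account (RID 500) would and would not cover. The function names and the sample accounts are hypothetical and constructed for illustration; `Get-LocalUser` and `Get-LocalGroupMember` are the standard Microsoft.PowerShell.LocalAccounts cmdlets.

```powershell
function Test-BuiltinAdminSid {
    param([Parameter(Mandatory)][string]$Sid)
    # The built-in Administrator is S-1-5-21-<machine id>-500, whatever its name is.
    return $Sid -match '^S-1-5-21-\d+-\d+-\d+-500$'
}

function Get-LocalAdminAudit {
    param(
        # Objects exposing Name, SID and Enabled; defaults to the live local accounts.
        [object[]]$Users = (Get-LocalUser),
        # Members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
        [object[]]$AdminMembers = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    $adminSids = @($AdminMembers | ForEach-Object { [string]$_.SID })
    foreach ($u in $Users) {
        $sid = [string]$u.SID
        $isRid500 = Test-BuiltinAdminSid -Sid $sid
        # Report the built-in account and every other local user with admin rights.
        if ($isRid500 -or ($adminSids -contains $sid)) {
            [pscustomobject]@{
                Name              = $u.Name
                SID               = $sid
                Enabled           = $u.Enabled
                ManagedBySidAgent = $isRid500   # only RID 500 is picked up by SID
            }
        }
    }
}

# Constructed sample: a renamed, disabled built-in account, a custom admin
# account (the setup the issue author wants to keep) and a standard user.
$machine = 'S-1-5-21-1111111111-2222222222-3333333333'
$sampleUsers = @(
    [pscustomobject]@{ Name = 'renamed-builtin'; SID = "$machine-500";  Enabled = $false }
    [pscustomobject]@{ Name = 'lapsadmin';       SID = "$machine-1001"; Enabled = $true }
    [pscustomobject]@{ Name = 'alice';           SID = "$machine-1002"; Enabled = $true }
)
$sampleMembers = @($sampleUsers[0], $sampleUsers[1])

Get-LocalAdminAudit -Users $sampleUsers -AdminMembers $sampleMembers | Format-Table -AutoSize

# On a real Windows host, query the local account database instead:
# Get-LocalAdminAudit | Format-Table -AutoSize
```

Any row that is enabled but has `ManagedBySidAgent` set to false is a local administrator whose password needs another rotation mechanism.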

@kheldorn
Author

Hmm, will have to look into running MS LAPS and AMS in parallel.

Renaming the built-in admin account is not really an option. That is way too messy and error-prone.

Currently looking at the new Windows LAPS they showcased earlier this week. That at least seems to incorporate a lot of features the old MS LAPS is missing, though not on the level of AMS.

@ryannewington
Member

AMS v2 can also read passwords generated by new LAPS. Downside is that it's currently Win11 only - but there is talk about down-level OS porting.

I can commit to adding this to our backlog (we do actually support configuring the username for our Linux and Mac LAPS agents - it's just a bit more complicated for Windows). However, we have quite a few features in the queue for our enterprise customers, so it will come some time after we've finished that. It's a bit tricky to give a timeframe.

@kheldorn
Author

Well, that would be great. It will be some time before I can seriously consider replacing old LAPS anyway.

If you put the ability to define an alternative username into your backlog, my mission here is done. ;)
