boyjaew2 Posted June 24, 2015

I'm taking a run at Microsoft's Local Administrator Password Solution (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899 I am wondering, if I implement LAPS, isn't its effectiveness going to be hindered by having the ccm network account located in the local admin group on all PCs? It has been a long time since I set up ccm, so I have probably done something stupid here. I know the account has to be in the local admin group, but I also have it in the Domain Admins group. I'm guessing it is the second part that is the stupid bit. Correct? It is a system account, but I should probably go ahead and pull it out of the Domain Admins group, right? Any guidance on setting permissions/access for that account? I'm assuming the way I have it is very dangerous. Thanks
boyjaew2 Posted June 24, 2015

Starting with this - http://www.windows-noob.com/forums/index.php?/topic/6274-how-to-set-proper-user-rights-permissions-for-sccm-2012s-service-accounts/
Jorgen Nilsson Posted June 24, 2015

Hi, It would have been, but the Network Access Account should NEVER be local administrator on any client; the password is really easy to read during an OS Deployment if you have F8 enabled, for instance. It should be a normal domain user account, which you can restrict in many ways. It is only used to access content on the DP, for instance; it is never used to run anything on the clients. So LAPS will work just fine with SCCM. Regards, Jörgen
boyjaew2 Posted June 24, 2015

Weird. So, I'm looking at "Client Push Installation Properties/Accounts". This is the account I'm talking about. This one says it must be a member of the local admin group on the destination computer. Am I getting my lines crossed here? I'm using the same account for both Client Push and Network Access Account. Probably bad? I'm trying to think of a good way to delegate control. It seems like I probably need two accounts, which is probably mentioned in the tutorials, but it's been ages since I set it up. I'm thinking I need to have two accounts (at least).
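An added audit script (not from the thread or from Microsoft) that checks the points raised above: the Network Access Account should be neither a local Administrator nor a Domain Admin, the Client Push account needs local Administrators but not Domain Admins, and the two should not be the same account. The account names and domain are placeholders; it assumes the RSAT ActiveDirectory module and the built-in LocalAccounts module (Windows 10 / Server 2016 or later), and WinRM for remote computers.

```powershell
# Added example, not part of the original thread. Account names are placeholders.
param(
    [string]$NetworkAccessAccount = 'CONTOSO\svc-sccm-naa',   # placeholder NAA
    [string]$ClientPushAccount    = 'CONTOSO\svc-sccm-push',  # placeholder push account
    [string[]]$ComputerName       = @($env:COMPUTERNAME)      # clients to inspect
)
Import-Module ActiveDirectory

# True if the account (DOMAIN\sam) is a direct or nested member of Domain Admins.
function Test-DomainAdminMembership {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return [bool]($members -contains $sam)
}

# True if the account is listed in the local Administrators group of $Computer.
function Test-LocalAdminMembership {
    param([string]$Account, [string]$Computer)
    $query = { Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name }
    $members = if ($Computer -ieq $env:COMPUTERNAME) { & $query }
               else { Invoke-Command -ComputerName $Computer -ScriptBlock $query }
    return [bool]($members -contains $Account)
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Scope, [string]$Message) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Finding = $Message })
}

if ($NetworkAccessAccount -ieq $ClientPushAccount) {
    Add-Finding 'Design' 'Same account used for Network Access and Client Push; use two accounts.'
}
if (Test-DomainAdminMembership $NetworkAccessAccount) {
    Add-Finding 'AD' "$NetworkAccessAccount is in Domain Admins; it only needs DP content access."
}
if (Test-DomainAdminMembership $ClientPushAccount) {
    Add-Finding 'AD' "$ClientPushAccount is in Domain Admins; it only needs local admin on targets."
}
foreach ($c in $ComputerName) {
    if (Test-LocalAdminMembership $NetworkAccessAccount $c) {
        Add-Finding $c "Network Access Account is a local Administrator (should never be)."
    }
    if (-not (Test-LocalAdminMembership $ClientPushAccount $c)) {
        Add-Finding $c "Client Push account is not a local Administrator; push install will fail here."
    }
}
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```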