This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LAPS and Safeguard Disk Encryption

I am looking to setup LAPS (Local Administrator Password Solution) to centrally manage Local Administrator Passwords, and have around 2000 machines that have been encrypted using Safeguard Disk Encryption 7.x.

 

I have a couple of questions that I'm hoping someone can assist with.

 

I understand that when others have changed the local administrator password using scripts, Safeguard doesn't recognise the change, has anyone had experience with LAPS, and do the passwords get syncronised?

 

If they do not, has anyone come up with a procedure to syncronise the local admin password with the enterprise solution centrally, without requiring the administrator account to be logged in?

 

I have been looking for any forum, or webpage and have found nothing on this, has anyone else had more success, could you point me in the right direction. 



This thread was automatically locked due to age.
Parents
  • LAPS password rotations occur between the workstation and AD, so SafeGuard will not have any knowledge or ability to intercept the password change since it occurs outside of the workstation's SafeGuard client.  This is a simiar process to what you have already discovered when others have used scripts to rotate the password.

    This will cause user certificate mismatches between the workstation and the certificate in the SafeGuard database for those accounts.  We use LAPS and its great for what it is, but we don't have to account for local users that are utilizing the accounts as we have domain accounts that our users login with.  The only times we utilize the LAPS managed accounts are for when workstations lose domain trust and need to be logged in locally to get added back to the domain, things like that.

    I don't know of any way within SafeGuard to manage the use case you are describing, and based on how the user certificates are generated and updated on user password rotation, I don't believe it would be possible.

  • This is as I suspected, and hoped it would not have been the case.  Thankyou for the time you spent in replying.

     

    I'm not sure if they will incorporate something in the next version.

     

    We were mainly looking to manage the local admin passwords, for increased security, which we use to build the machines,  for when the Users accounts get deleted when users leave.

     

    I'll have a play to work out if there is a process that we could use to enable the machine for another user post deletion,

    I'm assuming that deletion of owner and user accounts will allow machine to us the POA login again! meaning it doesn't matter if the admin password changes.. I'm just going to spend some time in looking into this - whatever happens I'll come back with my findings.

     

Reply
  • This is as I suspected, and hoped it would not have been the case.  Thankyou for the time you spent in replying.

     

    I'm not sure if they will incorporate something in the next version.

     

    We were mainly looking to manage the local admin passwords, for increased security, which we use to build the machines,  for when the Users accounts get deleted when users leave.

     

    I'll have a play to work out if there is a process that we could use to enable the machine for another user post deletion,

    I'm assuming that deletion of owner and user accounts will allow machine to us the POA login again! meaning it doesn't matter if the admin password changes.. I'm just going to spend some time in looking into this - whatever happens I'll come back with my findings.

     

Children
  • If the local admin account's don't have users logging into them regularly, you might explore adding those accounts as Service Accounts which are exempt from POA.

    Do to our current configuration of bypassing POA (which is not recommended), this isn't a requirement so I don't have much experience with the usage of Service Accounts.