LAPS and Safeguard Disk Encryption

I am looking to set up LAPS (Local Administrator Password Solution) to centrally manage local administrator passwords, and have around 2000 machines that have been encrypted using Safeguard Disk Encryption 7.x.

I have a couple of questions that I'm hoping someone can assist with.

I understand that when others have changed the local administrator password using scripts, Safeguard doesn't recognise the change. Has anyone had experience with LAPS, and do the passwords get synchronised?

If they do not, has anyone come up with a procedure to synchronise the local admin password with the enterprise solution centrally, without requiring the administrator account to be logged in?

I have been looking for any forum or webpage and have found nothing on this. Has anyone else had more success? Could you point me in the right direction?



  • Hi Neil,

    I have no knowledge of LAPS but I can explain the procedure that Safeguard uses to process password changes.

    If a user wants to change their password, the correct way of doing this is:

    • POA | Options | Check 'Change password at next logon'
    • Ctrl+Alt+Del | Change A Password.

    This action is then captured by the credential provider on the local SafeGuard protected machine.

    This is explained in more detail here, http://sophos.com/kb/117256.

    I hope this helps.

    Bill.

  • LAPS password rotations occur between the workstation and AD, so SafeGuard will not have any knowledge or ability to intercept the password change, since it occurs outside of the workstation's SafeGuard client. This is a similar process to what you have already discovered when others have used scripts to rotate the password.

    This will cause user certificate mismatches between the workstation and the certificate in the SafeGuard database for those accounts. We use LAPS and it's great for what it is, but we don't have to account for local users that are utilising the accounts, as we have domain accounts that our users log in with. The only times we utilise the LAPS-managed accounts are when workstations lose domain trust and need to be logged in to locally to get added back to the domain, things like that.

    I don't know of any way within SafeGuard to manage the use case you are describing, and based on how the user certificates are generated and updated on user password rotation, I don't believe it would be possible.

  • Thank you for the info. I have seen this before; appreciate the time you spent in replying.

  • This is as I suspected, and I had hoped it would not be the case. Thank you for the time you spent in replying.

    I'm not sure if they will incorporate something in the next version.

    We were mainly looking to manage the local admin passwords, which we use to build the machines, for increased security, and for when users' accounts get deleted when users leave.

    I'll have a play to work out if there is a process that we could use to enable the machine for another user post deletion.

    I'm assuming that deletion of the owner and user accounts will allow the machine to use the POA login again, meaning it doesn't matter if the admin password changes. I'm just going to spend some time looking into this; whatever happens, I'll come back with my findings.

  • If the local admin accounts don't have users logging into them regularly, you might explore adding those accounts as Service Accounts, which are exempt from POA.

    Due to our current configuration of bypassing POA (which is not recommended), this isn't a requirement for us, so I don't have much experience with the usage of Service Accounts.