Remote UAC, LAPS
Hi,
So I've been testing out PDQ Deploy in our Windows AD environment, where we use a domain to deploy apps remotely to Windows machines (7 & 10) on AD. Whenever we try to use a local admin account on a remote machine on AD, it gives an access denied error. The solution is to disable Remote UAC via the LocalAccountTokenFilterPolicy registry key on remote machines (https://support.adminarsenal.com/hc/en-us/articles/220533007). This would have to be the case with machines that are not on AD.
We're in the process of getting a license for PDQ and setting up PDQ on its own Windows 2012 server; however, the sys admins and network security team are concerned. The sys admins prefer NOT to use a domain account but instead a managed service account with no admin rights to remote machines. In addition, they would want LAPS to be used as well, which makes sense.
I believe LAPS can only be used on local accounts and not on a domain account. So if we were to use LAPS on a local admin account for deploying apps via PDQ Deploy, wouldn't it require Remote UAC to be disabled on all remote machines? This of course is where network security gets concerned. Any guidance is really appreciated, thanks!
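The question above hinges on the state of the LocalAccountTokenFilterPolicy value on each endpoint. The script below is an added example written for this thread; it is not from the original poster, PDQ, or Microsoft. It audits that value on a list of machines over PowerShell Remoting and, optionally, checks whether each computer object in AD carries the legacy LAPS password-expiration attribute (ms-Mcs-AdmPwdExpirationTime), so a security team can see which machines have remote UAC filtering disabled and whether a LAPS-managed local admin password is actually in place there. It assumes WinRM is enabled on the targets, that the caller has local admin rights on them, and (for the AD lookup) that the ActiveDirectory RSAT module is installed; the computer names are constructed placeholders.

```powershell
# Added example, not part of the original post or of PDQ's documentation.
# Audits the Remote UAC filtering setting on remote machines and correlates it
# with whether LAPS manages the local Administrator password in AD.
# Assumptions: WinRM reachable, caller is local admin on targets, RSAT AD module
# present if -CheckLaps is used. Computer names below are placeholders.

param(
    [string[]]$ComputerName = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02'),  # placeholders
    [switch]$CheckLaps
)

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'LocalAccountTokenFilterPolicy'

# Runs on each target. Returns the DWORD value, or $null when it is not set.
# Absent or 0 = Windows default (remote UAC token filtering ON for local admins).
# 1 = filtering disabled, which is what PDQ needs for a local admin account.
$auditBlock = {
    param($Path, $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RemoteUacReport {
    param([string[]]$Computers, [switch]$WithLaps)

    foreach ($computer in $Computers) {
        $value = $null
        $state = $null
        try {
            $value = Invoke-Command -ComputerName $computer -ScriptBlock $auditBlock `
                                    -ArgumentList $regPath, $valueName -ErrorAction Stop
            $state = switch ($value) {
                1       { 'Remote UAC filtering DISABLED (local admins get full token remotely)' }
                0       { 'Remote UAC filtering enabled (explicitly set to 0)' }
                default { 'Remote UAC filtering enabled (value absent, Windows default)' }
            }
        }
        catch {
            $state = "Unreachable: $($_.Exception.Message)"
        }

        $lapsManaged = 'not checked'
        if ($WithLaps) {
            try {
                # Legacy LAPS stamps this attribute on managed computer objects.
                $adObj = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop
                $lapsManaged = if ($adObj.'ms-Mcs-AdmPwdExpirationTime') { 'yes' } else { 'no' }
            }
            catch {
                $lapsManaged = "lookup failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            ComputerName                  = $computer
            LocalAccountTokenFilterPolicy = $value
            State                         = $state
            LapsManaged                   = $lapsManaged
        }
    }
}

# Usage: .\Audit-RemoteUac.ps1 -ComputerName PC-EXAMPLE-01,PC-EXAMPLE-02 -CheckLaps
Get-RemoteUacReport -Computers $ComputerName -WithLaps:$CheckLaps | Format-Table -AutoSize
```

Rows showing the policy set to 1 together with LapsManaged = "no" are the ones worth raising with the security team: on those machines remote UAC filtering has been turned off but the local admin password is not unique per host, which is the combination the reply below is careful to avoid.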
Comments
Hi Curtis. In our testing, using LAPS does require disabling Remote UAC. If you are using LAPS as your single local administrative solution (recommended), this doesn't provide an increased security risk since each LAPS account password is unique to each machine. Also, remote UAC doesn't apply to higher privileged domain accounts. Disabling Remote UAC in no way impacts the GUI UAC present on the local machine.
Here is my recommended setup, not using any domain accounts:
Here is some additional information on LAPS and PDQ:
LAPS Integration with PDQ Inventory and PDQ Deploy
Configuring LAPS and PDQ (webcast)