Remote UAC, LAPS,

Comments

1 comment

  • Brigg Angus

    Hi Curtis. In our testing, using LAPS does require disabling Remote UAC. If you are using LAPS as your single local administrative solution (recommended), this doesn't provide an increased security risk since each LAPS account password is unique to each machine. Also, remote UAC doesn't apply to higher privileged domain accounts. Disabling Remote UAC in no way impacts the GUI UAC present on the local machine.

    Here is my recommended setup, not using any domain accounts:

    1. Background Service user for PDQ is a local account unique to the PDQ console machine (for example, .\PDQUser). This user should have a difficult password and be kept safe. This user is not present on any other machine in the organization. The user runs the Background Service for both Deploy and Inventory.
    2. Credentials in PDQ Inventory are LAPS. This works on single domains, multiple domains, and discrete domains/forests. 
    3. Console Users: Admins allowed to use PDQ products. Add/remove as necessary.
    4. All deployments use the "Use PDQ Inventory Scan User credentials first, when available" either in the schedule or Deploy Once window.

     

    Here is some additional information on LAPS and PDQ:
    LAPS Integration with PDQ Inventory and PDQ Deploy
    Configuring LAPS and PDQ (webcast)

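An added example, not part of the comment above and not PDQ's own code: a local audit that checks the pairing the comment relies on, namely that Remote UAC is only disabled on machines where LAPS is also configured. The function names are hypothetical, and the registry locations are the standard Windows and LAPS policy paths rather than values taken from this thread.

```powershell
# Added example: audit "Remote UAC disabled" against "LAPS configured" on this machine.
# Registry paths are standard Windows / LAPS policy locations (assumption: not from the thread).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value is absent
}

function Test-RemoteUacLapsPairing {
    # LocalAccountTokenFilterPolicy = 1 means Remote UAC is disabled:
    # local administrators receive an unfiltered token over the network.
    $ltfp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    $remoteUacDisabled = ($ltfp -eq 1)

    # Legacy Microsoft LAPS client policy: AdmPwdEnabled = 1.
    $legacy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'

    # Windows LAPS policy: BackupDirectory 1 (Entra ID) or 2 (AD); 0 or absent = not managed.
    $winLaps = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' 'BackupDirectory'
    if ($null -eq $winLaps) {
        $winLaps = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS' 'BackupDirectory'
    }
    $lapsConfigured = ($legacy -eq 1) -or ($winLaps -in 1, 2)

    $verdict = if ($remoteUacDisabled -and -not $lapsConfigured) {
        'RISK: Remote UAC disabled but no LAPS policy found; a shared local admin password would work remotely'
    } elseif ($remoteUacDisabled) {
        'OK: Remote UAC disabled and LAPS policy present'
    } else {
        'INFO: Remote UAC enabled; local accounts get a filtered token over the network'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RemoteUacDisabled = $remoteUacDisabled
        LapsConfigured    = $lapsConfigured
        Verdict           = $verdict
    }
}

Test-RemoteUacLapsPairing | Format-List
```

The check confirms that a LAPS policy is applied, not that the password has actually been rotated; confirm the stored password and its expiry in the directory separately.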
