Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Remote UAC, LAPS,

So I've been testing out PDQ Deploy in our Windows AD environment where we use a domain to deploy apps remotely to windows machines (7 & 10) on AD. Whenever we try to use a local admin account on remote machine on AD it gives an access denied error. The solution is to disable Remote UAC via the LocalAccountTokenFilterPolicy registry key on remote machines ( This would have to be the case with machines that are not on AD.

We're in the process of getting a license for PDQ and setup PDQ on it's on Windows 2012 server, however the sys admins and network security team are concerned. The sys admins prefer NOT to use a domain account but instead a managed service account with no admin rights to remote machines. In addition, they would want LAPS to be used in addition, which makes sense.

I believe LAPS can only be used on local accounts and not on a domain account. So if we were to use LAPS on a local admin account for deploying app via PDQ Deploy, wouldn't it require Remote UAC to be disabled on all remote machines? This ofcourse is where network security gets concerned. Any guidance is really appreciated, thanks!



1 comment
Date Votes
  • Hi Curtis. In our testing, using LAPS does require disabling Remote UAC. If you are using LAPS as your single local administrative solution (recommended), this doesn't provide an increased security risk since each LAPS account password is unique to each machine. Also, remote UAC doesn't apply to higher privileged domain accounts. Disabling Remote UAC in no way impacts the GUI UAC present on the local machine.

    Here is my recommended setup, not using any domain accounts:

    1. Background Service user for PDQ is a local account unique to the PDQ console machine (for exmaple, .\PDQUser). This user should have a difficult password and be kept safe. This user is not present on any other machine in the organization. The user runs the Background Service for both Deploy and Inventory.
    2. Credentials in PDQ Inventory are LAPS. This works on single domains, multiple domains, and discrete domains/forests. 
    3. Console Users: Admins allowed to use PDQ products. Add/remove as necessary.
    4. All deployments use the "Use PDQ Inventory Scan User credentials first, when available" either in the schedule or Deploy Once window.


    Here is some additional information on LAPS and PDQ:
    LAPS Integration with PDQ Inventory and PDQ Deploy
    Configuring LAPS and PDQ (webcast)