lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Add ability to define a different local account than the default administrator account #183

Open kheldorn opened 1 year ago

kheldorn commented 1 year ago

I'm pretty sure this must have come up before, in fact I found https://github.com/lithnet/access-manager/issues/150 but the response there was just that there is no support for changing the local managed account from the default administrator account.

But are there any plans on changing this?

We are in the process of upgrading our infrastructure. We've been using LAPS on the clients for years and we'd REALLY like to continue using a different local account and keep the default administrator account disabled. Currently the inability to use a different account is a blocker in implementing LAM for us.

ryannewington commented 1 year ago

@kheldorn Thanks for reaching out.

Yep, you are correct in that we don't offer the ability to manage a different account.

You can keep using the MS LAPS agent to manage the password on the non-built-in-admin account and AMS will be able to read that password just fine.

Alternatively, is renaming the built-in admin account an option? Our agent doesn't care what the account is actually called - it's just going to try to manage the account with the well-known Administrator SID.

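The point in the reply above is that the built-in Administrator account is identified by its well-known RID (500), not by its name, so a renamed account is still found. The PowerShell below is an added example illustrating that on a local machine; it is not code from the Access Manager project or its author. The account name 'LapsAdmin' is a hypothetical placeholder for whatever alternative local account a LAPS policy manages.

```powershell
# Added example (not Access Manager code). Demonstrates locating the built-in
# Administrator by RID 500 regardless of its current name, and listing other
# local user accounts that sit in the local Administrators group.

function Get-BuiltinAdministrator {
    # Local account SIDs have the form <machine SID>-<RID>; RID 500 is always
    # the built-in Administrator, whatever it has been renamed to.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function Get-OtherLocalAdministrators {
    # Local user accounts (same machine SID prefix as RID 500) in the local
    # Administrators group, excluding the built-in Administrator itself.
    $builtin = Get-BuiltinAdministrator
    $machinePrefix = $builtin.SID.Value -replace '-500$', ''
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.ObjectClass -eq 'User' -and
            $_.SID.Value -like "$machinePrefix-*" -and
            $_.SID.Value -notmatch '-500$'
        }
}

$builtin = Get-BuiltinAdministrator
if (-not $builtin) { throw 'No local account with RID 500 found' }

[pscustomobject]@{
    Name    = $builtin.Name        # not necessarily 'Administrator' if renamed
    SID     = $builtin.SID.Value
    Enabled = $builtin.Enabled     # the scenario above wants this to stay False
}

# Hypothetical alternative managed account; adjust to the name your LAPS policy uses.
$managedName = 'LapsAdmin'
$candidate = Get-OtherLocalAdministrators | Where-Object { $_.Name -like "*\$managedName" }
if ($candidate) {
    "Local admin '$managedName' found with SID $($candidate.SID.Value) (not RID 500)"
} else {
    "No local user account named '$managedName' in the Administrators group"
}
```

Running this on a machine where the built-in account has been renamed still reports it under whatever name it now carries, which is the behaviour the reply describes; the second function is the check you would use to confirm that a separately managed account is actually a local user with admin rights rather than a domain principal.
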
kheldorn commented 1 year ago

Hmm, will have to look into running MS LAPS and AMS in parallel.

Renaming the built-in admin account is not really an option. That is way too messy and error prone.

Currently looking at the new Windows LAPS they showcased earlier this week. That at least seems to incorporate a lot of features the old MS LAPS is missing, though not on the level of AMS.

ryannewington commented 1 year ago

AMS v2 can also read passwords generated by the new LAPS. The downside is that it's currently Win11 only - but there is talk about down-level OS porting.

I can commit to adding this to our backlog (we do actually support configuring the username for our linux and mac LAPS agents - it's just a bit more complicated for windows). However, we have quite a few features in the queue for our enterprise customers, so it will come some time after we've finished that. It's a bit tricky to give a timeframe.

kheldorn commented 1 year ago

Well, that would be great. It will be some time before I can seriously consider replacing old LAPS anyway.

If you put the ability to define an alternative username into your backlog my mission here is done. ;)