LAPS for computers
Secure local and domain admin emergency computer accounts
Overview
When the idemeum desktop agent is installed and Cloud LAPS is enabled, the agent generates a local admin account (or a domain admin account on domain controllers), sets a random password, encrypts the credentials locally with a master key, and uploads them to the idemeum zero-knowledge vault. Account passwords are additionally secured with daily password rotation. Technicians who are entitled to view these credentials can always retrieve them from the idemeum portal.
Configure LAPS for computers
- Access the customer tenant where you would like to enable LAPS for computers
- Access Settings → PAM
- You can now configure LAPS for local and domain computer accounts:
  - Local admin accounts - if you enable this option, idemeum will automatically secure and rotate passwords for local admin accounts on each domain-joined and local workstation. By default the account used is Administrator, but you can specify any account you like. If the account exists, idemeum will take over and start rotating its password. If the account does not exist, idemeum will create the specified account.
  - Domain admin accounts - when this option is enabled and idemeum is installed on a domain controller, idemeum will start rotating the domain admin account password. By default the account used is Administrator, but you can specify any account you like. If the account exists, idemeum will take over and start rotating its password. If the account does not exist, idemeum will create the specified account.
- Once the options are enabled and the accounts are specified, Save the configuration
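A check an administrator might run on a managed endpoint after saving the configuration, to confirm the account exists and its password is being rotated. This is an added example, not idemeum's own tooling; the 36-hour threshold is an assumed allowance for daily rotation, and the script reads only account metadata, never the password.

```powershell
param(
    [string]$AccountName = 'Administrator',  # default managed account named on this page
    [int]$MaxAgeHours    = 36                # assumption: daily rotation plus slack
)

# DomainRole 4 and 5 are backup and primary domain controllers, where the
# managed account is a domain account rather than a local SAM account.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -ge 4

try {
    if ($isDc) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $acct  = Get-ADUser -Identity $AccountName -Properties PasswordLastSet, Enabled -ErrorAction Stop
        $scope = 'domain'
    } else {
        $acct  = Get-LocalUser -Name $AccountName -ErrorAction Stop
        $scope = 'local'
    }
} catch {
    Write-Warning "Account '$AccountName' not found ($($_.Exception.Message))"
    exit 2
}

$lastSet = $acct.PasswordLastSet
if (-not $lastSet) {
    Write-Warning "The $scope account '$AccountName' has no recorded password change"
    exit 1
}

# Report the password age and whether it falls inside the rotation window.
$ageHours = [math]::Round(((Get-Date) - $lastSet).TotalHours, 1)
$result = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Scope           = $scope
    Account         = $AccountName
    Enabled         = $acct.Enabled
    PasswordLastSet = $lastSet
    AgeHours        = $ageHours
    WithinWindow    = $ageHours -le $MaxAgeHours
}
$result

if (-not $result.WithinWindow) {
    Write-Warning "Password for '$AccountName' is $ageHours h old; rotation may have stalled"
    exit 1
}
```

A non-zero exit code makes the script usable as a scheduled compliance check: 2 means the account is missing, 1 means the password is older than the window.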
View LAPS computer accounts
💡 Cloud LAPS is protected with group-based access control, so you must have access in order to view these credentials. By default all tenant admins are entitled to view LAPS credentials, but you can change that in the PAM settings.
- Navigate to the customer tenant and access the user portal
- Find the device you want to view LAPS credentials for and click on ...
- Choose View LAPS credentials