So we are considering using LAPS; as I understand it, this makes sure every workstation has its own local admin password, making it more difficult for hackers to move horizontally to other workstations in search of domain admin accounts.
Besides local admin, we have helpdesk / system administrator domain accounts, which are added to the local admin group through GPO. This security group is solely used for workstation admin access and cannot log on to servers or AD. The way I see it, these accounts pose the same threat that LAPS tries to solve. If one of the helpdesk accounts gets compromised, all workstations are compromised. OK, unlike local admin accounts, a domain user password is easily reset, but this assumes we are aware of a password hack.
Should I disable the security group, and have administrators and helpdesk staff use the local admin password set by LAPS?
(They probably won't like that, but let's assume they don't care.)
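As an added example, not part of the original post, here is a PowerShell audit script a practitioner would run on a workstation before deciding whether to pull the GPO-managed group out of local Administrators. It lists every member of the local Administrators group, separates the LAPS-managed local account from domain principals pushed in by GPO, expands the helpdesk group to show who really holds admin everywhere, and, where the Windows LAPS module is present, reads the per-machine password from AD the way a helpdesk user would after the group is removed. The group name CONTOSO\Workstation-Admins is an assumption for illustration; Get-ADGroupMember needs the RSAT ActiveDirectory module, and Get-LapsADPassword needs the Windows LAPS module plus read rights on the msLAPS-Password attribute of the computer object.

```powershell
# Added example, not from the original post. Audits local admin holders on a
# workstation and shows the LAPS lookup that would replace group-based admin access.
param(
    [string]$HelpdeskGroup = 'CONTOSO\Workstation-Admins',  # assumed GPO-managed group name
    [string]$ComputerName  = $env:COMPUTERNAME
)

# Enumerate everyone currently in the local Administrators group.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # PrincipalSource tells us whether the entry is a local account or came from AD.
    $kind = switch -Regex ([string]$m.PrincipalSource) {
        'Local'           { 'Local account (LAPS-managed candidate)' }
        'ActiveDirectory' { 'Domain principal (typically GPO-managed)' }
        default           { 'Other' }
    }
    [pscustomobject]@{
        Name     = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Kind     = $kind
        # RID 500 is the built-in Administrator; LAPS manages this or a named local account.
        IsRid500 = ($m.SID.Value -match '-500$')
    }
}

$report | Format-Table -AutoSize

# The risk described in the post: a domain group in local Administrators on every
# workstation means one compromised member account is local admin everywhere.
$groupEntry = $report | Where-Object { $_.Name -ieq $HelpdeskGroup }
if ($groupEntry) {
    Write-Warning "$HelpdeskGroup is a member of local Administrators on $ComputerName"
    # Expand the group so the blast radius (every nested user) is visible.
    $groupSam = ($HelpdeskGroup -split '\\')[-1]
    Get-ADGroupMember -Identity $groupSam -Recursive |
        Select-Object SamAccountName, objectClass
}

# With Windows LAPS, the per-machine password lives on the computer object in AD.
# Scoping read access to msLAPS-Password is where helpdesk rights would move to
# once the group is no longer a local admin.
if (Get-Command Get-LapsADPassword -ErrorAction SilentlyContinue) {
    Get-LapsADPassword -Identity $ComputerName -AsPlainText |
        Select-Object ComputerName, Account, Password, ExpirationTimestamp
}
```

Run it elevated on a domain-joined workstation; the warning fires only when the assumed group name matches an actual entry, so adjust the parameter to the group your GPO adds.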