Q&A Remote managing endpoints with local admin credentials

Knuppel

New Member
Jan 25, 2021
4
So to prevent lateral movement I'm configuring serverless LAPS. Local admin passwords are reset every month, and our global local admin account is removed.
Now I want to remote manage a device. Tried with local credentials but no dice. I can open file explorer with these credentials. Opening services through mmc won't even let me choose credentials.

How do you guys remote manage endpoints whilst not using a global admin account?
 

simalinga

Level 2
Feb 28, 2021
78
> So to prevent lateral movement I'm configuring serverless LAPS. Local admin passwords are reset every month, and our global local admin account is removed.
> Now I want to remote manage a device. Tried with local credentials but no dice. I can open file explorer with these credentials. Opening services through mmc won't even let me choose credentials.
>
> How do you guys remote manage endpoints whilst not using a global admin account?

The devil is in the details, of which you have left out many.

But, in a nutshell, you have to configure the local admin password on the remote machine every single time the password changes on the local machine. If you do not use the same machine every single time to manage the remote one, then before you can access that remote machine you will need direct access to update the credentials.

This is such a problem that companies offer solutions:


You can check out:


It is an old TechNet article, and I'm certain that parts of it are obsolete. However, you might find tidbits of useful info.
 

Knuppel

> The devil is in the details, of which you have left out many.
>
> But, in a nutshell, you have to configure the local admin password on the remote machine every single time the password changes on the local machine. If you do not use the same machine every single time to manage the remote one, then before you can access that remote machine you will need direct access to update the credentials.

Ok just for reference, so we are talking about the same thing here.
The local admin password on the remote machine changes by itself every month, and I can look up this password in Azure Key Vault. I then want to use this password to connect to the remote machine, say through mmc.exe. Thanks for the Microsoft link, the group policies weren't implemented yet.
 

simalinga

> I then want to use this password to connect to the remote machine, say through mmc.exe.

That might not be supported. I would reach out to Microsoft support, because you will not find an answer in Microsoft documentation. Good luck with that though. The lead time on resolving issues or getting questions answered is weeks. You're better off asking on a bunch of Windows admin forums.
 