Sample Security Protocols for Domain and Local Accounts

  • Microsoft Local Administrator Password Solution (LAPS) is to be used to manage the local administrator passwords on all computers on the domain.
  • The LAPS UI desktop app is to be used to manage and read the local administrator passwords.
  • No accounts other than the LAPS-managed local administrator accounts and the DomainLocalAdmin domain account are to have local administrator privileges.
  • The DomainLocalAdmin domain account is only to be used to log into workstations as a fail-safe if LAPS does not have the correct local admin password recorded. The password for the DomainLocalAdmin account is to be changed every time it is used and the account is to be disabled when not in use.
  • Only Helpdesk employees and domain admins are to have read and reset (write) permissions for the LAPS-managed local administrator passwords.
  • All local administrator account passwords are to be at least 14 characters long.
  • All local administrator account passwords are to expire and be changed every 30 days via LAPS.
  • All service account passwords are to be at least 20 characters long.
  • All domain admin account passwords are to be at least 20 characters long.
  • No regular user accounts are to be allowed to log on to servers or management computers.
  • Domain Admin user accounts are to be used only on servers and management computers, and are not to be allowed to log on to workstations.
  • Standard user accounts are not to have local administrator, domain admin, or higher permissions.
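One way to put these rules into practice and to check that they hold, as an added PowerShell example that is not part of the original page: it uses the legacy LAPS PowerShell module (AdmPwd.PS) together with the ActiveDirectory and GroupPolicy RSAT modules, and is meant to be run from a management computer as a Domain Admin, in line with the rules above. The OU, GPO name, the "Helpdesk" and "ServiceAccounts" groups, the "CORP" domain and the assumption that LAPS manages the built-in Administrator account are all hypothetical; the DomainLocalAdmin account name comes from the page.

```powershell
# Added example (not the original page's code). Implements and audits the protocols above.
# Assumed, hypothetical names: adjust the OU, GPO, domain and group names to your environment.
Import-Module AdmPwd.PS, ActiveDirectory, GroupPolicy

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the workstations
$LapsGpo       = 'LAPS - Workstations'                  # assumed GPO linked to $WorkstationOU
$Helpdesk      = 'CORP\Helpdesk'                        # assumed Helpdesk security group
$AdmPwdKey     = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # LAPS client policy key

# --- Items 8 and 9: 14-character LAPS passwords, rotated every 30 days (LAPS "Password Settings" GPO) ---
if (-not (Get-GPO -Name $LapsGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $LapsGpo | New-GPLink -Target $WorkstationOU | Out-Null
}
Set-GPRegistryValue -Name $LapsGpo -Key $AdmPwdKey -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $LapsGpo -Key $AdmPwdKey -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null  # 4 = upper, lower, digits, specials
Set-GPRegistryValue -Name $LapsGpo -Key $AdmPwdKey -ValueName 'PasswordLength'     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $LapsGpo -Key $AdmPwdKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# --- Item 7: computers write their own password; only Helpdesk (and Domain Admins, who already
#     hold full control of the OU) may read or reset it ---
Set-AdmPwdComputerSelfPermission  -OrgUnit $WorkstationOU | Out-Null
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $Helpdesk | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $Helpdesk | Out-Null

# Audit: any other principal with the extended right can read every LAPS password in the OU.
$allowedReaders = @($Helpdesk, 'CORP\Domain Admins', 'CORP\Enterprise Admins', 'NT AUTHORITY\SYSTEM')
Find-AdmPwdExtendedRights -Identity $WorkstationOU |
    ForEach-Object { $_.ExtendedRightHolders } |
    Where-Object  { $_ -notin $allowedReaders } |
    ForEach-Object { Write-Warning "Unexpected LAPS password reader on ${WorkstationOU}: $_" }

# --- Item 6: list computers whose LAPS password is missing or expired. These are the only
#     cases in which the DomainLocalAdmin fail-safe account may be used. ---
function Get-LapsGap {
    $now = Get-Date
    Get-ADComputer -Filter * -SearchBase $WorkstationOU -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'                 # Windows FILETIME as Int64, or empty
            $exp = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
            if (-not $exp -or $exp -lt $now) {
                [pscustomobject]@{
                    Computer   = $_.Name
                    LapsExpiry = $exp
                    Status     = if ($exp) { 'Expired' } else { 'NoLapsPassword' }
                }
            }
        }
}

# After a fail-safe logon with DomainLocalAdmin: rotate its password, disable the account,
# and expire the computer's LAPS password so the client sets a fresh one at its next policy refresh.
function Close-FailSafeSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $newPwd = Read-Host 'New DomainLocalAdmin password (20+ chars)' -AsSecureString
    Set-ADAccountPassword -Identity 'DomainLocalAdmin' -Reset -NewPassword $newPwd
    Disable-ADAccount     -Identity 'DomainLocalAdmin'
    Reset-AdmPwdPassword  -ComputerName $ComputerName
}

# --- Items 10 and 11: 20-character minimum for service and Domain Admin accounts, via a
#     fine-grained password policy (the "ServiceAccounts" group is assumed) ---
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'Privileged-20char'")) {
    New-ADFineGrainedPasswordPolicy -Name 'Privileged-20char' -Precedence 10 -MinPasswordLength 20 `
        -ComplexityEnabled $true -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'Privileged-20char' -Subjects 'Domain Admins', 'ServiceAccounts'

# --- Items 5 and 14: only the LAPS-managed local Administrator and DomainLocalAdmin may be
#     members of the local Administrators group on workstations ---
function Get-LocalAdminViolation {
    $targets = (Get-ADComputer -Filter * -SearchBase $WorkstationOU).Name
    Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
    } | Where-Object {
        $isLapsAdmin = $_.PrincipalSource -eq 'Local' -and ($_.Name -split '\\')[-1] -eq 'Administrator'
        -not ($isLapsAdmin -or $_.Name -eq 'CORP\DomainLocalAdmin')
    }
}

Get-LapsGap            | Format-Table -AutoSize
Get-LocalAdminViolation | Format-Table Computer, Name, PrincipalSource -AutoSize
```

The GPO values written here are the registry-backed settings behind the LAPS ADMX "Password Settings" and "Enable local admin password management" policies; `Find-AdmPwdExtendedRights` is the check to run periodically for item 7, since any delegation of full control on the OU silently grants read access to every stored password. Item 13 (denying Domain Admins interactive logon on workstations) is a user-rights assignment in Group Policy and is not automated in this script.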
other/sample_account_security_protocols.txt · Last modified: 2019/03/15 15:05 by ericclaus