MS LAPS
GOAL: Avoid identical passwords on local accounts, to prevent lateral movement by an attacker
Could avoid local accounts entirely, but:
◦ If no admin credentials are cached, there is no way to log on when off the domain network
◦ Cannot repair the machine if its computer trust account is broken
Typical solution is to use a single administrator password on all workstations and all servers
Solution:
◦ LAPS – Local Administrator Password Solution
◦ Recommended by CIS baseline
◦ Defense in Depth!
https://www.microsoft.com/en-us/download/details.aspx?id=46899
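
A coverage check for the goal above, as an added example that is not part of the original slide or of Microsoft's tooling: machines that LAPS has not yet taken over may still carry the shared password. It assumes the legacy Microsoft LAPS schema, where each computer object's password expiry is stored in the AD attribute ms-Mcs-AdmPwdExpirationTime; the function name Get-LapsCoverage and the sample hosts are constructed for illustration.

```powershell
# Added example. Classifies computer objects by whether LAPS is managing
# their local administrator password. Only the expiry timestamp is read,
# never the password attribute itself.
function Get-LapsCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        # Assumption: legacy LAPS attribute, a FILETIME stored as Int64.
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # Never set: LAPS has not rotated this machine's password.
            $status  = 'Unmanaged'
            $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # Past expiry: the client has stopped checking in or the policy is not applied.
            $status  = if ($expires -lt $Now) { 'Overdue' } else { 'Managed' }
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            Status     = $status
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample data standing in for directory objects.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-001';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-002';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-010'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

$sample | Get-LapsCoverage -Now $now | Sort-Object Status | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module and read access
# to the attribute):
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
#     Get-LapsCoverage | Where-Object Status -ne 'Managed'
```

With the sample data, WS-001 is reported as Managed, WS-002 as Overdue and SRV-010 as Unmanaged.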