TechIDManager’s LAPS – LAPS At MSP Scale

Let’s cut straight to the meat: TechIDManager can replace LAPS with a solution that works at MSP scale for all Windows computers (including non-domain joined, domain joined, and Azure AD joined). LAPS from Microsoft is limited to domains (and, more recently, Azure AD). TechIDManager’s LAPS works on all Windows machines: domain, non-domain, workgroup, and Azure AD joined.

TechIDManager’s agent, DomainService, which does unique technician account management, also does shared local admin password rotation and access management. We do this with the same ZERO-visibility storage that all TechIDManager credentials are stored with. Install the agent, and it will rotate the “Administrator” password every day and let you choose the set of techs that have access to that password.

“How do I set it up?” you ask. Here are the manual steps. There is also a PowerShell script available on the download page, AND we are always willing to help with a white glove install; just book installation assistance.

  1. Download the latest (PRE-RELEASE) DomainService. (version 3.156 or newer)
  2. Copy the zip file to the computer that will use TechIDManager’s LAPS
    1. In this example the machine name is Desktop-GTBAL2
  3. Extract the zip file to a folder
    1. We recommend “c:\Program Files\Ruffian Software\DomainService”
  4. Run these command lines from an administrator command prompt on Desktop-GTBAL2 (keep reading below for details on why the command lines look like this).
    cd "c:\Program Files\Ruffian Software\DomainService"
    DomainService.exe installLAPS
    DomainService.exe shareduser Administrator local clientguid xxx
    DomainService.exe start
  5. In the Management Console, make sure there is a Triplet that grants the desired techs the “ReadSharedUser” right of type “SharedLocalMachine” for the TechIDManager’s LAPS agent, which will be named “Desktop-GTBAL2\Administrator” in our example. Detailed instructions here.
  6. Repeat these steps for any machines you want.


“Why does this work?” you ask. Alright, now that you know the basics of the installation, let’s talk about why and how this works and what other options you have on the install for DomainService.

Let’s start with these command lines to set up everything.

DomainService.exe installLAMS 
DomainService.exe shareduser Administrator local clientguid xxx
DomainService.exe start

DomainService.exe – The executable to run

installLAMS – this argument tells the DomainService to install itself as a service, set all the recovery options for the service, and ONLY run the LAMS part of what DomainService can do. If you are using LAMS to control a local account on a machine AND create unique accounts then you should use the command line “install” (and not “installLAMS”).

shareduser Administrator – this argument tells the DomainService to control the account named “Administrator”, and all the rest of the command line options on this command line apply to that instance of DomainService. If you have renamed the built-in Administrator account to something else, such as MSPAdmin, then you replace “Administrator” with the correct name. i.e. shareduser MSPAdmin

local – this part of the command line tells DomainService this is a local account (vs a domain account), and since it comes after “shareduser” it applies to the “Administrator” account.

clientguid xxx – this part of the command line tells DomainService the clientguid to use; replace xxx with your TechIDManager ClientGuid. This can be set instance specific or for all instances of DomainService running on this machine.

start – this part of the command line tells the DomainService to start the RuffianDomainService. This is the same as “net start RuffianDomainService”. 

There are many other options that can be set for each instance of DomainService. 

To set the FriendlyName or RMMName use these command lines

DomainService.exe shareduser Administrator friendlyname "Jenny's dev machine"
DomainService.exe shareduser Administrator rmmname "867-5309"

With the above command lines, note how we first tell DomainService that the command line options apply to the shareduser Administrator instance and then we use the normal syntax for the FriendlyName or RMMName. Any option that can be set can be set instance specific.
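
A post-install check for the daily rotation described above, as an added example (it is not TechIDManager's code and not the PowerShell script from the download page). It uses the service name RuffianDomainService and the shareduser account name from this page; the function name and the 26-hour staleness threshold are assumptions.

```powershell
# Added example: verify on a managed machine that the agent service is running
# and that the shared local admin password has been changed recently.
# Assumptions (not from the vendor): function name, 26-hour threshold.
function Test-SharedAdminRotation {
    [CmdletBinding()]
    param(
        # Name passed to "shareduser"; change it if the built-in account was renamed.
        [string]$AccountName = 'Administrator',
        # Service name as used with "net start" on this page.
        [string]$ServiceName = 'RuffianDomainService',
        # Daily rotation plus some slack for machines that were powered off.
        [int]$MaxAgeHours = 26
    )

    $findings = @()

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "Service '$ServiceName' is not installed."
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service '$ServiceName' is $($svc.Status), not Running."
    }

    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        $findings += "Local account '$AccountName' not found (renamed?)."
    } elseif (-not $user.PasswordLastSet) {
        $findings += "Local account '$AccountName' has no recorded password change."
    } else {
        $age = (Get-Date) - $user.PasswordLastSet
        if ($age.TotalHours -gt $MaxAgeHours) {
            $findings += "Password for '$AccountName' is {0:N1} hours old." -f $age.TotalHours
        }
    }

    # One object per machine so results can be collected through an RMM tool.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Account         = $AccountName
        PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
        Healthy         = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

Test-SharedAdminRotation
```

Run it from an administrator PowerShell prompt on the managed machine; a result with Healthy set to False lists what needs attention in Findings.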