Last December I presented at Moscow IT Pro UG about Microsoft LAPS. The recording of the presentation has finally been processed and is available on YouTube:
Do not forget to enable English subtitles (they are NOT auto-translated :D)
You may find the PPTX file here.
After the presentation, I was asked a couple of questions:
Q: Does the GUI tool send the password in plain text over the network?
A: No. The LAPS UI binds to LDAP with Kerberos via SASL and requests signing and sealing, so the password attribute is encrypted on the wire. The risk is in your own scripts and tools: if you clear LDAP_OPT_ENCRYPT (i.e. disable sealing) or use ldap_simple_bind without TLS/SSL, both your bind credentials and the returned ms-Mcs-AdmPwd value travel in clear text, and anyone who can sniff the segment gets the local administrator password.
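To make the point concrete, here is an added example (my own code, not the LAPS UI or anything shipped by Microsoft) that reads ms-Mcs-AdmPwd with System.DirectoryServices.Protocols, forces a sealed Kerberos session (or LDAPS), and refuses to run the search if neither is in effect. The DC name, the computer DN and the delegated read rights are placeholders you have to supply.

```powershell
# Added example, not from the original post: read a LAPS password over a signed and
# sealed LDAP session, and refuse to search if the session is not encrypted.
# Placeholders (assumptions): the DC name, the computer DN and the delegated read rights.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LapsPassword {
    param(
        [Parameter(Mandatory)] [string] $Server,       # e.g. 'dc01.corp.example' (placeholder)
        [Parameter(Mandatory)] [string] $ComputerDn,   # e.g. 'CN=WS001,OU=Workstations,DC=corp,DC=example'
        [switch] $UseLdaps                             # alternative: TLS on 636 instead of SASL sealing
    )
    $port = if ($UseLdaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)

    # Kerberos via SASL: the caller's existing ticket is used, no password is typed or sent.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($UseLdaps) {
        $conn.SessionOptions.SecureSocketLayer = $true    # whole session inside TLS
    } else {
        # Both must be set BEFORE Bind(); they cannot be combined with SSL on the same session.
        $conn.SessionOptions.Signing = $true              # LDAP_OPT_SIGN: integrity
        $conn.SessionOptions.Sealing = $true              # LDAP_OPT_ENCRYPT: confidentiality
    }
    $conn.Bind()

    # Check before touching the attribute: with neither TLS nor sealing on, the value
    # returned by the search would cross the network in clear text.
    if (-not ($conn.SessionOptions.SecureSocketLayer -or $conn.SessionOptions.Sealing)) {
        $conn.Dispose()
        throw "Refusing to read ms-Mcs-AdmPwd over an unencrypted LDAP session."
    }

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $ComputerDn, '(objectClass=computer)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))
    $resp = $conn.SendRequest($req)
    $conn.Dispose()

    if ($resp.Entries.Count -ne 1) { throw "No such computer object: $ComputerDn" }
    $entry = $resp.Entries[0]

    # ms-Mcs-AdmPwd is only returned if the caller has read access to it; otherwise the
    # attribute is simply absent from the result rather than producing an error.
    if (-not $entry.Attributes.Contains('ms-Mcs-AdmPwd')) {
        throw "ms-Mcs-AdmPwd not returned: the caller lacks read permission on the attribute."
    }
    $expires = $null
    if ($entry.Attributes.Contains('ms-Mcs-AdmPwdExpirationTime')) {
        $raw     = $entry.Attributes['ms-Mcs-AdmPwdExpirationTime'].GetValues([string])[0]
        $expires = [DateTime]::FromFileTime([int64]$raw)   # stored as a Windows FILETIME
    }
    [pscustomobject]@{
        ComputerDn = $ComputerDn
        Password   = $entry.Attributes['ms-Mcs-AdmPwd'].GetValues([string])[0]
        Expires    = $expires
    }
}

# The pattern the answer above warns about: a simple bind with explicit credentials on
# port 389 and no TLS sends the bind password AND the returned attribute in the clear.
#   $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
#   $conn.Credential = Get-Credential           # cleartext on the wire
#   $conn.SessionOptions.Sealing = $false       # LDAP_OPT_ENCRYPT = 0

# Usage (placeholder names):
# Get-LapsPassword -Server 'dc01.corp.example' -ComputerDn 'CN=WS001,OU=Workstations,DC=corp,DC=example'
```

The guard before the search is the part worth copying into your own tooling: Signing and Sealing only take effect when set before Bind(), so checking the session options after the bind is what tells you what you actually got rather than what you asked for.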
Q: Why do we even need those local accounts? Why not to disable them completely?
A: If a machine loses its connection to AD (after a network configuration change, for example), you will want to bring it back online without disruptive actions such as a reboot, an offline password reset and so on. If you count on the machine still holding a cached copy of your domain credentials, you may find yourself in a stressful situation when you discover that, in fact, it does not: Windows caches only a limited number of previous domain logons, and only for users who have actually signed in interactively on that machine before.