AcloudA

Deploying the Local Administrator Password Solution (LAPS)

Posted by Nicolas Prigent on June 26, 2017


Microsoft offers the Local Administrator Password Solution (LAPS) to address a common problem: the same local administrator account with the same password on every computer in a domain, so that one compromised machine hands an attacker local admin on all of them. LAPS sets a different, random password for that local account on every computer in the domain and stores it in Active Directory. Domain administrators decide which users, such as helpdesk staff, are authorized to read the passwords.

LAPS manages the local administrator account password on domain-joined computers so that each managed computer's password is unique, randomly generated, and stored centrally in the Active Directory infrastructure.

LAPS started life as “AdmPwd”. It was renamed Local Administrator Password Solution (LAPS) when Microsoft made it part of its product portfolio. LAPS is still free, and because it is a supported Microsoft product you can get technical support for it by opening a Microsoft ticket.

LAPS comes with a “fat” (GUI) client for sysadmins, and there is a PowerShell module to manage the solution as well, which is nice!

Prerequisites

Before installing LAPS, there are some prerequisites:

  • You must have an Active Directory domain (AD DS)
  • Domain controllers must run Windows Server 2003 SP1 or later (it works with the latest Windows Server 2016, of course)
  • The management tools require .NET Framework 4 and PowerShell 2.0 or later
  • Managed machines must run Windows Server 2003 SP2 or later

The solution relies on a confidential attribute to protect the stored password (only principals holding Control Access, i.e. “All extended rights”, on the computer object can read it) and does not depend on a domain or forest functional level.

How does it work?

One of the cool features is that LAPS can manage a local administrator account that is not named “Administrator”. The core of the LAPS solution is a Group Policy client-side extension (CSE) that you install on the managed computers; it performs all the management tasks. Each time the machine processes Group Policy (for example on GPUpdate), the CSE does the following:

  • Checks whether the password of the managed local administrator account has expired (the account can be the built-in one or whatever name you chose: “Nicolas”, “Admin”, “ADM”, …)
  • Generates a new password, if one is required, that meets the configured password policy
  • Stores the new password and its next expiration time in Active Directory. The password is protected in transit from the client to the domain controller by Kerberos v5 and AES (the LDAP write is Kerberos-encrypted)
  • And finally changes the local password

The order matters: the password is written to Active Directory before it is changed on the machine, so a failed write to AD does not leave a computer with a password nobody knows.

Let’s take a look at the installation.

Installation

First, you must download LAPS from the Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=46899

There are two parts to the installation: the management computers and the clients you want to manage. The same MSI is used for both; double-click on the MSI installer:

Local Administrator Password Solution Setup

Local Administrator Password Solution Setup - Microsoft Software License Terms

At this step, check or uncheck “AdmPwd GPO Extension” depending on whether you are installing LAPS on a managed computer (the CSE is all it needs) or on a management computer (where you also want the management tools: LAPS UI, the PowerShell module and the ADMX templates). Here, I am installing LAPS on a management computer:

Local Administrator Password Solution - Setup - Custom Setup

Modifying the Schema

One of the limitations of LAPS is that it needs an Active Directory schema update. Some organizations can perform this task easily, but for others a schema change is a heavyweight, forest-wide and irreversible operation that requires planning and approval.

The Active Directory schema is extended with two new attributes on the computer class, which store the password of the managed local administrator account for each computer and the timestamp at which that password expires:

  • ms-Mcs-AdmPwd – stores the password in clear text. It is a confidential attribute, so only principals with Control Access (“All extended rights”) on the computer object can read it; the secrecy of every local admin password in the domain therefore rests on the ACLs of the computer objects
  • ms-Mcs-AdmPwdExpirationTime – stores the time at which the password must be reset (a 64-bit FILETIME value)

To update the schema, first import the PowerShell module. This task must be performed by a member of the Schema Admins group, from a machine that can reach the schema master. Use the following commands:
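The commands below are an added example and are not the post's own; they use the AdmPwd.PS cmdlet that performs the schema extension and then verify the result with the ActiveDirectory module, so that a deployment script fails loudly if the attributes are missing or, worse, not marked confidential.

```powershell
# Added example (not the post's own commands). Run as a member of Schema Admins,
# on a management computer where the LAPS management tools are installed and
# that can reach the schema master. The change is forest-wide and cannot be
# undone, so try it in a test forest first.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the schema and links
# them to the "computer" class. Each operation is reported with a Status.
Update-AdmPwdADSchema

# Verify instead of trusting the output. Note that the DC you query may not
# have received the change yet; re-run after replication if the check fails.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties searchFlags
    if (-not $attr) { throw "Schema attribute $name is missing; Update-AdmPwdADSchema did not complete." }
    "{0}: present (searchFlags=0x{1:X})" -f $name, $attr.searchFlags
}

# ms-Mcs-AdmPwd must carry the confidential flag (searchFlags bit 0x80);
# without it every principal with generic Read on computer objects, which is
# normally Authenticated Users, could read all the passwords.
$pwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties searchFlags
if (($pwdAttr.searchFlags -band 0x80) -eq 0) {
    throw 'ms-Mcs-AdmPwd is NOT a confidential attribute; stop and investigate before deploying.'
}

# The computer class must be allowed to carry both attributes.
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties mayContain
$missing = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') | Where-Object { $computerClass.mayContain -notcontains $_ }
if ($missing) { throw "The computer class does not carry: $($missing -join ', ')" }
'Schema extension verified: both attributes present, ms-Mcs-AdmPwd is confidential.'
```

The confidential-flag check is the one worth keeping permanently in a deployment script: it is the single schema property on which the protection of every local administrator password depends.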

That’s all. The schema has been updated! Allow the change to replicate to every domain controller before you move on.

Delegation of permissions on computer accounts

By default, Domain Admins and Enterprise Admins can view the stored passwords, because they hold full control (including “All extended rights”) on computer objects. So can any other principal that has been given that right on the computer objects or on their OUs, which is worth auditing before you trust the solution. We also need to give the computers themselves the ability to update the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes in Active Directory. This is required so each machine can update the password and expiration timestamp of its own managed local administrator account (and nothing else: the permission is granted to SELF on just those two attributes).

You can do this using PowerShell:

You will need to run this command for each OU that will contain managed computers.
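The script below is an added example, not the post's own commands. It performs the whole delegation for a list of OUs with the AdmPwd.PS cmdlets: self-write for the computers, read and reset rights for a helpdesk group, auditing of password reads, and finally the audit of who can already read the passwords through “All extended rights”. The OU distinguished names and the group name are placeholders for your environment.

```powershell
# Added example (not the post's own commands). Assumes the AdmPwd.PS module is
# installed on the management computer and the caller can modify OU ACLs.
# OU names and the group name below are placeholders.
Import-Module AdmPwd.PS

$managedOUs = @(
    'OU=Workstations,DC=corp,DC=example',
    'OU=Servers,DC=corp,DC=example'
)
$readers = 'LAPS-Password-Readers'   # placeholder: the helpdesk group

foreach ($ou in $managedOUs) {
    # 1. Let each computer write its own password and expiration time.
    #    Grants SELF write on the two attributes only.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 2. Let the helpdesk read the password (Control Access on ms-Mcs-AdmPwd)
    #    and force a reset (write on ms-Mcs-AdmPwdExpirationTime).
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

    # 3. Audit every read of the password attribute (event 4662 in the
    #    Security log of the DC), so that who looked at which password is traceable.
    Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

    # 4. Who else can read the passwords already? Any principal holding
    #    "All extended rights" on the OU (or inheriting it from a parent) can
    #    read every confidential attribute, including ms-Mcs-AdmPwd, without
    #    any explicit LAPS delegation. Review this list; remove what you do not expect.
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN, @{ n = 'ExtendedRightHolders'; e = { $_.ExtendedRightHolders -join '; ' } } |
        Format-Table -AutoSize
}
```

Step 4 is the part most deployments skip: the cmdlet output is the real list of password readers, whereas the delegation you just made is only what you intended.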

Configuring the GPO

The settings are located under Computer Configuration\Administrative Templates\LAPS. If the organization uses a central policy store, an administrator must first copy the ADMX template (AdmPwd.admx, together with its AdmPwd.adml language file) from %WINDIR%\PolicyDefinitions on the management computer into the central store in SYSVOL; otherwise the LAPS node will not show up in the Group Policy editor.

Group Policy Management Editor - LAPS

You can configure the following settings by GPO:

  • Enable local admin password management: this setting must be enabled, otherwise the CSE is installed but does nothing!
  • Password settings: by default, LAPS generates a 14-character password made of large and small letters, numbers and special characters, and changes it every 30 days. You can change the values to suit your needs; do not go below the defaults.
  • Name of administrator account to manage: if you have a custom local administrator account (which is a best practice), specify its name here. Leave it unconfigured when you manage the built-in Administrator account: LAPS finds that account by its well-known SID (RID 500) even if it has been renamed, and a hard-coded name would break as soon as someone renames the account.
  • Do not allow password expiration time longer than required by policy: when enabled, the CSE resets a password whose expiration time has been pushed beyond the configured age, so that nobody can quietly disable rotation by editing the attribute.
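Once the GPO is linked, the quickest way to see what a managed computer will actually do is to read the policy values the CSE consumes. The script below is an added example, not from the post; it runs on a managed computer after a policy refresh, reads the registry key written by the AdmPwd.admx template, applies the LAPS defaults (14 characters, 30 days, full complexity) where a value is not configured, and warns about the configuration mistakes called out above.

```powershell
# Added example (not from the post). Run on a managed computer after
# "gpupdate /force". The key and value names are those written by the
# AdmPwd.admx template; the fallback defaults are the ones LAPS applies
# when "Password settings" is left Not Configured.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (-not (Test-Path $key)) {
    throw "No LAPS policy applied to this computer (key $key is absent); check the GPO link/scope and run gpupdate /force."
}
$p = Get-ItemProperty -Path $key

# A value that is absent means "not configured", so fall back to the default.
function Get-PolicyValue([string]$name, $default) {
    if ($p.PSObject.Properties[$name]) { $p.$name } else { $default }
}

$enabled    = [bool](Get-PolicyValue 'AdmPwdEnabled' 0)
$length     = Get-PolicyValue 'PasswordLength'     14
$ageDays    = Get-PolicyValue 'PasswordAgeDays'    30
$complexity = Get-PolicyValue 'PasswordComplexity' 4    # 4 = letters, digits and specials
$account    = Get-PolicyValue 'AdminAccountName'   $null
$expProtect = [bool](Get-PolicyValue 'PwdExpirationProtectionEnabled' 0)

# Mistakes worth catching before a large rollout.
if (-not $enabled) {
    Write-Warning 'AdmPwdEnabled is not set: the CSE is installed but will not manage any password.'
}
if ($account -eq 'Administrator') {
    Write-Warning 'Do not set the account name for the built-in account: LAPS locates it by well-known SID, and a literal name breaks if the account is renamed.'
}
if ($length -lt 14) { Write-Warning "Password length $length is below the 14-character default." }
if (-not $expProtect) {
    Write-Warning 'Expiration protection is off: anyone with write on ms-Mcs-AdmPwdExpirationTime can postpone rotation indefinitely.'
}

[pscustomobject]@{
    Enabled              = $enabled
    ManagedAccount       = if ($account) { $account } else { '(built-in administrator, by SID)' }
    PasswordLength       = $length
    PasswordAgeDays      = $ageDays
    Complexity           = $complexity
    ExpirationProtection = $expProtect
}
```

If the key exists but `AdmPwdEnabled` is missing, the GPO is applied but the policy itself was left Not Configured, which is by far the most common reason a fresh deployment “does nothing”.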

Installing the Client Side Extensions (CSE)

In a large environment, I advise you to use SCCM to install LAPS on all your machines. You can easily do this by deploying the MSI with SCCM. Open the SCCM console and navigate to:

  • Software Library
  • Application Management
  • Applications

Now, create a new MSI application:

Local Administrator Password Solution Properties - Deployment Types

Edit the deployment type and specify the command to install LAPS and then the command to uninstall it. The following command line does a silent install:

Local Administrator Password Solution - Windows Installer Properties - Programs
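The script below is an added example rather than the command line shown in the post's screenshot. It performs the silent install of the MSI that Microsoft ships (LAPS.x64.msi; use LAPS.x86.msi on 32-bit systems), checks that the CSE really got registered as a Group Policy extension, and then reads the MSI product code that the SCCM detection method and the uninstall command need, without calling Win32_Product. The file paths are placeholders.

```powershell
# Added example (not the post's command line). Assumes the LAPS MSI has been
# copied to $msi; paths are placeholders. By default the MSI installs only the
# CSE, which is exactly what a managed computer needs.
$msi = 'C:\Temp\LAPS.x64.msi'
$log = 'C:\Temp\LAPS-install.log'

# /i install, /qn fully silent, /norestart: the CSE does not need a reboot.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$msi`" /qn /norestart /l*v `"$log`"" `
    -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "LAPS install failed with msiexec exit code $($proc.ExitCode); see $log"
}

# Confirm the CSE is registered. Group Policy client-side extensions are listed
# under GPExtensions; the LAPS one is identified by its DLL rather than by GUID.
$cse = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DllName -like '*AdmPwd.dll' }
if (-not $cse) { throw 'AdmPwd.dll is not registered as a Group Policy client-side extension.' }

# Product code for the SCCM detection method and for the uninstall command.
# Read it from the Uninstall key: enumerating Win32_Product would trigger a
# consistency check (and possible repair) of every MSI on the machine.
$product = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -eq 'Local Administrator Password Solution' } |
    Select-Object -First 1
if (-not $product) { throw 'LAPS is not listed under Programs and Features.' }

$productCode = $product.PSChildName   # the {GUID} key name is the MSI product code
"Installed $($product.DisplayName) $($product.DisplayVersion), product code $productCode"
"Uninstall command for the deployment type: msiexec.exe /x $productCode /qn /norestart"
```

The product code changes with each LAPS release, so read it from a machine that has the exact MSI you are deploying rather than copying it from an older package.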

Now add the detection method based on the MSI product code:

Local Administrator Password Solution - Windows Installer Properties - Detection Method

Install LAPS whether a user is logged on or not

Local Administrator Password Solution - Windows Installer Properties - User Experience

Refresh the SCCM client policy on the machine and check the installation process:

Software Center - Installed Software - Local Administrator Password Solution

Now, LAPS will appear in the “Programs and Features” section:

Programs and Features - Local Administrator Password Solution

Managing Passwords

There are several ways to view the password of a computer: the fat client, Windows PowerShell, Active Directory Users and Computers, or SCCM (with an extension).

FAT client

The “fat” client, also called “LAPS UI”, is installed on your management station when you select the management tools during installation.

LAPS UI - Desktop app - Logo

The fat client is installed in the folder %ProgramFiles%\LAPS (the executable is AdmPwd.UI.exe):

LAPS UI AdmPwd file root

When you run the LAPS UI client, type the computer name and press “Search”. LAPS UI displays the password and its expiration time; the “Set” button lets you enter a new expiration time, which is how you force a new password at the computer's next Group Policy refresh.

 LAPS UI Client

PowerShell

The management tools also include a PowerShell module, AdmPwd.PS, which provides the same functionality as the fat client (and more, since it is also the tool for the schema update and the delegation). It is installed in C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS. Viewing a password is a single command, Get-AdmPwdPassword, and forcing a rotation is another, Reset-AdmPwdPassword.
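The session below is an added example, not the post's own command. It shows the two cmdlets a helpdesk workflow needs: retrieving the password for one computer, distinguishing “no password stored” from “not allowed to read it”, using the password as a credential rather than leaving it in the transcript, and forcing a rotation once it has been used. The computer name and the managed account name are placeholders.

```powershell
# Added example (not the post's own command). Assumes AdmPwd.PS is installed
# on the management station and the caller was granted read (and, for the
# reset, write on the expiration time) on the computer's OU.
# 'WS-0042' and 'Administrator' are placeholders.
Import-Module AdmPwd.PS

$computer = 'WS-0042'
$account  = 'Administrator'   # whatever account the GPO manages on that computer

# Returns ComputerName, DistinguishedName, Password and ExpirationTimestamp.
$entry = Get-AdmPwdPassword -ComputerName $computer

if (-not $entry.Password) {
    # An empty password means one of: the CSE has not run yet, the GPO is not
    # applied to this computer, or you lack read rights on ms-Mcs-AdmPwd.
    # AD simply omits a confidential attribute you may not read; no error is raised.
    throw "No LAPS password visible for $computer; check GPO application and your delegation."
}
"Password for $computer expires $($entry.ExpirationTimestamp)"

# Turn it into a credential instead of echoing it: the clear-text value
# otherwise ends up in the console transcript and PSReadLine history.
$secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential -ArgumentList "$computer\$account", $secure

# ... use $cred, for example:
# Invoke-Command -ComputerName $computer -Credential $cred -ScriptBlock { hostname }

# A password that has been used interactively should be rotated. This only
# sets ms-Mcs-AdmPwdExpirationTime to now; the CSE generates the new password
# on the computer's next Group Policy refresh (or after gpupdate /force on it).
Reset-AdmPwdPassword -ComputerName $computer

# Drop the clear-text copies from the session.
$entry = $null; $secure = $null; $cred = $null
```

Note that the reset is asynchronous: until the CSE runs on the target computer, the old password still works and is still what Get-AdmPwdPassword returns.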

Active Directory Users and Computers

First, open Active Directory Users and Computers and enable the “Advanced Features” view:

Active Directory MMC - Advanced Features mode

Now double-click the computer object and open the “Attribute Editor” tab. You will see ms-Mcs-AdmPwd (only if you have the right to read it; a confidential attribute is not displayed otherwise) and ms-Mcs-AdmPwdExpirationTime, shown as a large integer:

Active Directory MMC - Attribute Editor
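The Attribute Editor shows one computer at a time; to check an entire OU the same two attributes can be read with the ActiveDirectory module, which is what the added example below does (it is not from the post). It converts the large-integer expiration time into a date and classifies each computer, so that machines where LAPS has never run or has stopped rotating stand out. The OU name is a placeholder.

```powershell
# Added example (not from the post). Reads the two LAPS attributes directly
# with the ActiveDirectory module, exactly as the Attribute Editor shows them.
# ms-Mcs-AdmPwdExpirationTime is a 64-bit FILETIME (100-ns ticks since 1601),
# which is why the Attribute Editor displays it as a large integer.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$computers  = Get-ADComputer -SearchBase $searchBase -Filter * `
    -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate

$now    = Get-Date
$report = foreach ($c in $computers) {
    $raw     = $c.'ms-Mcs-AdmPwdExpirationTime'
    $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }

    # ms-Mcs-AdmPwd is only present in the result if the caller may read it;
    # AD silently omits a confidential attribute otherwise, so its absence with
    # a valid expiration time means "not readable", not "not set".
    $state = if (-not $raw) {
        'never managed (CSE not run or GPO not applied)'
    } elseif ($expires -lt $now) {
        'expired and not rotated (offline, or CSE failing)'
    } elseif (-not $c.'ms-Mcs-AdmPwd') {
        'managed; password not readable by this caller'
    } else {
        'ok'
    }

    [pscustomobject]@{
        Computer  = $c.Name
        Expires   = $expires
        LastLogon = $c.LastLogonDate
        State     = $state
    }
}

# Never output the password column itself; the state is all a health check needs.
$report | Sort-Object State, Expires | Format-Table -AutoSize
```

Comparing Expires with LastLogon separates the two causes of an expired entry: a computer that has not logged on since the expiration date is simply offline, while one that logs on daily yet never rotates has a broken CSE or a missing self-write permission on its OU.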

LAPS SCCM extension

With this extension for SCCM, you can access the LAPS password of any domain computer from within the SCCM console: a button is added to the ribbon and to the right-click menu when a computer object is selected. The extension only reads the attribute on your behalf, so the usual AD delegation still decides who gets to see the password.

Download the LAPS SCCM Extension from the TechNet Gallery: https://gallery.technet.microsoft.com/LAPS-Extension-for-SCCM-e8bd35b1 and run the executable:

LAPS SCCM Extension - License

Accept the license

LAPS SCCM Extension - Installing

Wait a few seconds…

LAPS SCCM Extension - Installing progress

Once the installation is completed, open the SCCM console, select a managed computer and check the new button in the ribbon:

SCCM console - LAPS Password - IIS1

Conclusion

LAPS is really a nice tool, simple to deploy and manage. It is not perfect (the password sits in clear text in Active Directory, and its protection is entirely a matter of ACLs on the computer objects, so delegation and auditing must be done carefully), but it is a “nice to have” that can really increase your Active Directory security.

Please note that computer accounts may be deleted by accident. In that case (especially when the AD Recycle Bin is not enabled) the password of the managed local administrator account is lost with the object, and there is no easy way for support staff to retrieve it.

Before deploying the Local Administrator Password Solution in production, I highly recommend deploying it in your test environment first.

Below are some useful links about LAPS or other similar solutions:

Thanks for reading!
