1. Configure Local Administrator Password Solution
Local Administrator accounts on workstations and servers are still a necessity in most enterprise environments today. These accounts are often needed for management purposes as an IT backdoor should the computer have network difficulties or issues contacting Active Directory. The problem with these accounts is that, most times, the passwords are set once at OS deployment time and they never change again. Even worse, the same password gets used over and over across hundreds or even thousands of computers. This opens up corporate networks to massive risk should an attacker get access to the local password database on one of these systems.
Managing administrator passwords with Group Policy Preferences
In the past, it was possible to use Group Policy Preferences to update local Administrator passwords for domain-joined computers. In the Group Policy Management Console (GPMC), right-click a Group Policy Object (GPO) and go to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right-click in the open area on the right and choose New > Local User.
On the New Local User Properties window, you can change the User Name field to Administrator (built-in), but you’ll quickly notice that the Password and Confirm Password fields are grayed out and can’t be used on any management station that is fully patched.
Password field grayed out in New Local User Properties
Introducing LAPS
The solution to this problem is the Microsoft Local Administrator Password Solution (LAPS for short) that was released on May 1, 2015. LAPS allows you to manage the local Administrator password (which is randomized, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorized users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
The LAPS UI app
LAPS requires the .NET Framework 4.0 and PowerShell 2.0 or higher. On server systems where LAPS will manage the local Administrator password, you must be running Windows Server 2003 SP1 or higher; on desktop systems, you must be running Windows Vista SP2 or higher. (Sorry, but there’s no support for Windows XP.) For all the desktop and server client systems, an MSI file that includes a Group Policy client side extension (CSE) must be installed for the local Administrator password to be managed.
Your Active Directory environment will need to be running at least Windows Server 2003 SP1 and will require a schema update to support LAPS to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. These attributes are used for storing the local Administrator password and the password’s expiration time.
The biggest limitation of LAPS is the need to update the Active Directory schema. For some organizations, this isn’t an issue. But for other organizations, getting a schema change tested and approved through a change control process can be difficult.
LAPS can manage only the built-in local Administrator account on domain-joined machines, or one custom local administrator account that you create yourself. (Note: it can still manage the built-in Administrator account if you've chosen to rename it.) If the machine isn't domain-joined, you won't be able to use LAPS, and LAPS can't manage other local accounts such as service accounts for SQL or scheduled tasks.
1.1. Set up Microsoft LAPS
To set up the Microsoft Local Administrator Password Solution (LAPS) in Active Directory, you’ll first need to download LAPS from the Microsoft Download Center. You’ll want to download both the LAPS.x86.msi (for 32-bit systems) and LAPS.x64.msi (for 64-bit systems).
On my domain controller, I’m going to run the 64-bit installer, LAPS.x64.msi. After clicking Next for the first two screens and accepting the license agreement, you’ll need to ensure that the Management Tools (but not the AdmPwd GPO Extension) are set to install on the server.
Local Administrator Password Solution custom setup options for server
After a few more Next clicks, the LAPS management tools are installed on the server. If you go to the Start screen, you should see the new LAPS UI, which I’ll cover a little later.
LAPS UI on Start screen
Next, we’ll need to open a PowerShell window with Admin rights. At the PowerShell prompt, load the LAPS module and then run the Update-AdmPwdADSchema cmdlet:
When you’re done running the commands, you should get three “Success” messages:
Extending the Active Directory Schema to support LAPS
Update user/group AD permissions
After updating the Active Directory schema, we need to check permissions in AD to ensure that only authorized users and groups can view the passwords that are stored there. By default, Domain Admins and Enterprise Admins will have access to view the stored passwords, along with any other groups or users you’ve delegated. First, open a PowerShell window and ensure that the AdmPwd.PS module is loaded. We can then use the Find-AdmPwdExtendedRights cmdlet to view which users and groups have access to view stored passwords:
Find-AdmPwdExtendedRights -Identity "_Demos"
Find-AdmPwdExtendedRights output example
As you can see in the screenshot above, I don’t have any users that shouldn’t have access in my AD environment. If you do have users that shouldn’t be able to view the stored password information that show up in “ExtendedRightHolders,” you’ll need to remove their access to “All extended rights.” In Active Directory Users and Computers (ADUC), click View and ensure that you have Advanced Features checked. Right-click the OU name and then click Properties, Security, and Advanced.
Editing advanced permissions in Active Directory Users and Computers
Next, select the group (or user) that should not have access to view the managed Administrator passwords and click Edit. Clear the All extended rights check box. Click OK twice to save the change.
Removing access to all extended rights
If you want to give additional groups access to view the passwords, you can use the Set-AdmPwdReadPasswordPermission cmdlet to give users or groups the ability to read the attributes:
Set-AdmPwdReadPasswordPermission -Identity "_Demos" -AllowedPrincipals "Help Desk"
Using Set-AdmPwdReadPasswordPermission to delegate additional groups
Update computer AD permission
Last, we’ll need to give the computers the ability to update the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes in Active Directory. Start by loading the module again (if you don’t already have it loaded) and running Set-AdmPwdComputerSelfPermission:
Set-AdmPwdComputerSelfPermission -Identity "_Demos"
Using Set-AdmPwdComputerSelfPermission to give computers write access to passwords
You'll need to run this for each OU that will contain managed computers, but not for its sub-OUs, because the new permission is inherited by them.
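The schema update and the permission steps described above, gathered into one script as an added example (this is not code from the original article or from the LAPS package); the OU distinguished name, the delegated group, the allow-list of expected right holders and the DOMAIN\Name format of the ExtendedRightHolders entries are assumptions:

```powershell
# Added example (not from the article or the LAPS package): prepare one OU for LAPS
# and audit which principals hold the extended rights that expose ms-Mcs-AdmPwd.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou       = "OU=_Demos,DC=contoso,DC=local"          # assumed OU
$readers  = @("Help Desk")                            # assumed group(s) to delegate read access to
$expected = @("NT AUTHORITY\SYSTEM",                  # assumed allow-list of right holders
              "CONTOSO\Domain Admins",
              "CONTOSO\Enterprise Admins",
              "CONTOSO\Help Desk")

# 1. Extend the schema once per forest (requires Schema Admins); skip if already done.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -LDAPFilter "(lDAPDisplayName=ms-Mcs-AdmPwd)" -SearchBase $schemaNc
if (-not $attr) { Update-AdmPwdADSchema }

# 2. Allow computers in the OU (and its sub-OUs, by inheritance) to write their own
#    ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
Set-AdmPwdComputerSelfPermission -Identity $ou

# 3. Delegate read access to the stored passwords.
Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $readers

# 4. Audit: anyone listed under ExtendedRightHolders can read every managed password
#    beneath that OU, so flag any holder that is not on the allow-list.
$findings = foreach ($entry in Find-AdmPwdExtendedRights -Identity $ou) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($expected -notcontains $holder) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; UnexpectedHolder = $holder }
        }
    }
}
if ($findings) {
    "Remove 'All extended rights' from these principals in ADUC:"
    $findings | Format-Table -AutoSize
} else {
    "No unexpected extended-right holders under $ou"
}
```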
At this point, our Active Directory infrastructure is configured to support the new Active Directory attributes and permissions for those attributes. In the last part of this series, I’ll cover setting up the clients and configuring the Group Policy for LAPS.
The last step in setting up the Microsoft Local Administrator Password Solution (LAPS) after updating the Active Directory (AD) schema and permissions is to install the client application and configure Group Policy.
Configuring Group Policy
In Part 2 of this series, How to set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory, we installed the Management Tools. If you’re using a management station, you’ll want to run one of the LAPS installers (either x86 or x64) and make sure that the GPO Editor templates are selected as part of the install.
Local Administrator Password Solution custom setup options for server
Next, open the Group Policy Management Console (GPMC) and either edit an existing Group Policy Object (GPO) for your computers or create a new one, and then right-click to edit it. In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS.
LAPS policies in the Group Policy Management Console
First, you’ll want to enable password management with LAPS by setting the “Enable local admin password management” policy to Enabled.
Enable local admin password management
Next, you’ll want to enable the password settings and configure your password options. With this setting, you can configure the complexity (capital letters, lowercase letters, numbers, and special characters), length, and maximum password age.
Password settings for LAPS
LAPS can detect the local Administrator account using its well-known SID even if you’ve renamed the Administrator account on any of your systems. If you’ve created a secondary local Administrator account and you want LAPS to manage its password, you can set the username of that account using the “Name of administrator account to manage” policy.
Name of Administrator account to manage policy
Installing the client
The Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy bits without any additional options. So, you can use your deployment tool of choice and run:
# For 64-bit/x64 systems
msiexec /q /i \\server\path\LAPS.x64.msi
# For 32-bit/x86 systems
msiexec /q /i \\server\path\LAPS.x86.msi
Just remember, LAPS only supports Windows Vista and later on client systems and Windows Server 2003 SP1 and later on server systems. Support for Windows XP is not included if you still have that floating around in your environment.
If you need assistance deploying the agent out to computers, Joseph has written a great guide on installing applications with Group Policy or System Center Configuration Manager (SCCM). My personal preference is to use Configuration Manager because it gives me access to reporting and lets me know if any clients have errors when trying to install the software.
Viewing passwords with the GUI
There are two ways to view the password for a computer that has a LAPS-managed Administrator password. The first method is to use Active Directory Users and Computers (ADUC). In ADUC, click View and then confirm that Advanced Features has a check by it. If it doesn't, clicking it will enable the Advanced Features.
Enable Advanced Features in Active Directory Users and Computers
Next, find the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object. Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password.
ms-Mcs-AdmPwd attribute on the Attribute Editor tab of computer properties
If you installed the full suite of Admin tools for LAPS, the “Fat client UI” will be installed on your management station. The actual installed application is called LAPS UI and can be found on the Start screen.
LAPS UI on the Start screen
When you run the LAPS UI application, you’ll need to enter the full name of the computer. Unfortunately, the LAPS application doesn’t currently allow you to search for computers in Active Directory; so, you’ll need to know the full name of the computer. After you enter the computer name, clicking the Search button will display the current Administrator password as well as the date and time that the password will expire. The LAPS UI application also allows you to set a new expiration time or force an immediate expiration. If the password or expiration fields are blank, the account you’re using most likely doesn’t have sufficient permissions to read the attribute in AD.
LAPS UI application showing a computer’s local Administrator password
Viewing passwords with PowerShell
The Management Tools also include a PowerShell module that you can use for viewing passwords and forcing expiration. First, you'll need to load the AdmPwd.PS module and then use the Get-AdmPwdPassword cmdlet:
Get-AdmPwdPassword -ComputerName WIN81-X64
Viewing an Administrator password with Get-AdmPwdPassword
If you need to force the password to change, you can use the Reset-AdmPwdPassword cmdlet to force an immediate change to the password:
Reset-AdmPwdPassword -ComputerName WIN81-X64
Adding -WhenEffective allows you to control the date and time that the password will update on the computer:
Reset-AdmPwdPassword -ComputerName WIN81-X64 -WhenEffective "6.14.2015 18:00"
Force a reset of a local Administrator password with Reset-AdmPwdPassword
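An added example (not from the original article) that uses Get-AdmPwdPassword and Reset-AdmPwdPassword the way a defender would: it audits an OU for computers that have no stored password or whose expiration time has already passed, without displaying any password, and wraps the reset you would run after a password has been handed out; the OU name and the two function names are assumptions:

```powershell
# Added example (not from the article): audit LAPS coverage of an OU without
# displaying any password, and expire a password after it has been used.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = "OU=_Demos,DC=contoso,DC=local"   # assumed OU containing the managed computers

function Get-LapsCoverageReport {       # assumed helper name
    param([Parameter(Mandatory)][string]$SearchBase)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $info = Get-AdmPwdPassword -ComputerName $c.Name
        $status =
            if ([string]::IsNullOrEmpty($info.Password)) {
                # Nothing stored: CSE not installed, GPO not applied, or no self-permission on the OU
                "MISSING"
            } elseif ($info.ExpirationTimestamp -lt (Get-Date)) {
                # Client has not rotated the password on schedule (not checking in or CSE failing)
                "EXPIRED since $($info.ExpirationTimestamp)"
            } else {
                "OK, next rotation $($info.ExpirationTimestamp)"
            }
        # The password itself is deliberately not part of the report.
        [pscustomobject]@{ Computer = $c.Name; Status = $status }
    }
}

# Expire a password immediately after a help-desk engineer has used it; the client
# sets a new random password at its next Group Policy refresh.
function Reset-LapsPasswordAfterUse {   # assumed helper name
    param([Parameter(Mandatory)][string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
}

Get-LapsCoverageReport -SearchBase $ou | Sort-Object Status | Format-Table -AutoSize
```

Computers reported as MISSING or EXPIRED are the ones still sharing whatever password was set at deployment time, so they are the first to chase after rolling out the client.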