Local Administrator Password Solution (LAPS)
Microsoft offers LAPS (Local Administrator Password Solution), which solves the problem of a common local administrator password on every computer in a domain. With LAPS, the Administrator password on every domain-joined computer is unique, and only Domain Admins or specifically delegated groups are authorized to view it. LAPS only works on domain-joined computers. Below are some of the advantages of using LAPS.
- Periodically randomize local administrator passwords to ensure that password updates to Active Directory succeed before modifying local secrets and passwords.
- Centrally store secrets in the existing Active Directory infrastructure.
- Control access through Active Directory access control list (ACL) permissions.
- Transmit encrypted passwords from computers to Active Directory via encryption using the Kerberos version 5 protocol and the Advanced Encryption Standard (AES) cipher by default.
So let's dive in and deploy it. You can download LAPS from the Microsoft web site: http://www.microsoft.com/en-sg/download/details.aspx?id=46899.
Both 64-bit and 32-bit installers are available. I will be using the 64-bit one only, as every Windows OS in my infrastructure is 64-bit. Also, don't forget to download the accompanying Word docx files; the LAPS_OperationsGuide.docx in particular has a lot more instructions. In fact, I did all my lab testing and wrote this article using the Operations Guide only, as it is written very thoroughly on each component of LAPS.
LAPS requires the schema of your Active Directory to be updated, so my first step is to verify that I am on the domain controller holding the Schema Master role. To find out which domain controller holds which role, open a command prompt and type:
Netdom /query fsmo
It shows the list below; my Schema Master is hosted on DC AD001.vCloud.lab, and by running the hostname command I can verify that I am logged on to the correct domain controller.
Once that is verified, open the folder where the LAPS installer was copied. That folder is also shared, because later we want to install the same software on the domain-joined client machines as well. Run the LAPS msi file. Setup is very simple: click Next on the first page.
Accept the license agreement and click Next.
Next, click on each component of LAPS and select "Will be installed on local hard drive":
- Fat client UI is the GUI where we can see the password in clear text.
- PowerShell module is installed for management and provides the commands for the initial configuration or post-configuration tasks.
- GPO Editor templates are deployed in Group Policy; we will see them later.
Click Next and install the software.
Once the installation is completed, finish it and open Group Policy to deploy LAPS on the servers. I will not go into this step in great detail, as I have already written an article on how to install software using Group Policy. But you can still follow the screenshot below for reference: all my computers are in the Computers OU under vCloud.lab, and I have created one Group Policy Object and linked it to the same Computers OU. LAPS is on the UNC path \\ad001\softwares\LAPS. Finally, after a restart of the computers, you can verify that the software is installed in Programs and Features in Control Panel.
Open PowerShell (Run as administrator) on AD001 (the DC running the Schema Master role). Run the following command to import the module:
Import-Module AdmPwd.PS
Next, update the schema. Make sure you have the correct permissions to perform this task (you must be a member of the Schema Admins group).
Update-AdmPwdADSchema
It will add the required attributes to AD.
The next command grants the computer accounts in the Computers OU the right to write/update their own password in Active Directory. With the command below they can write to their own (SELF) object in Active Directory.
Set-AdmPwdComputerSelfPermission -OrgUnit 'Computers'
This command is not strictly necessary, but with it I can see who has permission to view the local administrator's password. By default, SYSTEM and Domain Admins have permission to view those passwords. Here I will add another group account, Server_Admins, so that it can view the passwords of the servers.
Find-AdmPwdExtendedRights -Identity 'Computers'
The next command adds the Server_Admins group as a delegated principal, so its members can view the password now.
Set-AdmPwdReadPasswordPermission -OrgUnit 'Computers' -AllowedPrincipals 'vcloud.lab\Server_Admins'
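The two permission checks above can be scripted so that every OU in scope is audited and any password reader outside the expected set is flagged. This is an added example, not code from the article or from Microsoft; it assumes the AdmPwd.PS and ActiveDirectory modules are installed on the DC, that the Computers OU lives at OU=Computers,DC=vCloud,DC=lab, and that Find-AdmPwdExtendedRights reports holders as DOMAIN\Name strings.

```powershell
# Added example (not from the original article): audit who can read LAPS passwords
# on every OU under a search base and flag holders that are not on the approved list.
# Assumptions: AdmPwd.PS and ActiveDirectory modules present; OU DN and group names
# follow the article's lab (vcloud.lab, Computers OU, Server_Admins).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Principals expected to hold "All Extended Rights" (the right that allows reading ms-Mcs-AdmPwd).
$Approved = @('NT AUTHORITY\SYSTEM', 'VCLOUD\Domain Admins', 'VCLOUD\Server_Admins')

function Get-LapsReaderReport {
    param([string]$SearchBase = 'OU=Computers,DC=vCloud,DC=lab')   # assumed OU path

    # The search base itself plus every OU beneath it.
    $ous = @(Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter * |
             Select-Object -ExpandProperty DistinguishedName)

    foreach ($ou in $ous) {
        # Find-AdmPwdExtendedRights lists every principal with extended rights on the OU;
        # LAPS implements the password read permission as exactly that right.
        $rights = Find-AdmPwdExtendedRights -Identity $ou
        foreach ($holder in $rights.ExtendedRightHolders) {
            [pscustomobject]@{
                OU        = $ou
                Principal = $holder
                Approved  = ($Approved -contains $holder)   # -contains is case-insensitive
            }
        }
    }
}

# Unapproved holders sort first so they stand out; investigate each one before removing it.
Get-LapsReaderReport | Sort-Object Approved, OU | Format-Table -AutoSize
```

Run this again after every delegation change, since any principal with "All Extended Rights" on the OU can read every managed computer's password.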
This is the checkpoint where we are done with the AD-level configuration; the next step is the configuration on the client side.
Here, create another Group Policy Object for the same Computers OU. You will see there are two policies now: the first deploys the software and the second, LAPS_Policy, holds the LAPS settings for the client side. Edit the newly created policy; under Computer Configuration >> Policies >> Administrative Templates a new policy template is available with the name LAPS. There are two main settings we need to configure:
- Enable local admin password management - should be Enabled; it activates the deployed LAPS client on the servers.
- Password Settings - here you can select how complex the password should be.
Once the required changes are done, close the Group Policy editor, log in to any client machine and run gpupdate /force to apply the changes immediately, so we can view the results of LAPS.
Next, on the same domain controller where we installed LAPS, go to the installation folder C:\Program Files\LAPS (if you are using the 32-bit installer, the software will be installed under the Program Files (x86) folder). Run AdmPwd.UI.exe as administrator and search for the computer names; you will see that each computer account has a unique password for Administrator.
Even if you don't have the AdmPwd.UI tool installed, you can view the password from dsa.msc (the Active Directory Users and Computers MMC). For this, Advanced Features must be checked in the View menu.
Right-click the computer account and go to Properties, open the Attribute Editor tab and find the attribute ms-Mcs-AdmPwd. If you are not a member of Domain Admins or of the Server_Admins group that I added earlier, you won't be able to see this information.
The last and final step is to log in on Client001 with the administrator account password shown above. If it is successful, the deployment is good. I tried this step and it was fine.
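Beyond checking one machine in Attribute Editor, the rollout across the whole OU can be verified without reading a single password: the companion attribute ms-Mcs-AdmPwdExpirationTime is present only once the LAPS client has written a password, and it tells you when that password is due to rotate. This is an added example, not from the article; it assumes the ActiveDirectory module is installed and the same OU path as used above.

```powershell
# Added example (not from the original article): LAPS deployment health check.
# Reports, for every computer under the OU, whether the LAPS client has stored a
# password yet and when it expires, using only ms-Mcs-AdmPwdExpirationTime.
# Assumptions: ActiveDirectory module present; OU DN matches the article's Computers OU.
Import-Module ActiveDirectory

function Get-LapsHealth {
    param([string]$SearchBase = 'OU=Computers,DC=vCloud,DC=lab')   # assumed OU path

    $now = Get-Date
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if ($null -eq $raw) {
                # No value: the LAPS GPO/CSE has not run on this computer yet (or the
                # client is not installed), so the local Administrator password is not managed.
                $state   = 'NotManaged'
                $expires = $null
            } else {
                # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01, UTC).
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
                # A past expiration means the client will rotate the password at its next
                # Group Policy refresh; a long-expired entry suggests the client stopped checking in.
                $state = if ($expires -lt $now) { 'Expired' } else { 'OK' }
            }
            [pscustomobject]@{ Computer = $_.Name; State = $state; Expires = $expires }
        }
}

# NotManaged and Expired rows are the ones to investigate.
Get-LapsHealth | Sort-Object State, Computer | Format-Table -AutoSize
```

Reading the expiration attribute does not require the delegated password-read permission, so this check can be run by operators who are deliberately not allowed to see ms-Mcs-AdmPwd.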