Saturday, September 12, 2015

Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS)
Microsoft has offered a software LAPS (Local Administrator password solution), it solves the problem of common password of local administrator account on the every computers in a domain. For example on all domain joined computer’s Administrator password will be unique and only domain Admins or specific groups are authorized to view that password. LAPS only works on Domain Joined computers. Below are the some advantages of using LAPS.

  • Periodically randomize local administrator passwords to ensure that password updates to Active Directory succeed before modifying local secrets and passwords.
  • Centrally store secrets in the existing Active Directory infrastructure.
  • Control access through Active Directory access control list (ACL) permissions.
  • Transmit encrypted passwords from computers to Active Directory via encryption using the Kerberos version 5 protocol and the Advanced Encryption Standard (AES) cypher by default.
So lets deep dive and deploy it. You can download LAPS from Microsoft web site http://www.microsoft.com/en-sg/download/details.aspx?id=46899.
There is 64 bit and 32 bit installable is available, I will be using 64 Bit only as all my Windows OS in my infrastructure is 64 bit only, and second don’t forget to download those word docx files, Specially the LAPS_OperationsGuide.docx has lot more instructions, In fact I did all my lab testing and written this article using Operations Guide only, Its very much written thoroughly on each component of LAPS.
LAPS Requires Schema to be updated of your Active Directory, That is the reason my first step will be verifying I am on Domain controller holding Scheama Master role. To verify and find which role holds by which domain controller open cmd prompt. Type

Netdom /query fsmo.

It shows as below the list, my Schema master is hosted on DC AD001.vCloud.lab and by running hostname command I can verify I logged on correct domain controller.

Once I verified, open the folder where LAPS is copied, that folder is also shared because later we want to install same software on domain joined client machines as well. Run LAPS msi file. Setup is very simple, click NEXT on first page.
Accept the licensing part. Click Next.

Next click on each component of LAPS and select will be installed on local Hard Drive.

Fast client UI
is GUI Software where we can see password in clear text.
Powershell modules are installed for management and commands for initial configuration or post configuration.
GPO editor Template, deployed in Group policy, we will see them later.

Click next. And Install software.

Once installation is completed finish it and open Group policy to deploy LAPS on Servers. This step I will not go into great details step by step, I have already written article for the same, how to install software using group policy. But still you can follow the below screen shot for your reference, as you can see all my computers are in Computers OU under vCloud.lab and I have created once Group Policy Object and linked to Same computers OU. LAPS is on UNC path \\ad001\softwares\LAPS folder. And in the last, and after restart of my computers you can verify software is installed in programs and features in control panel.

If you don’t want to use Group Policy and want to install software on selected computers you can use my any of technique Multiple ways to Install software remotely.

Open Powershell (Run as administrator) on the AD001 (running schema master role). Run command to import module,
Import-Module AdmPwd.PS

Next update the schema, make sure you have correct permissions to perform this task. (You are a part of Schema Administrator).
Update-AdmPwdADSchema
It will install required attributes in AD.

Next command will Grant computer accounts in Computers OU to be able to write/update their password in the active directory. With below command they will write to self update active directory.
Set-AdmPwdComputerSelfPermission –OrgUnit ‘Computers’


This command is not necessary but I can see who has permissions to view Local administrator’s password, by default System and Domain Admins have permissions to view those password. Here I will add another group account Server_Admins to view them password of servers.
Find-AdmPwdExtendedRights -Identity 'Computers'


Next command adds Server_admins group as delegated and they can view the password now.
Set-AdmPwdReadPasswordPermission –OrgUnit ‘Computers’ –AllowedPrincipals ‘vcloud.lab\Server_Admins’

This the checkpoint that we have done with AD level configuration and next step is configuration on Client side.
Here create another Group policy for the same Computers OU, you will see there are 2 Policies now first is to deploy software and another is LAPS_Policy for LAPS policy at client side. edit the new created policy, you will find under Computer configuration >> Policies >> Administrative Templates New policy template is available with the name LAPS. There are Main 2 settings we need to configure,
Enable Local admin password management - should be enable, it will activate the deploied LAPS on client servers.
Password Settings – Here you can select how should be the password complex.


Once Required changes are done Close the group policy editor and login to any of client machine and run gpupdate /force to apply changes immediately so we can view the results of LAPS.

Next on the same domain controller where we install LAPS go to installation folder c:\Program files\LAPS (if you are using 32 bit application you software will be installed on program files x86 folder). Run AdminPwdUI.exe as administrator. And search for the computer names, you will see each computer account has unique password for administrator.
Even if you don’t have AdminPwdUI tool instlled  you can view the password from dsa.msc Active Directory Users and Computers MMC. For this Advanced Feature must be checked in View Menu.

Right click and goto properties of computer account, Go to Attribute Editor tab and find the Attributes ms-Mcs-AdmPwd. If you are not a member of domain admins for server_admins group as I added earlier, you won’t be able to see this information.

Last and final step log in on Client001 with the above administrator account password. If it is successfull means deployment is good. I tried this step and i was good on this step.

No comments: