The Microsoft Local Administrator Password Solution (LAPS) lets organizations give every domain-joined desktop, laptop, tablet, and server its own random local Administrator password, rotate it on a schedule, and store it in Active Directory where only authorized staff can read it. In this article, I’ll cover several of the most frequently asked questions I’ve received about LAPS.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)

No, LAPS does not require an agent. For LAPS to function on workstations and servers, a Group Policy Client Side Extension (CSE) has to be installed on every managed computer (the AdmPwd.dll that ships in the LAPS installer). The CSE is not an agent. An agent is typically a service that starts at boot and keeps running in the background to send telemetry or other data back to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus console. The LAPS CSE is a DLL that the Group Policy engine loads only during a Group Policy refresh: it reads the expiration time stored in AD, rotates the password if that time has passed, and then does nothing until the next refresh.

Local Administrator Password Solution Setup - Manual install of Group Policy CSE

Can I use LAPS without installing the Active Directory schema changes?

No, you cannot use LAPS without installing the AD schema changes. The schema extension (run with Update-AdmPwdADSchema from the AdmPwd.PS module, which requires Schema Admins membership) adds two attributes to the computer class: ms-Mcs-AdmPwd, which holds the current password, and ms-Mcs-AdmPwdExpirationTime, which holds the time the CSE should next rotate it. The CSE reads and writes both, so nothing works without them. The change is additive and forest-wide, and like any schema change it can later be deactivated but not deleted, which is worth stating plainly when you get push-back about "schema changes".

Does LAPS require an additional infrastructure such as additional application servers or SQL?

No. LAPS needs only the two new attributes in your AD schema plus the Group Policy CSE on every managed computer. The passwords live on the computer objects in AD, so there is no application server, SQL database, or other back end to deploy or patch.

Is storing the Administrator password in AD in plain text secure?

The password is stored in clear text, but access to it is tightly controlled. The ms-Mcs-AdmPwd attribute is marked confidential in the schema, so reading it requires the Control Access extended right on the computer object rather than the ordinary Read permission that Authenticated Users have on most attributes. Only principals you grant that right (Domain Admins by default, plus whatever you delegate with Set-AdmPwdReadPasswordPermission) can read it. Two caveats: because the value is clear text in the directory, a copy of NTDS.dit (a DC backup, a VM snapshot, a stolen disk) contains every LAPS password in your domain, so protect those artifacts like the DCs themselves; and make sure management tools read the attribute over signed or TLS-protected LDAP so it is not exposed in transit. Keeping the same local Administrator password across large groups of systems is a much bigger risk: one compromised host then yields a credential, or an NTLM hash, that works everywhere.

If the passwords are stored in AD, can’t anyone with AD access view them?

No. Only principals that hold the Control Access extended right on the computer object can read the stored passwords. Run Find-AdmPwdExtendedRights against an OU to list exactly which users and groups have that right, and use Set-AdmPwdReadPasswordPermission to delegate it to additional groups and/or users. Two things to watch: the report also includes any principal that has been granted "All extended rights" on the OU (a common side effect of delegating Full Control to help-desk or OU admin groups), which is enough to read the password, so review and trim those entries; and each computer account needs write access to its own two attributes (granted with Set-AdmPwdComputerSelfPermission), or the CSE cannot store the password it generates.

Find-AdmPwdExtendedRights output example
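The following is an added example (not code from the article or from the LAPS package) showing how the delegation review described above can be scripted: it walks every OU, lists who holds the password read right, flags anyone not on an allow-list, and then shows the two grants a new OU needs. It assumes the AdmPwd.PS and ActiveDirectory PowerShell modules are installed on the management host; the group names and OU path are placeholders.

```powershell
# Added example, not from the article. Assumes the AdmPwd.PS and ActiveDirectory
# modules are installed and that the group names below exist (placeholders).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Principals that are supposed to be able to read ms-Mcs-AdmPwd. SYSTEM always
# appears because the computer writes its own attribute through the DC.
$AllowedReaders = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\LAPS-Password-Readers'      # assumed help-desk group
)

# Find-AdmPwdExtendedRights returns one record per OU (ObjectDN) with an
# ExtendedRightHolders list. That list includes principals holding "All
# extended rights" on the OU, not only ones given the LAPS read right explicitly.
$unexpected = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    foreach ($entry in (Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName)) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            if ($AllowedReaders -notcontains $holder) {
                [pscustomobject]@{ OU = $entry.ObjectDN; Principal = $holder }
            }
        }
    }
}
# Child OUs are reported under each parent, so de-duplicate before printing.
$unexpected = $unexpected | Sort-Object OU, Principal -Unique

if ($unexpected) {
    "Principals with LAPS read access that are not on the allow list:"
    $unexpected | Format-Table -AutoSize
} else {
    "No unexpected LAPS readers found."
}

# Delegation is per OU. Give the computers in the OU write access to their own
# two attributes (without it the CSE cannot store a new password), then grant
# the help-desk group the read right.
$WorkstationOU = 'OU=Workstations,DC=contoso,DC=com'   # placeholder
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU
Set-AdmPwdReadPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals 'CONTOSO\LAPS-Password-Readers'
```

Run the audit part from a scheduled task and diff the output against the previous run; a new name in the list usually means someone delegated Full Control on an OU without thinking about LAPS. The LAPS module has no "remove" counterpart to Set-AdmPwdReadPasswordPermission, so an unwanted holder has to be removed by editing the OU's ACL directly (ADSI Edit or dsacls), and an entry that got there through "All extended rights" has to be fixed by trimming that delegation, not by touching the LAPS right.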

Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?

Access to the ms-Mcs-AdmPwd attribute is an ordinary LDAP read, authorized by the AD identity of whoever asks; the directory has no way to demand a second factor for one attribute. To put 2FA in front of LAPS passwords you have to enforce it at logon for every account that holds the read right (for example, smart-card-required accounts used only from a privileged access workstation or jump host), or build a custom front end that holds the read right itself and authenticates its users with 2FA. There is no built-in way to require 2FA for just that attribute.

What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?

Yes. If an account that can read the ms-Mcs-AdmPwd attribute is compromised, it can be used to pull every local Administrator password within that account's scope: the whole domain if the right was granted at the domain root, or just the computers in the OUs it was delegated on. That is a good reason to delegate at OU level rather than at the root, and to treat accounts holding the right as privileged accounts with the same protections you give Domain Admins. Typically, such an account would already have had enough rights to reset the password remotely on any of those computers or to wreak other havoc with its delegated privileged access.

The upside of having LAPS in place is that the response is straightforward: use Reset-AdmPwdPassword (or the LAPS UI) to set the expiration time of every potentially exposed computer to now, and the CSE on each one rotates the password at its next Group Policy refresh. You can then confirm in AD which computers have checked in by looking at their new expiration time, and chase the ones that have not.
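Here is an added example (not part of the original article) of that response: force rotation for every computer in a scope, then report which ones have not rotated after the refresh interval. It assumes the AdmPwd.PS and ActiveDirectory modules are on the management host and that the running account may write the expiration time on the computers in the placeholder OU; it deliberately reads the expiration attribute instead of calling Get-AdmPwdPassword, so the check does not pull every password into a console transcript.

```powershell
# Added example, not from the article. Assumes AdmPwd.PS and ActiveDirectory
# modules are installed; the OU path is a placeholder for the compromised scope.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Scope      = 'OU=Workstations,DC=contoso,DC=com'   # assumption
$ExpiryAttr = 'ms-Mcs-AdmPwdExpirationTime'

# 1. Force rotation. Setting the expiration to "now" changes nothing on the client
#    itself; the CSE compares this value with the clock at its next Group Policy
#    refresh and rotates when it has passed.
$ResetTime = Get-Date
$computers = Get-ADComputer -Filter * -SearchBase $Scope
foreach ($c in $computers) {
    Reset-AdmPwdPassword -ComputerName $c.Name -WhenEffective $ResetTime
}
"Reset requested for $($computers.Count) computers at $ResetTime"

# 2. Verify once the refresh interval has elapsed. A computer that rotated writes a
#    new expiration of now + PasswordAgeDays, so anything still at or before the
#    reset time has not checked in. The attribute is a FILETIME (Int64).
$report = Get-ADComputer -Filter * -SearchBase $Scope -Properties $ExpiryAttr |
    ForEach-Object {
        $raw     = $_.$ExpiryAttr
        $expires = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer = $_.Name
            Expires  = $expires
            # One hour of slack covers clock skew between DCs and clients.
            Rotated  = ($null -ne $expires -and $expires -gt $ResetTime.AddHours(1))
        }
    }

"Computers that have NOT rotated yet:"
$report | Where-Object { -not $_.Rotated } | Sort-Object Computer | Format-Table -AutoSize
```

Machines that stay on the "not rotated" list after a day are the ones to worry about: they are either offline, unable to reach a DC, or missing the CSE, and in all three cases the old (possibly exposed) password is still valid on them until you get them talking to the domain again.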

Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?

No. Each LAPS policy manages exactly one account per computer. Leave the "Name of administrator account to manage" setting empty and LAPS manages the built-in Administrator account, which it locates by its well-known RID (500), so renaming that account makes no difference; set a name and LAPS manages that custom local account instead. It cannot manage both, and applying two LAPS policies to the same computer does not help, because the CSE honours only one setting.

What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)

No, you will not end up with an unknown password. The password stored in AD is always the computer's current password, even if the expiration time has passed. The CSE runs as Local SYSTEM and, on each Group Policy refresh, first reads ms-Mcs-AdmPwdExpirationTime from AD. If the computer cannot authenticate to the domain (broken secure channel, no network path to a DC), that read fails and the CSE stops without touching the local account. When it does rotate, it reports the new password to AD before changing it locally, so a failed AD write also leaves the local password as it was. Once you repair the trust (for example with Reset-ComputerMachinePassword, or by re-joining), rotation resumes at the next refresh. The one case where the password really is lost is deleting the computer object from AD, because the attribute goes with it; with the AD Recycle Bin enabled you can restore the object and the password along with it.

Can LAPS manage the local Administrator passwords on non–domain-joined machines?

No. LAPS is implemented as a Group Policy extension that reads and writes attributes on the computer's own AD object, so a computer must be domain-joined (and able to reach a domain controller) to be managed.

Can LAPS change the stored password for a service if it is using the local Administrator account?

No. LAPS changes only the account's password. It has no knowledge of services, scheduled tasks, IIS application pools, or mapped drives that authenticate with that account, and all of them will start failing after the first rotation. Before enabling LAPS on a server, inventory anything that logs on as the local Administrator and move it to a dedicated service account (ideally a group managed service account) or to a separate local account that LAPS does not manage.

Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?

Microsoft LAPS is deliberately narrow: it randomizes the password of the local Administrator (or one custom local administrator account) on domain-joined systems, stores it in AD, and needs no infrastructure beyond the schema change and the CSE. Its purpose is to stop one compromised workstation from becoming all of them, which is what happens when a shared local Administrator password (or its NTLM hash, via Pass-the-Hash) is reused across a fleet. If you need service account rotation, password check-out workflows, session recording, or similar features, that is the territory of privileged access management products, which cost money and require their own infrastructure.

What if my question isn’t listed here?
Feel free to ask your question in the comments section below!

121 Comments
  1. Tres 2 years ago

    All of our computers have the local Administrator account and a local administrator account named IT. Can LAPS do both the Administrator account and the IT account, or do I need to go through the process of deleting one?

    0

  2. Kris 2 years ago

    Is there auditing / logging available with LAPS? Is there a local log on the client, or an event ID I can use to audit password changes, etc?

    0

    • Author
      Kyle Beckman 2 years ago

      LAPS logs to the Application Event Log with the Source AdmPwd. By default, LAPS only logs errors, but you can modify that in the Registry in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel . 0 (the default) is errors only, 1 logs errors and warnings, and 2 is verbose logging.

      0
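As an added example (not from the article or the comment above), the following script does the client-side check Kyle describes: it confirms the CSE is registered, turns on verbose logging through the ExtensionDebugLevel value, triggers a computer policy refresh, and reads back the AdmPwd events. It assumes it is run elevated on a client that already has the LAPS CSE installed.

```powershell
# Added example, not from the article. Run elevated on a managed client that
# already has the LAPS CSE installed.
$CseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

# The key is created by the CSE installer; its DllName value is the DLL the Group
# Policy engine loads. If the key is missing, the client has no CSE and will never
# rotate anything, whatever the GPO says.
if (-not (Test-Path $CseKey)) { throw "LAPS CSE is not registered on this computer." }
Get-ItemProperty -Path $CseKey | Select-Object DllName

# ExtensionDebugLevel: 0 = errors only (default), 1 = errors and warnings, 2 = verbose.
Set-ItemProperty -Path $CseKey -Name ExtensionDebugLevel -Value 2 -Type DWord

# Run the computer policy refresh now instead of waiting for the next interval,
# then read back what the CSE logged (Application log, source AdmPwd).
gpupdate.exe /target:computer /force | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

# Put the level back when you are done; verbose logging is for troubleshooting.
Set-ItemProperty -Path $CseKey -Name ExtensionDebugLevel -Value 0 -Type DWord
```

If the refresh produces no AdmPwd events at all, the policy is not reaching the machine (check gpresult /scope:computer /r for the LAPS GPO); if it logs an error about reading or writing the computer object, the problem is the computer account's self-permission on the OU or its connectivity to a DC, not the client.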

  3. Kris 2 years ago

    Kyle, thanks for answering the question about logging / auditing. What about any logging available on domain controllers when the AD attribute is changed? We would like a central way to show when passwords were changed for Security audits.

    Thanks!

    0

    • Author
      Kyle Beckman 2 years ago

      I'm not seeing anything in the documentation about that. You'd need to enable some additional auditing in AD to do that.

      0

    • Kulm 9 months ago

      The LAPS documentation mentions that the way to audit is to enable auditing on the DCs and parse for event 4662 with the specific LAPS schema GUID for the attribute ms-Mcs-AdmPwd; the GUID is placed into the Parameters value of the event log. This approach doesn't work: SCOM monitoring in our environment (several thousand users) revealed that the schema GUID was populated on 4662 events not related to machine passwords and LAPS.

      Sometimes I want to get a big stick and hit the MS developers over the head; surely they could have easily coded a different event ID to allow machine password access to be audited?

      0

  4. The Guy 2 years ago

    I presented this solution to my co-workers but their main concern was the schema changes to AD. For no reason at all they were not interested due to the schema changes. Any argument against this stance?

    0

    • Author
      Kyle Beckman 2 years ago

      Your alternative is to be vulnerable to pass-the-hash attacks because you're not randomizing local Administrator accounts. It's kind of hard for me to argue against a stance that doesn't have a justification.

      0

  5. Chi 2 years ago

    1) how quickly after expiration does a new password get generated and sent to AD?
    2) Prior to Microsoft making changes to GPO managed local admin passwords, we had a GPO in place. What is the easiest way to remove those GPO settings from all the workstations?

    0

    • Author
      Kyle Beckman 2 years ago

      LAPS updates when the Group Policy CSE runs during a Group Policy refresh. You can run it manually, kick it off from a management station if you have network access, kick it off from a script from a tool like SCCM, or just wait for the refresh to happen.
      Just remove the GPO (or the setting in the GPO) and you should be good to go.

      0

  6. Joe 2 years ago

    We just configured LAPS and it seemed to work fine, but when Group Policy updates, the LAPS password no longer works; we have the retention set for 42 days. If we reset it and then run gpupdate, it will work until Group Policy runs again. I moved a single server into a test OU with no other GPOs being applied and it still does not work properly. Any ideas of what we may have missed here? Thanks, Joe.

    1+

    • Author
      Kyle Beckman 2 years ago

      There are three possibilities I can think of: a Group Policy processing issue, another policy applying that is changing the password, or someone is changing it manually. First, make sure that you don't have an old Group Policy Preference or script that is changing the password. I would check the local Event Logs to see when the password is being changed too; you may have an employee that is changing it. Second, the time that you set isn't an expiration in the sense that the password will expire. That time tells the LAPS CSE that it needs to change the password on the local system. The process that the CSE uses shouldn't change the password on the local system if it can't update it in AD. Also, if you're moving a test system to another OU and it still isn't working, did you make sure that the LAPS policy was still applying? LAPS doesn't work without the Group Policy configuration in place.

      0

  7. Old Surehand 2 years ago

    Unfortunately, LAPS does not deliver one critical piece of functionality. Consider this. After LAPS is deployed, passwords and expiration dates are published in AD. A user with local admin rights resets the local administrator's password manually. This is not detected by LAPS on the next group policy refresh interval. Because of that, LAPS does not return the local administrator's password to the value published in AD. This leaves an incorrect password value in AD which authorized admins cannot use. They can reset the password from the dsa.msc console, but only if the computer is still joined to the domain. If not, tough luck, and they must turn to other tools. Because of that, LAPS is useless.

    0

    • Author
      Kyle Beckman 2 years ago

      If you've got employees using their Admin rights to remove computers from AD or the local Administrator password without permission, that's a problem that should be solved through HR... not with technology. Assuming they have a business need to change the local Administrator password, the best way to handle that situation would be to make sure their machine gets a policy that changes the local Administrator password more regularly.

      2+

  8. Old Surehand 2 years ago

    Kyle, I cannot agree that this is not a technology problem. We had a technology that continuously updated the password according to policy on regular refresh intervals. This is now gone. What LAPS should do is simply read the ms-Mcs-AdmPwd attribute and apply its value to the local password on a regular group policy interval. Simple as that. Now, as it is, the solution is useless. It took me a couple of days implementing and testing. From the beginning I was under the impression that LAPS would at least keep the essential functionality that existed with Group Policy Preferences, i.e. resetting the password to the default value at GP intervals. After all, this is how the Restricted Groups GP works as well. I was very disappointed to discover it is not the case. I feel I need to bring this news to other colleagues and save them a day or two of work. By the way, I did deploy LAPS at the customer, but I am now waiting for their decision on whether they want to keep it.

    0

    • Author
      Kyle Beckman 2 years ago

      If a user is doing something on a computer that he/she shouldn't be doing, that is typically a policy issue in the organizations where I've worked/consulted. The employee violating that policy would be dealt with through an HR process. That said, we'll just have to agree to disagree on the issue. If you do have an environment where IT is being asked to implement a control because employees are constantly changing the local Administrator password, LAPS may not be the right product for you or you may need to set the threshold for expiration to a much lower number.

      LAPS is a Group Policy Client Side Extension... not a server-side product. The CSE checks in to see if the date in AD is expired. If the date has passed, it updates the local Administrator password on the client and in AD. The server can't/won't reach out to the client to update the password because it is simply a repository for the password and date. If you would like the CSE to have the ability to re-apply the password to the client until the expiration, I would encourage you to submit that as an enhancement request to Microsoft on Connect. LAPS is intended as a way for organizations to mitigate Pass-the-Hash attacks by randomizing passwords on client systems. If you need something more robust that can re-apply passwords, update service accounts, report on end users changing passwords, etc., you may want to look into a 3rd party product that has more advanced features.

      0

  9. 2 Domains 2 years ago

    If your workstation is joined to Domain A can you use the LAPS UI to retrieve local passwords in Domain B ?

    0

    • Author
      Kyle Beckman 2 years ago

      The passwords are stored in AD as an attribute. As long as the account you're using has appropriate permissions to view the attribute, you should be able to view it.

      0

  10. 2 Domains 2 years ago

    Domain A and Domain B have a 2 way trust by the way

    0

  11. 2 Domains 2 years ago

    For some reason, since my workstation is in another domain, when I run the LAPS UI it just says "Computer not found" when the server is in the other domain.

    0

    • Author
      Kyle Beckman 2 years ago

      It sounds like the GUI tool is probably trying to perform the lookup in your computer's domain. You could try adding the domain suffix for the computer you're looking for, but I'm guessing that may not work either. It may be necessary for you to run the LAPS GUI from a jump box that is on the domain of the computer you need to manage. If you're just trying to view the password, you can do that in ADUC.

      0

  12. Drew 2 years ago

    I know...I know...I know... that the purpose of this great tool is to manage and randomize Local admin passwords. With that said my org. (aka upper mgmt) is adamant about not randomizing the pwd for the local admin acct (something about being too complex for our workstation admins). Can I still use this tool?

    0

    • Author
      Kyle Beckman 2 years ago

      That's the whole point of the product. You'll probably want to look into a 3rd party solution for your organization's requirements.

      0

  13. Ravindra Sharma 2 years ago

    I have performed the above steps and am able to find the new password for my test machine (local admin), but that password doesn't work; the old password is still active. It's been more than 2 days that I have been trying to find a solution. Can any expert help me solve this issue?

    1+

    • Author
      Kyle Beckman 2 years ago

      Ravindra, This really isn't much information for me to work from. Do you have any other outside system (like Group Policy Preferences) that could be changing the local Administrator password? Have you checked the Event Logs to see what actions LAPS has performed or if something is changing the password of the Administrator account?

      0

    • Ren 10 months ago

      Hello Ravindra,

      were you able to solve this issue?

      0

  14. Shanif 2 years ago

    I have one question. If we reset the local Administrator password manually in a LAPS-enabled environment, what will happen? Will LAPS change the password on the next gpupdate, or will it wait until the password expiry date?

    1+

    • Author
      Kyle Beckman 2 years ago

      No, LAPS will wait until the expiration to update the password again. It will not re-apply the password that is stored in AD.

      0

  15. Joe Gasper 2 years ago

    Kyle, for those worried about their "trusted" staff manually changing the password and LAPS not recording it, could they set the expiration to 1 day and reduce the time frame in which the password and its LAPS entry are out of sync? Also, could you enable auditing on the attribute to log reads and know who looked at a computer's password? Thanks for the LAPS walkthrough. We were thinking of deploying LAPS-E (the encrypted version), but MS pulled it. Still going to implement something. Might just randomize on boot or via a scheduled task and not care about the password (very rare use), as we are licensed for DaRT and can just reset it if needed. Thanks again.

    0

  16. Joe Gasper 2 years ago

    And I should have kept reading to FAQ page 2... nice. Yes, thanks again.

    0

  17. Brecht 2 years ago

    Nice writeup, thanks!

    0

  18. Jason King 2 years ago

    I have been installing LAPS for a while now, but I am seeing that the password is not actually being set on the machine. I see it changing in AD and I can see the events that the password has been changed, but the password never actually changes. Has anyone else had this issue?

    0

    • Author
      Kyle Beckman 2 years ago

      I would enable the logging for LAPS on the client and set it to Verbose to see what is going on at the client. The second part of the FAQ has the Registry key to do this. I would also check your other Group Policy, SCCM, or any other system that can push configuration out to your clients. If you have an old Group Policy Preference or script that is pushing the password down to the local Administrator account, that would overwrite the work LAPS is doing.

      0

    • Ren 10 months ago

      I have the same issue. Have you come up with a solution? Were you able to solve the issue?

      0

      • Author
        Kyle Beckman 10 months ago

        Ren - Did you follow the instructions I gave the previous person?  Did you enable logging on the client to see what it is doing?

        0

  19. Kaleb 2 years ago

    The ADM template is not showing in the domain policy when I want to create the policy; it does, however, show the LAPS template in the local group policy. Any ideas as to why this is happening? I did it twice in my test environment and it worked.

    0

    • Author
      Kyle Beckman 2 years ago

      If it worked in your test environment, it sounds like your Test and Production environments either aren't identical or you might have done something differently the second time in Production. Do you have the Group Policy Central Store in Prod and not in Test? Did you copy the files on to the same management station where you're trying to create the policy?

      0

  20. kaleb 2 years ago

    I had to manually copy the ADMX and ADML files to my Group Policy Central Store in my production environment, something which I didn't have to do in my test environment since they automatically appeared in the GP. Passwords are being shown in AD and when I use the LAPS GUI tool, but for some reason the password is not being changed on the machine. Any ideas? I have reset it two times and the reset does happen, but it just does not change the initial local admin password I had before LAPS.

    0

    • Author
      Kyle Beckman 2 years ago

      It sounds like your Test environment doesn't have the Group Policy Central Store enabled then. If it did, you would have had to copy the ADMX/ADML files over.

      First off, make sure you're running the GUI tool with Admin rights (Right-click, Run as Administrator) just to be sure that isn't it. Otherwise, I'd enable Verbose logging on the client and see what the client is doing.

      0

  21. kaleb 2 years ago

    Also, can this password solution be applied to servers without any issues?

    0

    • Author
      Kyle Beckman 2 years ago

      Yes, it can be applied to servers. Whether you'll have any issues is dependent on if you're using the local Administrator account on your servers. If you are, you'll need to switch to an AD-based service account or have a strategy for updating the password in your service.

      0

  22. RyanB 2 years ago

    So, my workstation admin needs to hop from workstation to workstation without being able to log into ADUC to find the local admin password for the next workstation that he needs to work on. Can I run a report to query AD and dump the current passwords into a text file so they are available to him when he needs them? I am thinking of putting them in a password manager or something similar. Is there a better way to accomplish this?

    0

    • Author
      Kyle Beckman 2 years ago

      Yes! Check out Part 2 of the FAQ. You can use the Get-AdmPwdPassword PowerShell cmdlet to pull lists of passwords for machines.

      Honestly, you're probably better off giving your workstation admin a dedicated account that has admin rights on the machines. He/she could then jump machine to machine with one account. In the event a machine wasn't on the domain, then you could have a way for him/her to get to the local Administrator passwords. A password manager should be fine... just keep in mind that the passwords will expire and change. You'll want to make sure you're regularly updating your saved copy and keeping the date with it so the tech knows if it has expired.

      0

  23. Shanif 2 years ago

    We have implemented LAPS in our organization. We have around 2000 computers. However, recently we faced one issue: we deleted a machine from the domain and created a computer account with the same name. Afterwards we needed to obtain the password of the old computer, but the old computer was not available in the Active Directory Recycle Bin. How can we overcome this issue?

    0

    • Author
      Kyle Beckman 2 years ago

      The easiest way would be to use a tool like DaRT to boot the system and reset the local Administrator password.

      0

  24. Michael Morrison 2 years ago

    Hi Kyle. Thank you for this FAQ. I did want to elaborate further on one of the questions.

    What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)

    I am in a situation where a remote PC has lost its trust relationship with AD. LAPS is providing a password, that is still within the expiration date, but it is not working. I do not have any cached credentials for another user account with local admin rights on this remote machine. This has happened 3 times in the past 4 weeks in my environment and I am fairly certain no one is changing the password locally. Do you know what might be going on here?

    0

  25. vdhiman63 2 years ago

    Hi Kyle,
    I have successfully tested the Local Admin Password Solution in my test environment. The only thing I am not able to come across online is a command to revoke access provided to a group.
    For the commands below, is there a revoke/remove switch as well? E.g., if I want to remove Domain Admins' ability to read the password, or if I want to remove a particular OU of computers from the SelfPermission that I may have already granted?
    1. Set-AdmPwdReadPasswordPermission
    2. Set-AdmPwdComputerSelfPermission
    Thanks

    0

    • Author
      Kyle Beckman 2 years ago

      Domain Admins can undo anything that you're doing. It would be a waste of time to try and deny access to anyone in the Domain Admins group since they can just give themselves access again.

      0

  26. MingN 2 years ago

    Hi,

    We are using SCCM to deploy LAPS CSE to managed computers. Is it possible to push along in the same package of LAPS CSE deployment the creation of the new ExtensionDebugLevel REG_DWORD to enable additional logging?

    I am aware that the {D76B9641-3288-4f75-942D-087DE603E3EA} will only exist after the LAPS CSE has been installed on computers.

    How can I achieve that via SCCM?

    Cheers

    0

    • Author
      Kyle Beckman 2 years ago

      Unfortunately, I don't use SCCM enough to know how to do that. You can create any Registry entry you want... you don't have to depend on the CSE to be installed for it to be on the system. If these are domain-joined systems, I'd probably use Group Policy Preferences. If you want to use SCCM, create a secondary package that runs a script to add the Registry entries and make it dependent on the LAPS CSE install.

      0

    • asd 11 months ago

      You can create a batch file and deploy it using the reg add command with the correct details after the LAPS client has been installed.

      0

  27. MingN 2 years ago

    In an environment where there will be many management computers (one for each service desk person), there is no need to install the GPO Editor templates option, is this correct?

    From my understanding, the GPO editor template tool only needs to be installed once (on a management computer, not a DC) to get the LAPS administrative template files to be used in (copied to) the central store for GPO.

    Other management computers only need to have the fat client UI and PowerShell module installed. Correct?

    Thanks


    0

    • Author
      Kyle Beckman 2 years ago

      Correct... you only need the Group Policy ADMX files on computers that will edit the policy for LAPS. If your service desk personnel are going to need to view passwords and force updates/resets, yes... they'll need the client UI and PowerShell module installed.

      0

  28. Thomas H. 2 years ago

    Problem with LAPS I hope you can clarify. The company I work for has recently implemented LAPS. However, I think there may have been unforeseen issues that weren't planned for. We have a policy that if a PC hasn't communicated with a domain controller for 2 months it is scavenged and drops off the domain. We have users that work from home via VPN, and for some reason they sometimes fall off the domain. I have found that if a PC falls off the domain we are unable to log in as local Admin with LAPS and are left with no choice but to re-image. I am not a system/domain admin but a desktop support tech who has to tell the user we can't recover their data. So I wanted to know if there is a solution to resolve this situation.

    0

    • Author
      Kyle Beckman 2 years ago

      My initial thought is that these PCs may not be communicating with Active Directory like they should be. I'd start there and make sure that they're communicating like they're supposed to be. 2 months seems really low to me... I work in Higher Ed and it is very normal for a computer to go longer than 2 months without connecting back in to campus. Your organization may want to ensure that the Active Directory Recycle Bin is enabled and the tombstoneLifetime is set to something longer than 60 days so you can recover those objects. It would be much easier than using something like DaRT to reset the password and then re-adding them to AD.

      0

  29. Shawn 2 years ago

    Thomas – we have the same issue. Without restating, how does one recover a LAPS-generated password or reset one on a client computer with a trust issue that no longer exists in AD anymore?

    We currently blank passwords on Win 7 boxes with old-school 3rd-party disks and hack our way into Win 10 clients as well. I saw your comment about DaRT and MDOP with Software Assurance; is this the way that MS wants us to manage the issue?

    0

    • Author
      Kyle Beckman 2 years ago

      If you've got computers that are losing their trust with AD, you've got a bigger issue you need to solve. You shouldn't need to do an offline edit regularly to get back into the boxes. Have you investigated why you've got boxes losing their trust with AD? In 10 years, I can think of maybe two times it happened to me in my old environment.

      0

  30. Roger Kagan 2 years ago

    I am doing some testing.

    What about using LAPS for the DSRM password?

    It seems to work so far.


    0

  31. Bberies 2 years ago

    We have push out LAPS to most computers and majority of them seem to be good.

    However, there are some computers out there that also have the GPO CSE installed and received the LAPS GPO with the relevant SELF permission set (same OU as the rest that are working), but the two attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration are not showing in the computer object (in Attribute Editor).

    What could be the issue?

    thanks

    0

  32. Bberies 2 years ago

    To add more info on my above question -

    After a few reboots, ms-Mcs-AdmPwdExpiration is now showing up in the Attribute Editor of the computer object.

    However, ms-Mcs-AdmPwd is still missing.

    I forced a password change via the LAPS UI; it said "Password reset request was successful".

    ms-Mcs-AdmPwd is still missing.

    note: The Local Administrator Account password of this VM has been manually changed before LAPS was implemented.

    Please shed some lights.


    0

  33. Usaid 2 years ago

    I implemented the solution, and the application can set/reset the password only for the machine where I have installed both the fat client and the CSE, but it is not working for the other machine, on which I have installed only the CSE, saying ms-Mcs-AdmPwd <not set>.

    0

  34. Jeremy 2 years ago

    I am currently running tests on LAPS for the company I work for... Is there a way to rename and enable/disable the Admin accounts from the LAPS group policy? Like I said, we are testing the software and DO NOT want to mess with the local group policies, just the LAPS GP.

    0

    • Author
      Kyle Beckman 10 months ago

      I'm not sure I totally understand what you're trying to do.  When I originally tested LAPS, I created a new sub-OU with the computers I was testing with.  I linked the LAPS GPO there and it only impacted those test computers.  It still allowed them to get all the policy they would normally get.

      0

  35. Red 1 year ago

    Hi,

    I'm in a corporate environment and we want to test LAPS, but all our PCs have the built-in Administrator account disabled and every PC has a local administrator account, with a different name for every PC.

    Is this somehow supported? Does LAPS recognize an account with administrative privileges with a different name for every PC? And what about if a PC has two local administrative accounts?

     

    Regards.

     

    Red.

    0

    • Author
      Kyle Beckman 10 months ago

      Obfuscating the local Administrator account isn't really security.  Enumerating that username is fairly trivial.  You'll need to switch to the standard local Administrator account or start using a single custom username to use LAPS.

      0

  36. Brent 1 year ago

    Hi,

    I have tested LAPS in our test domain. It works perfectly. Changing the password also works correctly (after gpupdate), but for a machine behind an RODC I get the error "Could not get computer object from AD:Error 0x80070051". I have also set the FAS for the RODC to replicate the attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

    Regards

    Brent

    0

    • Author
      Kyle Beckman 10 months ago

      I haven't tested with an RODC, but LAPS is going to have to write data back to a DC.  If it can't do that, it can't update the stored password.

      0

  37. Jeff 1 year ago

    Is there any way to use PowerShell to run through all computers to see which, if any, didn't get the LAPS ms-Mcs-AdmPwd put in as it should have been through a GPO?

    0

    • Author
      Kyle Beckman 10 months ago

      Do you mean to see if the local computer has a different password than LAPS?

      0
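
The check Jeff asks about, as an added example (not the article's or Microsoft's code): it walks an OU with the ActiveDirectory module and reports computers with no stored LAPS password or an expiration time already in the past, without ever printing the password itself. The OU DN and the Get-LapsCoverage name are constructed for this example; run it as an account that holds read rights on ms-Mcs-AdmPwd, otherwise every computer shows up as missing because the attribute is hidden from you.

```powershell
# Added example: audit LAPS coverage for the computers under one OU.
# Requires the RSAT ActiveDirectory module and read rights on ms-Mcs-AdmPwd.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # constructed OU DN, see call below
        [string] $Server                               # optional: pin all reads to one DC
    )
    $adParams = @{
        Filter     = 'enabled -eq $true'
        SearchBase = $SearchBase
        Properties = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'operatingSystem'
    }
    if ($Server) { $adParams.Server = $Server }

    foreach ($c in Get-ADComputer @adParams) {
        $stored = $c.'ms-Mcs-AdmPwd'                       # only tested for presence, never output
        $rawExp = $c.'ms-Mcs-AdmPwdExpirationTime'         # Integer8 = Windows FILETIME (UTC)
        $expiry = if ($rawExp) { [DateTime]::FromFileTimeUtc([int64]$rawExp) } else { $null }

        # 'Expired' means the CSE should have rotated the password at its last GP refresh
        # and did not; together with 'NoPasswordStored' these are the machines to chase.
        $state = if (-not $stored)  { 'NoPasswordStored' }
                 elseif (-not $expiry) { 'NoExpirationTime' }
                 elseif ($expiry -lt (Get-Date).ToUniversalTime()) { 'Expired' }
                 else { 'OK' }

        [pscustomobject]@{
            Name            = $c.Name
            OperatingSystem = $c.operatingSystem
            ExpiresUtc      = $expiry
            State           = $state
        }
    }
}

# Constructed OU; list everything that is not in a healthy state.
Get-LapsCoverage -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object State -ne 'OK' |
    Sort-Object State, Name |
    Format-Table -AutoSize
```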

  38. Randy Smith 1 year ago

    I am having trouble finding an answer to this, as I am just starting the venture into using this application. Does the admin GUI need to run off of a DC? Or can I just use domain admin credentials somewhere to use the GUI on a domain workstation?

    0

  39. Garrett Petschke 1 year ago

    I'm in the process of installing LAPS at the organization that I work for.  I have two questions...

    1. If you have a secondary custom local admin account, can you deploy a second GPO for LAPS to manage that?

    2. For PCs that are being managed, can the local admin account become locked when the LAPS generated password is entered incorrectly multiple times?  What are the steps to recover from this, if so?

    0

    • Author
      Kyle Beckman 10 months ago

      No.  You can use local Administrator or a custom account, not both.
      It would depend on the policy you've set on the machine.  Recovery would be the same for any locked out account.

      0

  40. Werner 1 year ago

    We have been using LAPS for some time in our environment. We also have a lot of virtual servers and use snapshots from time to time for updating applications. I already faced a problem where the password was changed after the snapshot and the password for the computer account also changed. We wanted to go back to the snapshot. The result was a server that you can't log on to anymore, because the computer account had a newer password (no trust anymore) and the local password was also newer. Is there a way to get the old local password?

    1+

    • Author
      Kyle Beckman 10 months ago

      Unless you're using a third-party application or writing something in PowerShell to regularly dump the passwords, nope.

      0

  41. Tim 1 year ago

    What if the user changes the local admin password himself?
    Is the password mirrored to AD, or is the password overwritten with the one set in AD?

    Thank you!

    0

    • Author
      Kyle Beckman 10 months ago

      Nope.  If a user with local Admin rights on the computer changes the password, you no longer know the local Administrator password on the system.

      0

  42. sadiq 1 year ago

    After installing LAPS, I got this problem. Please help me to fix it..... Thanks

    User Name: Administrator
    Client IP Address: 10.100.1.31
    Client Host Name: 10.100.1.31
    Domain Controller: DOMAIN.john.com
    Logon Time: Nov 18,2016 02:15:29 PM
    Event Type: Failure
    Failure Reason: Bad password
    Domain: krbtgt/john.com
    Remarks: Kerberos pre-authentication failed.
    Logon Service: krbtgt/john.com
    SID: %{S-1-5-21-2415345328-180167431-1577633172-500}
    Event Number: 4771
    Event Code: 16

    0

    • Author
      Kyle Beckman 10 months ago

      This isn't terribly useful without context.  Is this on the client or the server?  What other steps have you performed?

      0

  43. Gandhasree 1 year ago

    Hi,

     

    I have configured LAPS in my environment. After the configuration, the LAPS UI is now showing the password.

    Everything is properly configured.

    0

  44. CMAN 12 months ago

    Kyle or anyone?

    What happens if the DC is down? How can you read the passwords?

    0

    • Author
      Kyle Beckman 10 months ago

      DC? Singular?  You can't read the passwords if the DC is down.  Why do you only have one DC?

      0

  45. Ren 11 months ago

    Hello, I'm not sure if anyone has encountered the same issue I am having. I've set up LAPS in our domain. Everything looks fine. I see the attribute with the password, and security is also set up and delegated. However, if I use the password stored in the attribute, the password does not seem to work. Please advise.

    0

  46. Andre Dupre Kuiper 11 months ago

    Hi Ren,

    Have you tried setting a new expiration time through LAPS UI? Choosing a date in the past then restarting the client will force a new password to be set.

    I have noticed that a newly imaged machine (without removing the object from AD) will show the old password in LAPS but it won't work until I set a new one.

    0

    • Ren 11 months ago

      Hello Andre,

      I appreciate your response. I've tried setting a new expiration choosing a date in the past, waited half a day and ran gpupdate, restarted the machine, checked to make sure the GPO is applied, but still the password in ADUC does not work. I've tried setting a new expiration, this time with a date in the future, but same thing.

      Please advise.

      Ren

      0

  47. Andre Dupre Kuiper 11 months ago

    Ren,

    Strange... When you set the expiration to a date in the past, after restarting the client, did the password in ADUC/LAPS UI change? When you look at your group policy scope and filtering, is the computer object subject to your LAPS policy?

    If you have another administrator account you can log in with, you could open an elevated command prompt and run "gpresult /r". Verify under the Computer Settings > Applied Group Policy Objects section that you see your LAPS policy.

    It may be the case that the computer object is not in the correct OU or group.

    0

    • Ren 11 months ago

      I agree, very strange. I searched everywhere to see if I missed something and I even reconfigured it again, but same thing.

      -Yes, the password shows in ADUC.

      -Yes, the password changed after I set the expiration to the past.

      -Yes, the policy is applied after running gpresult /r.

      -Under security filtering, the computer is added and I made sure "Apply group policy" is checked.

      -I enforced LAPS GPO.

      -LAPS is installed on the machine.

      0

  48. Andre Dupre Kuiper 11 months ago

    Ren,

    Hmm, it seems like you're doing everything correctly.

    It may sound dumb but are you typing in the admin password? I prefer to use Remote Desktop, then copy/paste the password, as I find it difficult to distinguish between some of the characters.

    And the account you're trying to log into is the built-in local administrator (assuming you didn't point LAPS at a different account), using ".\administrator" to prevent it from trying to use a domain account.

    Other than that I'm running out of ideas for you to try, sorry.

    1+

    • Ren 11 months ago

      Yes, I'm typing the password and I did try copy and paste.

      We are not using the built-in local admin. Could that be the issue? I see documents that say you specify the local admin name in the LAPS GPO and it should work.

      No worries. I appreciate your time.

      0

      • Author
        Kyle Beckman 10 months ago

        Sounds like that is your problem.  If you're not using the local Administrator account, you have to specify the username of the account in the GPO.

        0

        • Ren 10 months ago

          Hello Kyle, I did specify the username of our local admin account, but that didn't help.

          0

  49. Ren 10 months ago

    Please Help!

    When I issued the command "Set-AdmPwdComputerSelfPermission -OrgUnit <OU where the Client Machines are Stored>"

    I get the error below:

    PS C:\windows\system32> Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Managed,DC=domain,DC=ca"
    Set-AdmPwdComputerSelfPermission : The object does not exist.
    At line:1 char:1
    + Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Managed,DC=domain, ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-AdmPwdComputerSelfPermission], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.DelegateCom
    rSelfPermission

    0

    • Author
      Kyle Beckman 10 months ago

      The error is right there: "The object does not exist."  Does that OU actually exist or is that actually a folder in your AD?

      0

  50. ryan pietrow 8 months ago

    Hello, I'm having an issue extending the schema. When I run the update-Admpwdadschema command, this comes up:

    PS C:\Users\administrator.ICT> update-admpwdadschema
    update-admpwdadschema : An operation error occurred.
    At line:1 char:1
    + update-admpwdadschema
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

    I've run it as admin, checked user privileges and registered a DLL, schmmgmt.dll, that a guy said might fix it.

    Any ideas?

    0

  51. Hector Hernandez 8 months ago

    Kyle,

    Does the admin account have to be enabled for LAPS to update the password?

    0

  52. Santeno 7 months ago

    I have cases where the password is set to never expire, and the passwords are not changed by LAPS. Can LAPS change the password while it is set to never expire? What is the solution if the password is set to never expire? Thanks.

    0

  53. Omar Al-Dweik 7 months ago

    Hello,

    I have a small issue with LAPS, as below...

    Our local admin user has the check mark (Password Never Expired) set; LAPS is not able to change the password unless Password Never Expired is unchecked.

    Please help?

    0

  54. Thomas Scott 6 months ago

    Is anyone else having the same problem as me? I have followed the guide and all commands completed without an error. But when I go into the properties of the OU I have set this on, I can see that "SELF" has the following set to allowed:

    Read ms-Mcs-AdmPwd
    Write ms-Mcs-AdmPwd

    But the following set to deny:

    Read ms-Mcs-AdmPwdExpirationTime
    Write ms-Mcs-AdmPwdExpirationTime

    And the user (which is a domain admin) that I ran the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission commands against has the following allowed:

    Read ms-Mcs-AdmPwdExpirationTime
    Write ms-Mcs-AdmPwdExpirationTime

    And the following denied:

    Read ms-Mcs-AdmPwd
    Write ms-Mcs-AdmPwd

    I have tried to re-run the commands, which complete successfully and say they are delegated, but the permissions don't change on the OU. I have also tried to manually update these permissions on the OU (for which I am the owner), but when I click Apply the changes don't save.

    Very odd; some help would be greatly appreciated.

    0

    • Thomas Scott 6 months ago

      Sorry when I say they are denied I mean they do not have a check in them, for either allowed or denied. They are just blank.

      0
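
One way to verify what Ren (comment 49) and Thomas (comment 54) ran into, as an added example that is not the article's or the LAPS module's own code: it checks the target OU actually exists before delegating, runs Set-AdmPwdComputerSelfPermission, then reads the OU's ACL back and lists exactly which access control entries SELF holds on the two LAPS attributes, so "blank" checkboxes in the GUI can be compared against the real ACEs. It assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are installed; the OU DN and the Get-LapsSelfAces name are constructed.

```powershell
# Added example: delegate the SELF rights LAPS needs on an OU and read the result back.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = 'OU=Computers,OU=Managed,DC=example,DC=com'   # constructed placeholder DN

# 1. "The object does not exist" from Set-AdmPwdComputerSelfPermission usually means a
#    wrong DN, or a container (CN=Computers) instead of an OU. Fail early and clearly.
$null = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop

# 2. Delegate: computer objects (SELF) may write both attributes and read the expiration.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Resolve the two attributes' schemaIDGUIDs so attribute-level ACEs are readable.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
$schemaQuery = @{
    SearchBase = $schemaNC
    LDAPFilter = '(lDAPDisplayName=ms-Mcs-AdmPwd*)'
    Properties = 'lDAPDisplayName', 'schemaIDGUID'
}
Get-ADObject @schemaQuery | ForEach-Object {
    $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName   # schemaIDGUID arrives as byte[]
}

# 4. Pull the OU's ACL via the AD: drive and keep only SELF's ACEs on the LAPS attributes.
function Get-LapsSelfAces {
    param([Parameter(Mandatory)] [string] $OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
            $guidToName.ContainsKey($_.ObjectType)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $guidToName[$_.ObjectType]
                Rights    = $_.ActiveDirectoryRights   # expect WriteProperty / ReadProperty
                Type      = $_.AccessControlType       # expect Allow
                AppliesTo = $_.InheritanceType         # expect Descendents (computer objects)
                Inherited = $_.IsInherited
            }
        }
}

Get-LapsSelfAces -OuDn $ou | Format-Table -AutoSize
```

If step 4 prints nothing for an attribute, the delegation did not land on that OU regardless of what the cmdlet reported; if it prints Deny entries, something else (often a manually edited ACL) is overriding the LAPS delegation.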

  55. Dusty 5 months ago

    Note that LAPS does not provide a history of the administrator password.

    This will cause an issue when restoring a server to a time before the password stored in AD.

    Also, the restored server will not have a trust established with the domain.

    In this case, the only way to login is to use DaRT and reset the local admin password.


    1+

    • JamieT 5 months ago

      While I love LAPS, there is some quirkiness to it. One major issue I have is that once you remove a computer from AD, you have to make sure to reset the local admin password before restarting, as you won't be able to look up the password. I am not sure if I overlooked something or not, but it seems that once it is removed from AD you cannot look up what the previous password was set to.

      0

  56. VM 5 months ago

    Are there any updates to this LAPS product? I am planning to implement it in a Server 2012 forest environment, but will that change when we upgrade to Server 2016?

    I don't see many upgrades/updates. How often does this product get upgraded?

    V

    0

  57. Andy 4 months ago

    Ken,

    I will be getting with the admin who implemented LAPS tomorrow.

    We are joining new computers to the domain through WDS and MDT.

    The join happens before the administrator account logs in (which is handled by xml to designate the admin password for application installs/settings)

    So, will the PC be able to log in after the join and run the task sequences/install applications?

    And is this part of the GPO applied before, or when, a domain user logs in?

    Is there a way to delay the application of the random password for 12-24 hours?

    We keep the laptops/PCs locked up for at least 24 hours before deployment anyway, and MDT only takes about 1-2 hours depending on Windows updates/connection/application install times.

    Would be nice to be able to keep things automated after joining the domain.

    Any idea what would be the best solution here outside of manually joining the domain?

    Thanks

    Andy

    0

  58. Andy 4 months ago

    Sorry, meant Kyle

    0

  59. Hai Tran 4 months ago

    Hi Mr.Kyle,

    I have had LAPS deployed since April 2017. It worked perfectly.

    Recently, a couple of weeks ago, LAPS stopped working properly. After investigating, I found that the two attributes (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) were not added on a new computer which was joined to the domain. The old computers still work normally.

    I think that this is why the LAPS agent couldn't update the password in Active Directory.

    Please help me on this case.

    Thanks,
    Hai Tran

    0

  60. Adit Amar 4 months ago

    Please tell us whether there is any centralized management for LAPS, where we can find the number of PCs joined, unjoined, etc. Is there any interface/management like WSUS???

    0

  61. Adit Amar 4 months ago

    I mean the number of PCs on which it has been installed and the number of PCs on which it hasn't. Is there any centralized management or interface??

    0

  62. Adit Amar 4 months ago

    Also, please tell me the port numbers on which LAPS works.

    0

  63. jomz 3 months ago

    I have duplicate OUs as there are different policies to be applied in the same department. How can I apply Set-AdmPwdComputerSelfPermission?

    0

  64. kovendhan J 3 months ago

    I want to set the same password for all domain-joined computers. Is that possible with LAPS?

    0

    • Jomz 3 months ago

      No. MS LAPS is designed to use a unique password on each computer.

      1+

  65. Jörgen Nilsson 3 months ago

    Hi,

    No, you cannot set the same password; you can use a script and/or Group Policy to do it though.

    Regards,
    Jörgen

    0

  66. Jimmy 2 months ago

    Hello, are there any resources available for help using PowerShell to manually set the "ms-Mcs-AdmPwdExpirationTime" attribute?  The use case is that we have servers in a DMZ where there are no writable domain controllers.  I am having some difficulty figuring out how to update this attribute because the type is Integer8, or "ADsLargeInteger", which is a COM object.  I have found code to create the LargeInteger object, but when I try to write this to AD it only says "unspecified error".

    0
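
Writing ms-Mcs-AdmPwdExpirationTime without the ADsLargeInteger COM object, as an added example (not the article's or Microsoft's code) that also covers Andre's tip in comment 46 about setting an expiration in the past to force a new password. The attribute is an Integer8 holding a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is exactly what [DateTime]::ToFileTimeUtc() produces, and the ActiveDirectory module accepts a plain [int64] for it. The computer and DC names and the Set-LapsExpiration name are constructed.

```powershell
# Added example: set the LAPS expiration time with [int64] FILETIME values.
Import-Module ActiveDirectory

function Set-LapsExpiration {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [DateTime] $ExpiresAt,
        [string] $Server            # must be a writable DC; a RODC cannot accept the write
    )
    # DateTime -> FILETIME (UTC). ToFileTimeUtc already normalizes local times.
    $fileTime = [int64] $ExpiresAt.ToFileTimeUtc()

    $write = @{
        Identity = $ComputerName
        Replace  = @{ 'ms-Mcs-AdmPwdExpirationTime' = $fileTime }   # Integer8 attribute
    }
    if ($Server) { $write.Server = $Server }
    Set-ADComputer @write -ErrorAction Stop

    # Read it back and convert the other way to confirm what the directory stored.
    $read = @{ Identity = $ComputerName; Properties = 'ms-Mcs-AdmPwdExpirationTime' }
    if ($Server) { $read.Server = $Server }
    $c = Get-ADComputer @read
    [DateTime]::FromFileTimeUtc([int64] $c.'ms-Mcs-AdmPwdExpirationTime')
}

# A time in the past makes the CSE generate and store a fresh password at its next
# Group Policy refresh, which is what the LAPS UI's "Set" expiration button does too.
Set-LapsExpiration -ComputerName 'SRV01' -ExpiresAt (Get-Date).AddDays(-1) -Server 'dc01.example.com'
```

For the DMZ case in the question, the write still has to reach a writable DC; pointing -Server at one from the management network is the part this example does not remove.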

  67. Manoj 2 months ago

    Hi All,

    Is there any way to target all OUs in one go to delegate the access to the computers with "Set-AdmPwdComputerSelfPermission"? Does this command work if I run it against the domain name?

    I want to enable LAPS across all OUs.

    0

  68. Grant 1 month ago

    We clone a domain controller to create a development environment but I don't want to have the LAPS passwords contained in the development environment.

    Is there any way to remove the LAPS passwords from AD so they won't exist there? The password field is not directly editable as I have tried doing something like below but that has no effect.

    get-adobject -filter * -Properties ms-mcs-admpwd | where { $_."ms-mcs-admpwd" } | % { $_.'ms-mcs-admpwd' = '' }

    Using the reset-admpwdpassword cmdlet only has the effect of resetting the timestamp without affecting the stored password.

    Is there any other way to sanitize the development environment from a copy of AD?

    0
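
A way to do the sanitization Grant describes, as an added example that is not the article's or Microsoft's code: his one-liner only assigns to the in-memory object returned by Get-ADObject, while clearing the attribute on the directory needs Set-ADObject -Clear. The example pins -Server to the cloned development DC so it cannot run against production by mistake, supports -WhatIf, and returns the number of objects it cleared. The DC name and the Clear-LapsSecrets name are constructed.

```powershell
# Added example: remove stored LAPS secrets from a cloned (development) copy of AD.
Import-Module ActiveDirectory

function Clear-LapsSecrets {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DevDC,   # the cloned DC only, never a production DC
        [string] $SearchBase                      # optional OU scope inside the clone
    )
    $query = @{
        Server     = $DevDC
        LDAPFilter = '(&(objectClass=computer)(ms-Mcs-AdmPwd=*))'   # only objects holding a secret
        Properties = 'ms-Mcs-AdmPwd'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $cleared = 0
    foreach ($obj in Get-ADObject @query) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Clear ms-Mcs-AdmPwd')) {
            # Clearing the expiration too means any CSE that talks to the clone mints a new
            # password instead of keeping a value copied from production.
            Set-ADObject -Server $DevDC -Identity $obj -Clear 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
            $cleared++
        }
    }
    return $cleared
}

# Dry run first (lists every object that would be touched), then the real pass.
Clear-LapsSecrets -DevDC 'dev-dc01.dev.example.com' -WhatIf
Clear-LapsSecrets -DevDC 'dev-dc01.dev.example.com' -Confirm:$false
```

The presence filter on ms-Mcs-AdmPwd only matches for an account that can read the attribute, so run this as a domain admin of the clone.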

  69. kaushik Dey 1 month ago

    Hi,

    Can anyone let me know what delegation I need to provide to a user so that he can set the password expiration time from the LAPS console?

    0

  70. Angie 3 weeks ago

    Hi,

    Does anyone understand exactly what the following GPO setting means? "Do not allow password expiration time longer than required by policy"?

    0

  71. Nilesh 3 weeks ago

    We have implemented LAPS in our organization. Some of the systems get trust relationship errors and we need to remove them from AD and rejoin them. But in this case we missed taking the password and we now don't know how to deal with this issue. We are not able to log in as Administrator to join the machine to the domain.

    Has somebody faced this issue, and how do you deal with it?

    0

© 4sysops 2006 - 2017
