Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)
No, LAPS does not require an agent. What it does need on every managed workstation and server is a Group Policy Client Side Extension (CSE): a DLL (AdmPwd.dll) that the Group Policy engine loads during computer policy processing. That is not an agent in the usual sense. An agent is typically a service that starts at system startup and keeps running in the background to send telemetry or other data to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus console. The LAPS CSE installs no service and opens no listener; it runs only during Group Policy refresh (at startup and then every 90 minutes plus a random offset by default), checks the password expiration time stored in AD, and exits.
Local Administrator Password Solution Setup - Manual install of Group Policy CSE
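As an added example (not code from the article), the following PowerShell checks on a managed computer that the LAPS CSE is registered with the Group Policy engine, confirms that no LAPS service exists, and turns on the CSE's verbose logging before forcing a refresh. The CSE GUID, the ExtensionDebugLevel value and the AdmPwd event source are the ones Microsoft documents for LAPS; run it elevated on the client.

```powershell
# Added example, not from the original article. Run elevated on a LAPS-managed client.
# The CSE is registered under the Winlogon GPExtensions key by its documented GUID.
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

if (-not (Test-Path $cseKey)) {
    Write-Warning 'LAPS CSE is not registered on this computer; install the LAPS MSI with the "AdmPwd GPO Extension" feature.'
    return
}

# The default value holds the CSE name, DllName the binary the GP engine loads.
$cse = Get-ItemProperty -Path $cseKey
'CSE registered: {0} ({1})' -f $cse.'(default)', $cse.DllName

# A CSE is not an agent: there should be no LAPS/AdmPwd service at all.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*AdmPwd*' -or $_.DisplayName -like '*LAPS*' }
if ($svc) { Write-Warning "Unexpected service(s): $($svc.Name -join ', ')" } else { 'No LAPS service found (expected).' }

# ExtensionDebugLevel: 0 = errors only (default), 1 = errors and warnings, 2 = verbose.
# Verbose output goes to the Application log with source AdmPwd.
Set-ItemProperty -Path $cseKey -Name ExtensionDebugLevel -Value 2 -Type DWord

# Trigger a computer policy refresh so the CSE runs, then read what it logged.
gpupdate /target:computer /force | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Set ExtensionDebugLevel back to 0 once troubleshooting is done; at level 2 the log records each password-change attempt, which is useful when a machine's attributes never appear in AD but is noise otherwise.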
Can I use LAPS without installing the Active Directory schema changes?
No, you cannot use LAPS without installing the AD schema changes. The schema update (Update-AdmPwdADSchema, run once per forest by a member of Schema Admins) adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class, and the CSE cannot store or check a password without them.
Does LAPS require an additional infrastructure such as additional application servers or SQL?
No. LAPS needs two additions to your AD schema (the two attributes above) and the Group Policy Client Side Extension (CSE) installed on every managed computer. The management tools (the fat client UI, the PowerShell module and the Group Policy templates) go on whichever admin workstations need them. There is no application server, database, or SQL server to run.
Is storing the Administrator password in AD in plain text secure?
The ms-Mcs-AdmPwd attribute is marked confidential in the schema, so the ordinary Read permission on a computer object does not expose it. Reading it requires the control-access right on the object, which is what "All extended rights" or Full Control grants; by default that means Domain Admins, Enterprise Admins, and anyone who has been delegated such rights on the OU. The value itself is not encrypted at rest in the directory database, so domain controllers and their backups must be protected accordingly. Even so, keeping the same local Administrator password across large groups of systems is a much bigger security risk.
If the passwords are stored in AD, can’t anyone with AD access view them?
No, only principals with adequate permissions can read the stored passwords. Use the Find-AdmPwdExtendedRights PowerShell cmdlet to see which groups and users can read the passwords in an OU; it lists every holder of extended rights on the computer objects, including groups that were delegated Full Control long before LAPS was deployed. Use Set-AdmPwdReadPasswordPermission to delegate read access to groups or users, and Set-AdmPwdResetPasswordPermission to let them force a password change.
Find-AdmPwdExtendedRights output example
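The AD-side setup described in the three answers above, as an added example rather than code from the article: extend the schema, grant each computer the right to write its own password, audit who can already read it, and then delegate read and reset rights to a group. It uses the AdmPwd.PS module that ships with the LAPS installer; the OU distinguished name and the group name are assumptions for illustration.

```powershell
# Added example, not from the original article. Requires the AdmPwd.PS module
# installed by the LAPS MSI. Run the schema step as a Schema Admin, the rest as
# a Domain Admin or the owner of the OU.
Import-Module AdmPwd.PS

# 1. Extend the schema once per forest. Adds ms-Mcs-AdmPwd (confidential) and
#    ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU; must already exist

# 2. Let each computer write its own password and expiration time.
#    This grants SELF write on the two attributes only; it grants nobody read.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Audit who can already read the password before delegating anything more.
#    Anyone holding "All extended rights" on the computer objects (for example a
#    helpdesk group that was given Full Control on the OU years ago) can read the
#    confidential attribute, so this list is what you actually have to trust.
Find-AdmPwdExtendedRights -Identity $ou |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 4. Delegate read and reset rights to a dedicated group, never to individuals.
$readers = 'LAPS-Readers'                    # assumed group name
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 5. Re-run the audit to confirm the delegation landed and nothing unexpected remains.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders |
    Sort-Object -Unique
```

If step 3 shows groups you did not expect, remove their extended rights on the OU before rolling the CSE out; once computers start writing passwords, every holder in that list can read all of them.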
Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?
Access to the ms-Mcs-AdmPwd attribute is controlled by the AD ACL, so it is granted to whatever credentials the reader authenticates with. To require 2FA you would have to enforce it at logon for every account that holds read rights (for example, by requiring smart card logon for those accounts) and keep those rights on a small, separate administrative group rather than on everyday accounts. You cannot require 2FA just for reading that attribute without building some kind of custom solution in front of AD.
What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?
If an account with rights to read the ms-Mcs-AdmPwd attribute is compromised, it can be used to pull every local Administrator password it is allowed to see, which is the whole domain unless the delegation is limited to specific OUs. Typically, such an account would already have had enough rights to reset that password remotely on any of those computers, or to do other damage with its delegated privileged access.
The upside of having LAPS in place is that you can now force a password change on every system whose password may be exposed (with Reset-AdmPwdPassword, or by setting the expiration time in the past) and then confirm in AD, via ms-Mcs-AdmPwdExpirationTime, which computers have actually rotated.
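The response just described, as an added example that is not part of the original article: expire every LAPS password in an OU after a suspected compromise, then audit which computers have actually rotated without ever reading the passwords themselves. It uses the AdmPwd.PS and ActiveDirectory modules and needs reset rights on the OU; the OU name is an assumption for illustration.

```powershell
# Added example, not from the original article. Requires the AdmPwd.PS and
# ActiveDirectory modules and Reset permission on the OU.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

# 1. Expire every password in scope. Reset-AdmPwdPassword only sets
#    ms-Mcs-AdmPwdExpirationTime; the CSE changes the password at its next Group
#    Policy refresh, and only if it can reach a writable DC.
foreach ($c in Get-ADComputer -SearchBase $ou -Filter *) {
    Reset-AdmPwdPassword -ComputerName $c.Name -WhenEffective (Get-Date)
}

# 2. Audit later. The attribute is a FILETIME stored as Int64. After a rotation
#    the CSE writes a new expiration in the future, so anything still in the
#    past has not rotated; anything unset never had a CSE write at all (CSE
#    missing, no SELF rights, machine offline, or AD trust lost).
function Get-LapsRotationStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', lastLogonTimestamp |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $exp = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
        $ll  = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime([int64]$_.lastLogonTimestamp) } else { $null }
        $state = if (-not $exp)                { 'NeverSet' }
                 elseif ($exp -lt (Get-Date))  { 'StillExpired' }
                 else                          { 'Rotated' }
        [pscustomobject]@{
            Computer   = $_.Name
            Expiration = $exp
            LastLogon  = $ll
            State      = $state
        }
    }
}

# Report only the machines that still need attention.
Get-LapsRotationStatus -SearchBase $ou |
    Where-Object State -ne 'Rotated' |
    Sort-Object State, Computer |
    Format-Table -AutoSize
```

The audit deliberately reads only the expiration attribute: bulk calls to Get-AdmPwdPassword would expose every password to the console and its transcript, which is exactly what an incident response is trying to contain. A machine that stays in NeverSet or StillExpired with a recent LastLogon is the one to investigate first.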
Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?
You can manage either the built-in Administrator account (LAPS finds it by its well-known RID 500, so it does not matter if the account has been renamed) or one custom local administrator account whose name you specify in the policy, but not both on the same computer.
What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)
The password stored in AD is always the computer's current password, even if it should have expired. The CSE (running as Local SYSTEM) first reads the expiration time from AD and, when a change is due, writes the new password to AD before changing it locally. If the computer has lost its trust with AD, it cannot read the expiration time or write a new value, so the change process stops and the local password stays as it was. You would need to re-establish the computer's AD trust before the local Administrator password changes again.
Can LAPS manage the local Administrator passwords on non–domain-joined machines?
No. Computers must be domain-joined to be managed by LAPS.
Can LAPS change the stored password for a service if it is using the local Administrator account?
No. LAPS only changes the password of the local Administrator account. It does not update services, scheduled tasks, or anything else configured to log on with that account, so those will fail after the first rotation; move them to a dedicated account before you deploy LAPS.
Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?
Microsoft LAPS is designed to randomize the password of the local Administrator (or one custom administrator account) on domain-joined systems without any additional infrastructure. That removes the single shared local password that lets an attacker who captures its hash on one machine use Pass-the-Hash to reach every other machine sharing it, or compromise them all once that password becomes known. Yes, much more elaborate privileged access management solutions exist if you are willing to pay for them and build the additional infrastructure they need.
What if my question isn’t listed here?
Feel free to ask your question in the comments section below!
Hi,
We are using SCCM to deploy the LAPS CSE to managed computers. Is it possible to push along, in the same package as the LAPS CSE deployment, the creation of the new ExtensionDebugLevel REG_DWORD to enable additional logging?
I am aware that the {D76B9641-3288-4f75-942D-087DE603E3EA} will only exist after the LAPS CSE has been installed on computers.
How can I achieve that via SCCM?
Cheers
Unfortunately, I don’t use SCCM enough to know how to do that. You can create any Registry entry you want… you don’t have to depend on the CSE to be installed for it to be on the system. If these are domain-joined systems, I’d probably use Group Policy Preferences. If you want to use SCCM, create a secondary package that runs a script to add the Registry entries and make it dependent on the LAPS CSE install.
You can create a batch file and deploy it using the reg add command with the correct details after the LAPS client has been installed.
In an environment where there will be many management computers (one per service desk person), there is no need to install the GPO Editor templates option. Is this correct?
From my understanding, the GPO editor template tool only needs to be installed once (on a management computer, not a DC) to get the LAPS administrative template files to copy to the central store.
Other management computers only need to have the fat client UI and PowerShell module installed. Correct?
Thanks
Correct… you only need the Group Policy ADMX files on computers that will edit the policy for LAPS. If your service desk personnel are going to need to view passwords and force updates/resets, yes… they’ll need the client UI and PowerShell module installed.
Problem with LAPS I hope you can clarify. The company I work for has recently implemented LAPS. However, I think there may have been unforeseen issues that weren't planned for. We have a policy that if a PC hasn't communicated with a domain controller for 2 months it is scavenged and drops off the domain. We have users that work from home via VPN and for some reason they sometimes fall off the domain. I have found that if a PC falls off the domain we are unable to log in as local admin with LAPS and are left with no choice but to re-image. I am not a system/domain admin but a desktop support tech who has to tell the user we can't recover their data. So I wanted to know if there is a solution to resolve this situation.
My initial thought is that these PCs may not be communicating with Active Directory like they should be. I'd start there and make sure that they're communicating like they're supposed to. 2 months seems really low to me… I work in Higher Ed and it is very normal for a computer to go longer than 2 months without connecting back in to campus. Your organization may want to ensure that the Active Directory Recycle Bin is enabled and the tombstoneLifetime is set to something longer than 60 days so you can recover those objects. It would be much easier than using something like DaRT to reset the password and then re-adding them to AD.
Thomas – we have the same issue. Without restating, how does one recover a LAPS generated password or reset one on a client computer with a trust issue that no longer exists in AD anymore?
We currently blank passwords on Win 7 boxes with old-school third-party disks and hack our way into Win 10 clients as well. I saw your comment about DaRT and MDOP with Software Assurance; is this the way that MS wants us to manage the issue?
If you've got computers that are losing their trust with AD, you've got a bigger issue you need to solve. You shouldn't need to do an offline edit regularly to get back into the boxes. Have you investigated why you've got boxes losing their trust with AD? In 10 years, I can think of maybe two times it happened to me in my old environment.
I am doing some testing.
What about using LAPS for the DSRM password?
It seems to work so far.
Personally, I wouldn’t use it for that.
We have pushed out LAPS to most computers and the majority of them seem to be good.
However, there are some computers out there that also have the GPO CSE installed and received the LAPS GPO with the relevant SELF permission set (same OU as the rest that are working), but the two attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration are not showing in the computer object (in the attribute editor).
What could be the issue?
thanks
To add more info on my above question –
After a few reboots, ms-Mcs-AdmPwdExpiration is now showing up in the attribute editor of the computer object.
However, ms-Mcs-AdmPwd is still missing.
I forced a password change via the LAPS UI; it said the password reset request was successful.
ms-Mcs-AdmPwd is still missing.
Note: the local Administrator account password of this VM was manually changed before LAPS was implemented.
Please shed some light.
I implemented the solution, and the application can set/reset the password only for the machine where I have installed both the fat client and the CSE, but it is not working for other machines on which I have installed only the CSE; it says ms-Mcs-AdmPwd <not set>.
I am currently running a test of LAPS for the company I work for… Is there a way to rename and enable/disable the Admin accounts from the LAPS group policy? Like I said, we are testing the software and DO NOT want to mess with the local group policies, just the LAPS GP.
I’m not sure I totally understand what you’re trying to do. When I originally tested LAPS, I created a new sub-OU with the computers I was testing with. I linked the LAPS GPO there and it only impacted those test computers. It still allowed them to get all the policy they would normally get.
Hi,
I'm in a corporate environment and we want to test LAPS, but all our PCs have the built-in Administrator account disabled and every PC has a local administrator account with a different name for every PC.
Is this somehow supported? Does LAPS recognize an account with administrative privileges with a different name for every PC? And what if a PC has two local administrative accounts?
Regards.
Red.
Obfuscating the local Administrator account isn’t really security. Enumerating that username is fairly trivial. You’ll need to switch to the standard local Administrator account or start using a single custom username to use LAPS.
Hi,
I have tested LAPS in our test domain. It works perfectly. Changing the password also works correctly (after gpupdate), but for machines behind an RODC I get the error "Could not get computer object from AD: Error 0x80070051". I have also set the FAS for the RODC to replicate the attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Regards
Brent
I haven’t tested with a RODC, but LAPS is going to have to write data back to a DC. If it can’t do that, it can’t update the stored password.
Is there any way to use PowerShell to run through all computers to see which, if any, didn't get the LAPS ms-Mcs-AdmPwd attribute put in as it should have been through the GPO?
Do you mean to see if the local computer has a different password than LAPS?
I am having trouble finding an answer to this, as I am just starting the venture into using this application. Does the admin GUI need to run off of a DC? Or can I just use domain admin credentials somewhere to use the GUI on a domain workstation?
@Randy Smith
Had this same question. Short answer is no. LAPS doesn't need to be installed on a DC.
You will need to install the fat client and GP extensions on a computer. Then you will want to copy the .admx and .adml Group Policy templates into the correct PolicyDefinitions and PolicyDefinitions\en-us folders in your central store from whichever PC you install it on.
https://social.technet.microsoft.com/Forums/office/en-US/bcfe5009-e416-47da-bdfb-d2f1fafd552a/laps-options-missing-from-gpm-editor?forum=winserverGP
Otherwise you won’t be able to configure the GPO.
Hi, sorry, a bit late to the party, but I have a follow-up question to this. The install of the management software seems pretty redundant once in; is that correct? By this I mean, if the server that the management software was installed on suddenly died, or we were in a DR scenario where Site A, with the management server, was lost, there would be no impact on being able to retrieve/set passwords?
And all we would have to do is install the management software on another server if we wanted to make any changes to the GP template?
I’m in the process of installing LAPS at the organization that I work for. I have two questions…
1. If you have a secondary custom local admin account, can you deploy a second GPO for LAPS to manage that?
2. For PCs that are being managed, can the local admin account become locked when the LAPS generated password is entered incorrectly multiple times? What are the steps to recover from this, if so?
No. You can use local Administrator or a custom account, not both.
It would depend on the policy you’ve set on the machine. Recovery would be the same for any locked out account.
We have been using LAPS for some time in our environment. We also have a lot of virtual servers and use snapshots from time to time for updating applications. I already faced a problem where the password was changed after the snapshot and the computer account password also changed. We wanted to go back to the snapshot. The result was a server that you can't log on to anymore, because the computer account had a newer password (no trust anymore) and the local password was also newer. Is there a way to get the old local password?
Unless you’re using a third-party application or writing something in PowerShell to regularly dump the passwords, nope.
What if the user changes the local admin password himself?
Is the password mirrored to AD or is the password overwritten from the one set in AD?
Thank you!
Nope. If a user with local Admin rights on the computer changes the password, you no longer know the local Administrator password on the system.
After installing LAPS, I got this problem. Please help me to fix it. Thanks.
User Name: Administrator
Client IP Address: 10.100.1.31
Client Host Name: 10.100.1.31
Domain Controller: DOMAIN.john.com
Logon Time: Nov 18, 2016 02:15:29 PM
Event Type: Failure
Failure Reason: Bad password
Domain: krbtgt/john.com
Remarks: Kerberos pre-authentication failed.
Logon Service: krbtgt/john.com
SID: S-1-5-21-2415345328-180167431-1577633172-500
Event Number: 4771
Event Code: 16
This isn’t terribly useful without context. Is this on the client or the server? What other steps have you performed?
Hi,
I have configured LAPS in my environment. After the configuration, LAPS UI is now showing the password
Everything is properly configured
kyle or anyone?
what happens if the DC is down how can you read the passwords?
DC? Singular? You can’t read the passwords if the DC is down. Why do you only have one DC?
Hello, I'm not sure if anyone has encountered the same issue I am having. I've set up LAPS in our domain. Everything looks fine. I see the attribute with the password, and security is also set up and delegated. However, if I use the password stored in the attribute, the password does not seem to work. Please advise.
Hi Ren,
Have you tried setting a new expiration time through LAPS UI? Choosing a date in the past then restarting the client will force a new password to be set.
I have noticed that a newly imaged machine (without removing the object from AD) will show the old password in LAPS but it won’t work until I set a new one.
Hello Andre,
I appreciate your response. I’ve tried setting a new expiration choosing the date in the past, waited half day and run gpupdate, restarted the machine, checked to make sure gpo is applied but still the password in ADUC does not work. I’ve tried setting a new expiration and this time the date in the future but same thing.
Please advise.
Ren
Ren,
Strange… When you set the expiration to a date in the past, after restarting the client, did the password in ADUC/LAPS UI change? When you look at your group policy scope and filtering is the computer object subject to your LAPS policy?
If you have another administrator account you can log in with, you could open an elevated command prompt and run "gpresult /r". Verify under the Computer Settings > Applied Group Policy Objects section that you see your LAPS policy.
It may be the case that the computer object is not in the correct OU or group.
I agree, very strange. I searched everywhere to see if I missed something, and I even reconfigured it again, but same thing.
-Yes the password shows in ADUC.
-Yes the password changed after i set the expiration to past.
-Yes the policy is applied after running gpresult /r.
-Under security filtering, computer is added and made sure the “apply group policy” is checked on.
-I enforced LAPS GPO.
-LAPS is installed on the machine.
Ren,
Hmm, it seems like you’re doing everything correctly.
It may sound dumb but are you typing in the admin password? I prefer to use Remote Desktop, then copy/paste the password, as I find it difficult to distinguish between some of the characters.
And the account you’re trying to log into is the built in local administrator (assuming you didn’t point LAPS at a different account) using “.\administrator” to prevent it from trying to use a domain account.
Other than that I’m running out of ideas for you to try, sorry.
Yes, I'm typing the password, and I did try copy and paste.
We are not using the built-in local admin. Could that be the issue? I see documents that say you specify the local admin name in the LAPS GPO and it should work.
No worries. I appreciate your time.
Sounds like that is your problem. If you’re not using the local Administrator account, you have to specify the username of the account in the GPO.
Hello Kyle, I did specify the username of our local admin account, but that didn't help.
Please Help!
When I issued the command "Set-AdmPwdComputerSelfPermission -OrgUnit <OU where the client machines are stored>"
I get the error below…
PS C:\windows\system32> Set-AdmPwdComputerSelfPermission -OrgUnit “OU=Computers,OU=Managed,DC=domain,DC=ca”
Set-AdmPwdComputerSelfPermission : The object does not exist.
At line:1 char:1
+ Set-AdmPwdComputerSelfPermission -OrgUnit “OU=Computers,OU=Managed,DC=domain, …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AdmPwdComputerSelfPermission], DirectoryOperationException
+ FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.DelegateCom
rSelfPermission
The error is right there: “The object does not exist.” Does that OU actually exist or is that actually a folder in your AD?
Hello, I'm having an issue extending the schema; when I run the Update-AdmPwdADSchema command, this comes up:
PS C:\Users\administrator.ICT> update-admpwdadschema
update-admpwdadschema : An operation error occurred.
At line:1 char:1
+ update-admpwdadschema
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
+ FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema
I've run it as admin, checked user privileges, and registered a DLL, schmmgmt.dll, that a guy said might fix it.
Any ideas?