- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)
No, LAPS does not require an agent. For LAPS to function on workstations and servers, a Group Policy Client Side Extension (CSE) will need to be installed. The Group Policy CSE is not an agent. Typically, an agent is a service that runs at system startup and continues to run in the background to provide telemetry or some other data back to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus monitoring platform. The CSE only runs at Group Policy refresh cycles.
Local Administrator Password Solution Setup - Manual install of Group Policy CSE
Can I use LAPS without installing the Active Directory schema changes?
No, you cannot use LAPS without installing the AD schema changes. The schema update adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that LAPS requires.
Does LAPS require an additional infrastructure such as additional application servers or SQL?
No. LAPS requires two additions to your AD schema. LAPS also requires that an additional Group Policy Client Side Extension (CSE) be installed on all of the managed computers. You will not need to run an additional application server or SQL server to use LAPS.
Is storing the Administrator password in AD in plain text secure?
The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.
If the passwords are stored in AD, can’t anyone with AD access view them?
No, only users with adequate permissions can view the stored passwords. You can use the Find-AdmPwdExtendedRights PowerShell cmdlet to view which groups and users can view the stored passwords. You can use the Set-AdmPwdReadPasswordPermission PowerShell cmdlet to give groups and/or users access to view the passwords.
Find-AdmPwdExtendedRights output example
Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?
Access to the ms-Mcs-AdmPwd attribute is controlled with a user’s regular AD credentials. You would need to implement 2FA for all user logons that have access to that data in AD. You won’t be able to require 2FA for just accessing that attribute without implementing some kind of custom solution.
What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?
If a user with adequate rights to view the ms-Mcs-AdmPwd attribute is compromised, that account could be used to pull all of the local Administrator passwords from your domain (or subset of computers if the user account can only view Administrator passwords for specific OUs in the domain). Typically, this kind of account would already have had enough rights to reset the password remotely on any of those computers or wreak other havoc with the delegated privileged access.
The upside of having LAPS in place is that you can now force a password reset on all systems that could have a compromised Admin password and then see in AD if they’ve updated.
Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?
You can manage either the default Administrator account (including if the account has been renamed) or a secondary local Administrator account that you’ve created, but not both.
What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)
The password that is stored in AD is the computer’s current password—even if the password should have expired. In this situation, the computer’s Group Policy Client Side Extension (running in the Local SYSTEM context) would be unable to check the expiration date stored in AD. When that happens, the password change process would stop. You would need to re-establish the computer’s AD trust before the local Administrator password changes again.
Can LAPS manage the local Administrator passwords on non–domain-joined machines?
No. Computers must be domain-joined to be managed by LAPS.
Can LAPS change the stored password for a service if it is using the local Administrator account?
No. LAPS will only update the local Administrator password. It will not update the service to use the new password.
Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?
Microsoft LAPS is designed to randomize passwords of the local Administrator (or a custom Administrator account) for domain-joined systems without the need to implement additional infrastructure. This gives organizations a way to randomize those local passwords to prevent large numbers of computers from being vulnerable to Pass-the-Hash attacks or from being compromised if that password becomes known. Yes, much more elaborate solutions exist if you’re willing to pay for them and take the effort to implement additional infrastructure.
What if my question isn’t listed here?
Feel free to ask your question in the comments section below!
Want to write for 4sysops? We are looking for new authors.
I have set the audit for accounts, I have set the ExtensionDebugLevel to a 2 and I still dont see the entries on the event log. What else should I be looking at to make sure I get them?
Can you explain the setting “Do not allow password expiration time longer than required by policy” ?
Today we have set the password age to 30 Days. What will happen if that settings is enabled, and the computer is offline for 31 Days ?
If the computer is offline, then a password reset will not take place.
However, when the computer comes back online and checks for the password expiration, it will reset and update in Active Directory.
I have one PC that LAPS is not working. The software is loaded and the GPOs are being applied. When Iput the PC name in the LAPS UI it come back with a password, however, that password does not work. The password that DOES work is the original password that was set before LAPS was installed.
I have Six Number of Active Directory Installed on 6 location. All are in Write Mode. I am going to install LAPS on my Root Domain controller. what will happen if my root domain controller gets failed. My question is does Laps attribute will be replicated to all domain controller or it will reside only to Root domain controller. How can i retrieve users endpoints password if my root domain controller gets failed.
please help me on this?
Is this Solution automatically manages the .500 (local administrator) password on domain joined computers, because I have around 10,000 computer of domain joined computer so it will work on it or not plz tell me
Not sure if these questions has been answer;
Can LAPS be delay to the first Domain log on.
Can LAPS be delay to the first Domain log on
I need help on one item. In my company we are usig LAPS and very limited people have access to clear test passwords.
Is it possible to enforce 2FA only for those users so that access to clear text password can be secured.
Anyone experiencing issues with Windows 2019 servers not being able to update the password? I'm running a Windows 2016 DC domain.
Updated the Self access but still no updates.
If a user is provided with the local Admin password, can't they then simply add their own user to the local Admin group so their regular user ID is now a local Admin on the PC?
What happens if AD gets compromised and the domain is no longer available? Does LAPS provide an offline capability? The whole point of having local accounts is to have a back door when your domain is not available.
I am wanting to use LAPS at the company I work at, however I have been told very clearly that the team that manages clients should NOT be able to manage the servers from a LAPS perspective. They should ONLY be able to manage clients. What I'd prefer is:-
Team who manages clients = Only able to manage LAPS from a client perspective and not able to touch the servers.
Team who manages servers = Be able to manage both clients AND servers.
Is there a specific way to do this by creating like 2 security groups, one LAPS- Client Management & the other called LAPS – Servers & Client Management.
What exactly do you mean by "manage from LAPS perspective"?
If you read the full series, you will find out there is not so much you can configure with LAPS. You simply deploy it and then create a GPO that you link to wherever you like to apply specific password complexity rules. These can be different for your servers and computers. GPO can be managed by whoever has the permissions to do so.
If your question is "who can see LAPS password" then you can achieve so by Powershell commands Find-AdmPwdExtendedRights and Set-AdmPwdExtendedRights where you can define that members of client management group can only get passwords for Client OU and vice versa.
We are using LAPS to manage local admin password on workstations in AD environment. The local user administrator is changed in admin_local.
We face the following issue – if the computer is restarted in Safe Mode with NW (without AD connectivity), the username admin_local and LAPS password are not valid. Is it possible to have an old password stored locally?
How can we log on in safe mode with administrator credentials?
Hello. We use a tool ADAxes to configure the security on OUs. This tool uses powershell to modify rights and can use PowerShell cmdlets as needed. This tool exists in a different forest from the forest where the computers/OUs are located.
The AdmPwd,PS cmdlets to set security does not seem to function with the target in a different forest (there is a forest-level trust between the two).
Is there a work-around? For simplicity, we prefer to use the cmdlets to modify our 200 OUs rather than translate the security into pure PowerShell commands to modify ACLs.
Is there a way to display let's say a history of 5 previous passwords in the LAPS UI GUI. In a disaster recovery scenario, restoring machines off the network and needing access after a password change cycle has taken place, the current local password will not work.
The password is a single attribute. There is no history you could check.
The password change is initiated by the client computer, if there is no connection to AD, it cant check the expiration date and the change should stop.
The last resort option is to reset the local admin password with standard tricks like stickykeys etc.
Can the LAPS be configured to only 10 servers beneath OU which have more than 100 server in same OU?
Read this post here https://4sysops.com/archives/how-to-install-and-configure-microsoft-laps/
You need a GPO to apply the LAPS component to the servers. So if the GPO will only target your 10 machines, for example by security group filtering, you should be all good.
Alternatively you can create a sub OU for your LAPS servers.
How can I get the LAPS password if the machine was accidently deleted from active directory.
You can find password on computer object property, if computer object itself is deleted you cannot get the password. Alternatively if recycle bin is enabled on your AD then you can restore the object and get the password.
How can we roll back out LAPS changes
Can I reset a password to be a specific string instead of the randomized characters that LAPS normally pushes through?