This post explains how to verify whether LAPS is installed and working properly using configuration items and baselines in Configuration Manager. If LAPS cannot change the password, or if it is uninstalled, alerts will appear in the Configuration Manager console.

The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information please read our LAPS series.

When working with LAPS, it is important to know whether it is actually working and really applies the password changes. Note that, at its default logging level, the LAPS client-side extension writes only errors to the local Application event log, so a successful rotation leaves no trace you could alert on centrally; that is why we check the result on the client instead.

Things we need to monitor:

  • Installation of the LAPS client-side extension .MSI
  • Applying the Group Policy settings
  • Changing the local account's password within the timeframe configured

Creating a configuration item to check LAPS health

We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.

New configuration item

In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network also has 32-bit Windows systems, you need one of the other two detection options, because the Windows Installer product code differs between the x86 and x64 MSIs; a CI keyed to the x64 product code will simply never apply to a 32-bit client.)

LAPS detection

Now that we know the application is installed, we can add settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.

Checking if GPO settings are present

Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.

LAPS Group Policy configuration item 1

Then you have to locate a machine where the registry setting is present and select the options as the screenshot below shows.

Locate the AdmPwdEnabled registry key

Now click OK. You will see this fills the previous dialog with the information needed.

This also creates the settings and the compliance rule for us. Click OK again, which brings you back to the dialog where you can create an additional rule.

LAPS password age configuration item 1

To add the PowerShell script that evaluates the password age of the LAPS-managed account, we select New.

LAPS password age configuration item 2

To check the state of the local administrator account, we use a PowerShell script that locates the account by its well-known security identifier (SID, relative ID 500) rather than by name, so a renamed built-in administrator is still found. In the script we configure how old the password may be, in days, before the system flags it as non-compliant.

# Maximum password age in days before the setting is reported as non-compliant
$Passwordage = 15
function Get-SWLocalPasswordLastSet {
    # Find the built-in administrator by its well-known RID (500), so a renamed account still matches
    $acc = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'"
    # The WinNT ADSI provider exposes PasswordAge in seconds since the last change
    $user = ([adsi]"WinNT://./$($acc.Name),user")
    $pwAge = $user.PasswordAge.Value
    return (Get-Date).AddSeconds(-$pwAge)
}
$strDate = Get-SWLocalPasswordLastSet
$strDays = (New-TimeSpan -Start $strDate -End (Get-Date)).Days
# The compliance rule below expects the value "True"
return ($strDays -le $Passwordage)

LAPS password age configuration item 3

If you target a different account, you can use the sample script below and replace "UberAdmin" with your managed account.

$Passwordage = 15
$accName = "UberAdmin"
try {
    # ',user' restricts the bind to user objects, so a group with the same name is not matched
    $pwAge = ([adsi]"WinNT://./$accName,user").PasswordAge.Value
} catch {
    $pwAge = $null   # account does not exist or cannot be read
}
# Test for $null rather than truthiness: an age of 0 seconds (password just rotated) is valid
if ($null -ne $pwAge) {
    $strDate = (Get-Date).AddSeconds(-$pwAge)
    $strDays = (New-TimeSpan -Start $strDate -End (Get-Date)).Days
    return ($strDays -le $Passwordage)
}
return $false
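The following discovery script is an added example, not code from the original post. It pulls the three monitoring points from the list at the start (installation, GPO settings, password age) into one script and, instead of the hard-coded 15 days used in the two scripts above, compares the password age against the PasswordAgeDays value the LAPS GPO itself wrote, plus a small grace period. It also counts recent error events from the AdmPwd source so a report can show why a rotation failed. Assumptions: the default install path under Program Files\LAPS\CSE, the standard policy key HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, a fallback of 30 days (the LAPS default) when PasswordAgeDays is absent, and the $GraceDays value of 2, which is my choice and not from the page.

```powershell
# Added example (not code from the original post): one discovery script covering
# installation, GPO settings and password age. Assumptions are marked below.
$GraceDays = 2   # assumption: days a rotation may run past PasswordAgeDays before we alert

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
# A 32-bit PowerShell host on x64 sees "Program Files (x86)" in $env:ProgramFiles;
# ProgramW6432 always points at the native Program Files, where the x64 CSE lives.
$ProgramFiles64 = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }
$CseDll = Join-Path $ProgramFiles64 'LAPS\CSE\AdmPwd.dll'   # assumption: default install path

function Test-LapsInstalled {
    # AdmPwd.dll is the client-side extension that actually rotates the password.
    return (Test-Path -LiteralPath $CseDll)
}

function Get-LapsPolicy {
    # Values written by the LAPS ADMX settings; a missing key means no GPO applied.
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return $null }
    $p = Get-ItemProperty -LiteralPath $PolicyKey
    $maxAge = if ($p.PasswordAgeDays) { [int]$p.PasswordAgeDays } else { 30 }  # 30 = LAPS default
    return [pscustomobject]@{
        Enabled          = ($p.AdmPwdEnabled -eq 1)
        PasswordAgeDays  = $maxAge
        AdminAccountName = $p.AdminAccountName   # $null means the built-in (RID 500) account
    }
}

function Get-ManagedAccountName([string]$ConfiguredName) {
    if ($ConfiguredName) { return $ConfiguredName }
    # Built-in administrator: match on the well-known RID, not on the (renamable) name.
    $acc = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True' AND SID LIKE '%-500'"
    return $acc.Name
}

function Get-PasswordAgeDays([string]$AccountName) {
    # WinNT ADSI reports PasswordAge in seconds; ',user' keeps a same-named group from matching.
    try {
        $ageSeconds = ([adsi]"WinNT://./$AccountName,user").PasswordAge.Value
        if ($null -eq $ageSeconds) { return $null }
        return [int][math]::Floor([double]$ageSeconds / 86400)
    } catch {
        return $null   # account does not exist or cannot be read
    }
}

function Get-LapsErrorCount([int]$Days) {
    # The CSE logs failures to the Application log under the 'AdmPwd' source (Level 2 = Error).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'AdmPwd'; Level = 2
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    return @($events).Count
}

function Test-LapsHealth {
    $installed = Test-LapsInstalled
    $policy    = Get-LapsPolicy
    $r = [ordered]@{
        Installed = $installed; PolicyPresent = [bool]$policy; Enabled = $false
        Account = $null; PasswordAgeDays = $null; MaxAgeDays = $null
        RecentErrors = 0; Compliant = $false
    }
    if ($installed -and $policy -and $policy.Enabled) {
        $r.Enabled         = $true
        $r.MaxAgeDays      = $policy.PasswordAgeDays
        $r.Account         = Get-ManagedAccountName $policy.AdminAccountName
        $r.PasswordAgeDays = Get-PasswordAgeDays $r.Account
        $r.RecentErrors    = Get-LapsErrorCount $policy.PasswordAgeDays
        # Compliant only when the password was rotated within the policy window (plus grace).
        $r.Compliant = ($null -ne $r.PasswordAgeDays) -and
                       ($r.PasswordAgeDays -le ($policy.PasswordAgeDays + $GraceDays))
    }
    return [pscustomobject]$r
}

$health = Test-LapsHealth
Write-Verbose ($health | Format-List | Out-String)
# Configuration Manager evaluates what the script writes to the pipeline,
# so emit only the verdict for an "equals True" compliance rule.
Write-Output ([string]$health.Compliant)
```

Use it as the discovery script of a Script setting with a compliance rule of "equals True", the same rule as above. Reading PasswordAgeDays from the policy key avoids the mismatch between a 30-day GPO and a 15-day script that otherwise reports every client as non-compliant. RecentErrors is collected but does not affect the verdict; include it in the final expression if a single failed rotation should already mark the client non-compliant.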

We then need to add a compliance rule to our configuration item. Select the Compliance Rules tab and click New.

LAPS password age configuration item 4

Change the settings as displayed below to set the compliance to "critical" if the PowerShell script doesn't return "True."

LAPS password age configuration item 5

Then you can click OK.

Now click Next twice, as we have already created our compliance rules. We then select the platforms on which this configuration item should run. Because the detection uses the x64 product code, you could restrict it to 64-bit systems only; in my example I keep the platform selection consistent with the product code chosen at the beginning.

LAPS password age configuration item platforms

We now have to verify whether the client settings in Configuration Manager are configured correctly so we can execute the PowerShell script.

Configuring the PowerShell execution policy

To do this, we have to verify that the PowerShell execution policy in the Configuration Manager client agent settings (under Computer Agent) is set to Bypass; otherwise the unsigned discovery script will not run and the setting is reported as an error. If your policy allows only signed scripts, sign the discovery script with a code-signing certificate the clients trust and leave the setting at All Signed instead.

Configuring PowerShell execution policy

Creating and deploying the LAPS Health baseline

If you already have a baseline that you deploy to measure other things on your clients, you could just add the configuration item we created above to that baseline or create and deploy a new one.

Select Create Configuration Baseline in the Configuration Manager console, give it a name, and select Add > Configuration Items.

LAPS Health baseline 1

Then we add the configuration item we created earlier.

LAPS Health baseline 2

Then click OK twice, and you have created your baseline.

Now we need to deploy our configuration baseline to a collection. Here we configure the alert threshold (the compliance percentage below which Configuration Manager raises an alert) and how often the clients evaluate the baseline. The 90% threshold I used in my example is probably too low for a security control like this; anything short of 100% means that machines whose local administrator password is not being rotated go unnoticed. Select the newly created configuration baseline in the admin console and click Deploy, then choose the collection to which you want to deploy it.

Deploying the baseline

Now we can sit back and wait for the clients to start evaluating our configuration baseline and report back.

12 Comments
  1. Gokulnath 6 years ago

    Thanks man! Good job. I was looking for this; it's interesting.

  2. Author

    Glad to hear that! Making sure that the clients are actually configured as we want them is, and will be, more and more important!

    Regards,
    Jörgen

  3. John Disco 6 years ago

    Another alternative is to use the discovery to pick up the last time the password was changed and create a report for anything that doesn’t adhere to the password change window.

  4. Author

    Hi, John

    That will work too. I wanted it in my "Workstation Baseline" together with all the other checks I do, like AppLocker configured and running, Credential Guard running, and BitLocker running. Then I can get alerts on any machine slipping from the security baseline settings…

    Regards,
    Jörgen

  5. DLH 6 years ago

    We are using LAPS. Great tool. Are there any issues with having the local admin password never expires box unchecked?

  6. Michael Welten 5 years ago

    Hello Jörgen,

    Did everything according to your blog, but I keep being non-compliant :(.

    Password age:

    GPO: 30 days (all default)

    Script: 15 days (as per your script)

    Any idea ?

    Thank you,

    Michael

  7. michael welten 5 years ago

    Hello Jörgen,
    Did everything according to your blog, but I keep being non-compliant :(.
    Password age:
    GPO: 30 days (all default)
    Script: 15 days (as per your script)
    Any idea ?
    Thank you,
    Michael

  8. michael welten 5 years ago

    Hi Jörgen,

    Now all good, nice and easy: warm thank you for this great tip.

    Was checking the wrong version of the MSI… Noooooooooooooo !!!

    Sorry, sorry, sorry,

    Best regards,

    Michael

  9. boopathi 5 years ago

    Hi,

    1. Is there any report available to check whether LAPS is working fine on the client workstations?
    2. Is there any method available to find the workstations where LAPS has not applied the password? Please update me.

  10. jon 5 years ago

    Great article…. I was trying to do the LAPS expiry date, and without the PWD PS module it was hard.. Your script helped.

  11. Pluton 4 years ago

    Hello

    How to deal with x32 and x64 packages?

    Regards

  12. Mark Housler 3 years ago

    Will this return a "non-compliant" result if the application isn't installed at all?  If I wanted to make a compliance item to do that, would I just do the application detection and not make any rules?

© 4sysops 2006 - 2023