This post explains how to verify whether LAPS is installed and working properly using configuration items and baselines in Configuration Manager. If LAPS cannot change the password, or if it is uninstalled, alerts will appear in the Configuration Manager console.

Jörgen Nilsson

Jörgen is a principal consultant at Onevinn in Sweden. His work focuses on enterprise client management and system management. He is a Microsoft Certified Trainer and a Microsoft Most Valuable Professional (MVP) in Enterprise Mobility. He also speaks at events such as Microsoft TechDays, Microsoft Management Summits, and TechEd.

The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information please read our LAPS series.

When working with LAPS, it is important to know whether it is actually working and really applying the password changes. Note that LAPS only logs failures to the local event log.

Things we need to monitor:

  • Installation of the LAPS client-side extension .MSI
  • Applying the Group Policy settings
  • Changing the local account's password within the timeframe configured

Creating a configuration item to check LAPS health

We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.

New configuration item

In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network has 32-bit Windows systems, you need one of the other two options. This is because the Windows Installer product code is not the same for the x86 and x64 clients.)

LAPS detection

Now that we know the application is installed, we can add the settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate the existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.

Checking if GPO settings are present

Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.

LAPS Group Policy configuration item 1

Then you have to locate a machine where the registry setting is present and select the options as the screenshot below shows.

Locate the AdmPwdEnabled registry key

Now click OK. You will see this fills the previous dialog with the information needed.

This also creates the settings and the compliance rule for us. Click OK again, which brings you back to the dialog where you can create an additional rule.

LAPS password age configuration item 1

To add the PowerShell script to evaluate the LAPS managed account name, we select New.

LAPS password age configuration item 2

To check the state of the local administrator account, we use a PowerShell script that locates the account by its security identifier (SID) rather than by name. In the script we configure how old, in days, the password may be before the system flags it as non-compliant.

LAPS password age configuration item 3

If you target a different account, you can use the sample script below and replace "UberAdmin" with your managed account.
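The following script is an added example (not the author's script) of the check described above: it finds the managed account by SID, compares the password age against a day limit, and prints only "True" or "False" for the compliance rule. It assumes PowerShell 5.1 or later (for Get-LocalUser), the legacy LAPS (AdmPwd) policy registry path, and a placeholder name such as "UberAdmin" for a custom managed account.

```powershell
# Added example, not the author's script. Assumes PowerShell 5.1 or later
# (Get-LocalUser) and the legacy LAPS (AdmPwd) policy registry location.
# A ConfigMgr script setting reads standard output, so the script prints only
# "True" (compliant) or "False" (non-compliant).

$MaxPasswordAgeDays = 30   # fallback when the GPO value is absent (assumed value)
$ManagedAccountName = ''   # '' = built-in Administrator (RID 500); e.g. 'UberAdmin'

# Prefer the limits the LAPS GPO wrote, so the check tracks the policy.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                           -ErrorAction SilentlyContinue
if ($policy -and $policy.PasswordAgeDays)  { $MaxPasswordAgeDays = [int]$policy.PasswordAgeDays }
if ($policy -and $policy.AdminAccountName) { $ManagedAccountName = $policy.AdminAccountName }

function Test-LapsPasswordAge {
    param([string]$Name, [int]$MaxAgeDays)

    try {
        if ([string]::IsNullOrEmpty($Name)) {
            # RID 500 identifies the built-in Administrator even when it was renamed.
            $account = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                       Select-Object -First 1
        } else {
            $account = Get-LocalUser -Name $Name -ErrorAction Stop
        }
    } catch {
        return $false   # account missing: treat as non-compliant
    }

    if ($null -eq $account -or $null -eq $account.PasswordLastSet) {
        return $false   # account not found, or password never set
    }

    $ageDays = ((Get-Date) - $account.PasswordLastSet).TotalDays
    return ($ageDays -le $MaxAgeDays)
}

# ConfigMgr compares this string with the compliance rule value "True".
if (Test-LapsPasswordAge -Name $ManagedAccountName -MaxAgeDays $MaxPasswordAgeDays) {
    Write-Output 'True'
} else {
    Write-Output 'False'
}
```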

We then need to add a compliance rule to our configuration item. Select the Compliance Rules tab and click New.

LAPS password age configuration item 4

Change the settings as displayed below to set the compliance to "critical" if the PowerShell script doesn't return "True."

LAPS password age configuration item 5

Then you can click OK.

Now click Next twice, as we have already created our compliance rules. We then select the platforms on which we want to run this. Here you could choose only 64-bit systems. In my example, I use the product code, as at the beginning.

LAPS password age configuration item platforms

We now have to verify whether the client settings in Configuration Manager are configured correctly so we can execute the PowerShell script.

Configuring the PowerShell execution policy

To do this, we have to verify that the PowerShell execution policy in the Configuration Manager client agent settings is set to Bypass.

Configuring PowerShell execution policy

Creating and deploying the LAPS Health baseline

If you already have a baseline that you deploy to measure other things on your clients, you could just add the configuration item we created above to that baseline or create and deploy a new one.

Select Create Configuration Baseline in the Configuration Manager console, give it a name, and select Add > Configuration Items.

LAPS Health baseline 1

Then we add the configuration item we created earlier.

LAPS Health baseline 2

Then click OK twice, and you have created your baseline.

Now we need to deploy our configuration baseline to a collection. Here we configure the alert percentage threshold and the frequency for evaluating the baseline. Maybe the 90% threshold I used in my example is not high enough considering we are dealing with a security setting here. Mark the newly created configuration baseline in the admin console, and select Deploy. Next you have to choose a collection to which you want to deploy the configuration baseline.

Deploying the baseline

Now we can sit back and wait for the clients to start evaluating our configuration baseline and report back.

4 Comments
  1. Gokulnath 3 months ago

    Thanks man! Good job. I am looking at this... it's interesting.
  2. Author
    Jörgen Nilsson 3 months ago

    Glad to hear that! Making sure that the clients actually are configured as we want is and will be more and more important!

    Regards,
    Jörgen

  3. John Disco 3 months ago

    Another alternative is to use the discovery to pick up the last time the password was changed and create a report for anything that doesn't adhere to the password change window.

  4. Author
    Jörgen Nilsson 3 months ago

    Hi John,

    That will work too. I wanted it in my "Workstation Baseline" together with all the other checks I do, like AppLocker configured and running, Credential Guard running, BitLocker running. Then I can get alerts on any machine slipping from the security baseline settings...

    Regards,
    Jörgen