The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information please read our LAPS series.
When working with LAPS, it is important to know if it is actually working and really applies the password changes. Note that LAPS only logs failures to the local event log.
Things we need to monitor:
- Installation of the LAPS client-side extension .MSI
- Applying the Group Policy settings
- Changing the local account's password within the timeframe configured
Creating a configuration item to check LAPS health ^
We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.
New configuration item
In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network has 32-bit Windows systems, you need one of the other two options. This is because the Windows Installer product code is not the same for the x86 and x64 clients.)
LAPS detection
Now that we know the application is installed, we can add settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.
Checking if GPO settings are present
Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.
LAPS Group Policy configuration item 1
Then you have to locate a machine where the registry setting is present and select the options as the screenshot below shows.
Locate the AdmPwdEnabled registry key
Now click OK. You will see this fills the previous dialog with the information needed.
This also creates the settings and the compliance rule for us. Click OK again, which brings you back to the dialog where you can create an additional rule.
LAPS password age configuration item 1
To add the PowerShell script to evaluate the LAPS managed account name, we select New.
LAPS password age configuration item 2
To check the state of the local administrator account, we use a PowerShell script with the security identifier (SID) of the local administrator account. We configure in the script how old the password can be in days before the system should flag it as non-compliant.
$Passwordage = 15
function Get-SWLocalPasswordLastSet {
$acc = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'"
$user = ([adsi]"WinNT://./$($acc.Name),user")
$pwAge = $user.PasswordAge.Value
return (Get-Date).AddSeconds(-$pwAge)
}
$strDate=get-SWLocalPasswordLastSet
$StrDays= (New-TimeSpan $StrDate $(Get-Date)).Days
Return ($StrDays -le $Passwordage)
LAPS password age configuration item 3
If you target a different account, you can use the sample script below and replace "UberAdmin" with your managed account.
$Passwordage = 15
$accName = "UberAdmin"
If ($Pwage = ([adsi]"WinNT://./$accName").PasswordAge.value) {
$strDate=(Get-Date).AddSeconds(-$pwAge)
$StrDays= (New-TimeSpan $StrDate $(Get-Date)).Days
return ($StrDays -le $Passwordage)
}
return $falseWe then need to add a compliance rule to our configuration item. Select the Compliance Rules tab and click New.
LAPS password age configuration item 4
Change the settings as displayed below to set the compliance to "critical" if the PowerShell script doesn't return "True."
LAPS password age configuration item 5
Then you can click OK.
Now click Next twice, as we already have created our compliance rules. We then select the platforms where we want to run this. Here you could choose only 64-bit systems. In my example, I use the product code like in the beginning.
LAPS password age configuration item platforms
We now have to verify whether the client settings in Configuration Manager are configured correctly so we can execute the PowerShell script.
Configuring the PowerShell execution policy ^
To do this, we have to verify that the PowerShell execution policy in the Configuration Manager client agent settings is set to Bypass.
Configuring PowerShell execution policy
Creating and deploying the LAPS Health baseline ^
If you already have a baseline that you deploy to measure other things on your clients, you could just add the configuration item we created above to that baseline or create and deploy a new one.
Select Create Configuration Baseline in the Configuration Manager console, give it a name, and select Add > Configuration Items.
LAPS Health baseline 1
Then we add the configuration item we created earlier.
LAPS Health baseline 2
Then click OK twice, and you have created your baseline.
Now we need to deploy our configuration baseline to a collection. Here we configure the alert percentage threshold and the frequency for evaluating the baseline. Maybe the 90% threshold I used in my example is not high enough considering we are dealing with a security setting here. Mark the newly created configuration baseline in the admin console, and select Deploy. Next you have to choose a collection to which you want to deploy the configuration baseline.
Subscribe to 4sysops newsletter!
Deploying the baseline
Now we can sit back and wait for the clients to start evaluating our configuration baseline and report back.
Thanks man! Good job. I am looking this.. it's interesting.
4 years ago
Glad to hear that! Making sure that the clients actually are configured as we want is and will be more and more important!
Regards,
Jörgen
Another alternative is to use the discovery to pick up the last time the password was changed and create a report for anything that doesn't adhere to the password change window.
4 years ago
Hi, John
That will work to, I wanted it in my "Workstaton Baseline" together with all the other checks I do like, Applocker configured and running, Credential Guard running, Bitlocker running. Then I can get alerts on any machine slipping from the security baseline settings...
Regards,
Jörgen
We are using LAPS. Great tool. Are there any issues with having the local admin password never expires box unchecked?
Hello Jörgen,
Did everything according to your Blog, but I keep beeing non-compliant :(.
Password age:
GPO: 30 days (all default)
Script: 15 days (as per your script)
Any idea ?
Thank you,
Michael
Hello Jörgen,
Did everything according to your Blog, but I keep beeing non-compliant :(.
Password age:
GPO: 30 days (all default)
Script: 15 days (as per your script)
Any idea ?
Thank you,
Michael
Hi Jörgen,
Now all good, nice and easy: warm thank you for this great tip.
Was checking wrong version of the MSI... Noooooooooooooo !!!
Sorry, sorry, sorry,
Best regards,
Michael
Hi,
Great article.... I was trying to do LAPS expiry date and without PWD PS Module it was hard.. Your script helped
Hello
How to deal with x32 and x64 package ?
Regards
Will this return a "non-compliant" result if the application isn't installed at all? If I wanted to make a compliance item to do that, would I just do the application detection and not make any rules?