In the second installment of our Microsoft Local Administrator Password Solution (LAPS) FAQ, I’ll cover some additional questions that I’ve been asked about the solution. Microsoft LAPS is a free solution from Microsoft that allows you to automate the randomization of the local Administrator password on your workstations and servers to mitigate Pass-the-Hash attacks.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Is there a log on the client I can use to audit password changes or troubleshoot LAPS?

By default, no. In its default configuration, LAPS only logs errors. Errors (and other events if you bump up the logging level) are logged to the Application Event Log by the AdmPwd Source.

You can enable additional logging by creating a new REG_DWORD value named ExtensionDebugLevel in the Registry in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ . Set it to 0 (the default) to log errors only, 1 to log errors and warnings, and 2 for verbose logging.

Verbose logging of LAPS AdmPwd events in the Application Event Log
Verbose logging of LAPS AdmPwd events in the Application Event Log

Is there a log in Active Directory for LAPS?

Not by default, but it is possible to audit changes to the attributes if you enable auditing in Active Directory. Just be aware that changes are logged as Event ID 4662, which is going to inundate your DC Security Event Logs with superfluous information. Just enabling this in my lab was incredibly noisy. I wouldn’t turn on auditing unless you’ve got a plan for offloading the Event Logs or you’ve got a way to analyze them. Otherwise, you may want to look into third-party AD auditing tools.

Can I audit who accesses the passwords in AD?

Yes. To enable auditing, you’ll need to use the Set-AdmPwdAuditing PowerShell cmdlet:

Enable auditing of password access in Active Directory with Set-AdmPwdAuditing

Enable auditing of password access in Active Directory with Set-AdmPwdAuditing

If a user accesses the ms-Mcs-AdmPwd attribute in AD, Event 4662 will be logged in the Domain Controllers Security Event Log. The schemaIDGUID for the ms-Mcs-AdmPwd, xxxxx, will be logged as part of the event and can be used for searching for the event in your logs. (Please note that you’ll need to look up this GUID in ADSI Edit as it will be unique to your environment.)

Viewing Event 4662 generated by user accessing a LAPS password in AD

Viewing Event 4662 generated by user accessing a LAPS password in AD

I’m currently using Group Policy Preferences (insecure CPasswords) to change the passwords, and I need to migrate to LAPS. What do I need to do to stop the Group Policy Preference from overwriting the password that LAPS now manages?

If you’re transitioning from Group Policy Preferences to LAPS, you’ll need to remove the Preference that you’ve set for modifying the local Administrator account. To do this, open your Group Policy Object and go to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Find the Administrator account, right-click it, and choose Delete.
Deleting the Group Policy Preference that uses the insecure CPassword

The date stored in the ms-Mcs-AdmPwdExpirationTime attribute is just numbers. How do I view the expiration date/time without the LAPS UI tool?

The expiration date that is stored in the ms-Mcs-AdmPwdExpirationTime attribute is stored in 100-nanosecond intervals that have elapsed since the 0 hour of January 1, 1601 GMT, until the expiration time. (I have no idea why it was engineered this way instead of just storing it as a date and time, but I’m sure there was a good reason.) You can convert it with w32tm.exe:

Convert the ms-Mcs-AdmPwdExpiration string to a date and time with w32tmConvert the ms-Mcs-AdmPwdExpirationTime string to a date and time with w32tm

You can also use the Get-AdmPwdPassword PowerShell cmdlet to view the expiration date:

View the password and password expiration with Get-AdmPwdPassword

View the password and password expiration with Get-AdmPwdPassword

How quickly after a password expires does the client change the local Administrator password?

The password that is stored in AD will be updated as soon as the next Group Policy refresh runs on the client system.

Can I specify the password that LAPS uses on the client?

No. LAPS randomizes the passwords to protect against Pass-the-Hash attacks. It also ensures that the local Administrator password is being changed regularly. Forcing a specified password to multiple clients would defeat one or more of these security protections.

Does LAPS detect if someone changes the local Administrator password?

Unfortunately, no. The LAPS Group Policy Client Side Extension only checks to see if the password expiration has passed. It doesn’t verify that the password stored in AD is the same as the current local Administrator password. If the computer is still joined to the domain, you can force a reset in the LAPS UI that will update the password in AD at the next Group Policy refresh.

Can LAPS re-apply the password that is stored in Active Directory if a user with local Admin rights changes it?

No. The LAPS Group Policy Client Side Extension only checks the expiration date that is stored in AD. If the expiration date has passed, it changes the local Administrator password and updates AD. It doesn’t check to see if the password has changed from what is stored in AD and therefore wouldn’t know if the password had changed.

How do I manage the local Administrator password with LAPS if a user with local Admin rights can change it?  

I’ve had a few people tell me that they have users who are given Administrator rights and either (1) change the password for the local Administrator password without permission from IT or (2) have a business need to change the password.

If an employee has Admin rights and is changing the password without permission, that would typically be handled as a policy through an HR process in most organizations where I’ve worked. The organization would have some form of a policy for users with Administrator rights outlining what the user is and isn’t allowed to do with Admin rights. If IT determined that the employee was violating policy, the HR process would take over to notify managers, council employees, etc. so that the violation would, I hope, stop.

Some organizations may not be as willing to deal with an issue through HR and would leave it up to IT to solve the problem. In this situation, the best solution would be to take Admin rights away from the user. But, that’s not always feasible. Option #2 in this case would be to apply a separate policy to this user’s computer that lowers the threshold for Administrator password changes to 1 day. Maybe this would deter the user. If not, it still ensures that the user’s custom password doesn’t stay that way for long.

If the user does have permission to change the password, you may want to consider using a secondary Admin account with a different name for the IT department. This allows the user to continue to manage the local Administrator while giving IT the “back door” to the system if necessary. Otherwise, you may need a third-party solution.

My Security/Information Security/CyberSecurity department is concerned that, if our AD database (NTDS.dit) gets stolen, the attacker will have access to all of the local Administrator passwords on our network stored in plain text. With that information, an attacker could easily take control of computers on our network.  How do I address that concern?

The NTDS.dit contains all of the data in Active Directory: computer names, user accounts, password hashes, etc.  If you implement LAPS, this file will also contain the plain text passwords for the local Administrator accounts for all of the computers and servers managed by LAPS.  Yes, an attacker would have access to all of your local Administrator passwords in plain text should NTDS.dit file be compromised.

The most damaging thing stored in the NTDS.dit file is the password hashes for all of your user accounts, including Domain Administrators and the krbtgt account.  If you had not implemented LAPS, the attacker would not have the passwords for your computers’ local Administrator accounts, but he would still have more than enough information to wreak havoc on your network.  Hashes do secure the password to some level, but a determined attacker can use tools to crack or brute force the hashes into plain text passwords.  Even if you have a password policy that requires longer passwords (that are harder to crack), the attacker can still use the hashes to perform Pass-the-Hash attacks across the network and compromise user accounts and computers.

An attacker that steals the NTDS.dit really doesn’t need your computers’ local Administrator account passwords.  Password hashes for Domain Administrators are far more valuable since they can be used to compromise accounts and computers en masse.

We have reason to believe that the local Administrator password on several machines has been compromised. How do we force all of these systems to update the local Admin password?  

You can use the Reset-AdmPwdPassword PowerShell cmdlet in conjunction with Get-ADComputer to reset the local Administrator password for all the computers in an OU:

Resetting the Administrator password on all the computers in an OU
Resetting the Administrator password on all the computers in an OU

The password for the local Administrator account has been changed and/or the password stored in Active Directory is wrong. How do I access the local Admin account on the computer?

There are two things you can do. Your first option is to force a reset of the password and then force a Group Policy refresh on the system. This assumes that you still have a logon that works on the system. If you can log in to the console, you should be able to run the Group Policy refresh.

If you can’t log in to the system, your other option is to use something like DaRT (Diagnostic and Recovery Toolkit) to boot the system to external media and reset the local Admin password with the included utility.

How can I dump the passwords for several computers at once?

You can use the Get-AdmPwdPassword PowerShell cmdlet in conjunction with Get-ADComputer to view the local Administrator password for all the computers in an OU:

View the passwords for all systems in an OU with Get-AdmPwdPassword

View the passwords for all systems in an OU with Get-AdmPwdPassword

I have a management requirement that the local Administrator passwords cannot be too complex. How do I implement LAPS?

First off, this is a pretty serious security concern. The local Administrator account should only be needed in extreme cases where the system can’t be accessed by an AD account where the AD trust has been broken, the system won’t get on the network, etc. In most cases, the Help Desk or workstation Admins shouldn’t be using local accounts on these computers. Additionally, the password can easily be written down or screenshotted if needed. Once the password has been used, force a reset. Your management needs to be made aware that this is a huge security risk for your network.

That being said, there are a couple of options. Option 1 is to use a third-party password management solution. A third-party solution is more likely to give you the granular password control your environment requires. Option 2 is to relax the Password Complexity that LAPS uses. You can configure LAPS to use the “Large letters” option so workstation admins would only need to use uppercase letters.

Win the monthly 4sysops member prize for IT pros

0
Share
32 Comments
  1. MingN 4 years ago

    Hi,

    I exported the \{D76B9641-3288-4f75-942D-087DE603E3EA} key and it comes with this values:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}]
    @="AdmPwd"
    "DllName"="C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
    "NoUserPolicy"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "ExtensionDebugLevel"=dword:00000002

    to push out the ExtensionDebugLevel key to all computers via SCCM, do I have to remove the these values?

    "DllName"="C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
    "NoUserPolicy"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicy"

    and left with only in the .reg file?

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}]
    @="AdmPwd"

    "ExtensionDebugLevel"=dword:00000002

     

    Cheers

    0

  2. MingN 4 years ago

    Hi,

    Following up the above, should LAPS use the C:\Windows or the C:\Windows\SysWOW64 regedit?

    This particular test computer is x64.

    However, when run regedit.exe from RUN, it is referring to regedit in C:\Windows instead of the \sysWow64.

    Cheers

    0

    • Author
      Kyle Beckman 4 years ago

      Unless you've got a good reason to use the one in SysWOW64, I'm fairly certain you should be using the one in C:\Windows.

      0

  3. mingN 4 years ago

    The LAPS password Age is set to 30 days.

    However, when check the password expiration date using LAPS UI or ADUC or Powershell - the password expires/ExpirationTimestamp is showing the last time the Local Administration password was changed.

    Should the Password expires/Expirationtimestamp show the date/time of Local Administrator Password that had expired (and had been changed) or should it be showing the Next date/time that the password is going to be changed?

    Thanks

     

    0

    • Author
      Kyle Beckman 4 years ago

      Yes... it's a bit confusing... The expiration date tells the client when it should update its password. If that date has passed, the client will update the local Administrator password. The date is only used by the client to determine if it needs to change the local password. If that date has passed, the client hasn't checked in with AD to update its password and the password shown in AD is still the password in use on the box.

      0

  4. Ming 4 years ago

    Before configure AD permission on the Parents-OU, which contains many sub-OU such as the Users account, Contacts, Groups OUs, as well as Computer OU (which contains all computers).

    By setting AD permission for 1. adding machine rights, and 2, granting read/force admin rights on the Parent-OU level, will it bring any impact to the Users, Groups, contacts objects? Will granting this rights affect the user, group, contact objects in anyway?

    Thanks

    0

    • Author
      Kyle Beckman 4 years ago

      Not that I'm aware of, but I would still encourage you to test it in a non-production environment to make sure that the permission changes work for you in your setup.

      0

  5. Ming 4 years ago

    Following up above question, there are also user mailboxes in the sub-OU. By applying 1. adding machine rights, and 2, granting read/force admin rights on the Parent-OU --- what impact to these other objects?

    Noticed that in user / mailbox object, group object etc -- the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attribute permission are inherited from the parents. (has the read & write check box ticked).

    Is this a concern?

    OR do we meant to apply 1. machine rights and 2. admin rights on the computer sub-OU only?

    The OU structure are as below and there are more than 10 Departments (with their own sub-OUs)  under the Parent OU.

    -Business (Parent OU)

    -- Department (Sub OU)

    --- Computer OU

    --- User OU -- with mailboxes

    --- Group OU

    ---Contact OU

     

    Cheers

    0

    • Author
      Kyle Beckman 4 years ago

      I'm not understanding why you want to apply the permissions to the top-level OU. Why not just apply it to the Computer OU? That's what you really should be doing.

      1+

      • Jay 9 months ago

        I have a question regarding this.  I have a top level Domain Computers that LAPS is setup on.  Now I'd like to have some sub ous for different businesses we own that exist on the domain and organize their computers there.  Will LAPS push down through these sub ous without my intervention or do I need to do something?

        0

  6. krishnakar 3 years ago

    How do I come to know the information about the user, who accesses the password attribute, along with computer/workstation name, for which the user tries?

    0

    • Author
      Kyle Beckman 3 years ago

      That's addressed in the question, "Can I audit who accesses the passwords in AD?" in this article.

      0

      • Krishnakar 3 years ago

        Thanks for the reply, I tried that but I could see the huge no of 4662 Events which are triggered for other "Object Types" and "Object Access" as well. Here my main concern is whoever try to access the LAPS password attribute, that should only be triggered with User and Computer info. Please share the screen shots if possible.

         

        0

        • Author
          Kyle Beckman 3 years ago

          You're just going to have to search them... As I originally wrote in the article, "changes are logged as Event ID 4662, which is going to inundate your DC Security Event Logs with superfluous information."

          0

  7. Devin Keenan 3 years ago

    We are looking at implementing LAPS in our environment, but we want to manage a different account on Servers and Workstations.  Can this be done?  Would it simply be a separate GPO linked to the Member Servers OU and one linked to the Workstation OU?

    0

  8. NesGold 3 years ago

    From understanding, the AD permission (SELF rights, Admin rights) should only be configured on the OU that contains computers.

    However, is it OK to has the LAPS group policy sitting on the parent's OU and inherited down to all sub-OUs?

    > Parents OU

    >> Computers OU

    >> Users  OU

    >> Groups OU

    Will the LAP GPO has any impact on Users/Groups objects?

    thank you

    0

  9. Shyam 3 years ago

    We have 15 days password expiration policy If a computer is outside of the network   For a 1 month . And no connectivity of dc

    Now user call me from remote location he wants local admin password.

    Then what password would be

     

    the same that was whem system was connected to domain

    or it has changed the pass after 15 days

    0

  10. Wijnand 3 years ago

    Kyle,

    I have a question about a backup / snapshot scenario together with the use of  LAPS. For example, two days before password expiration date I take a snapshot of a server configured with LAPS. Two days later, the machine sets a new password. 1 day later I need to set the state of the machine back with the snapshot taken earlier. The machine has the old password, AD has the new one. How can I logon to this machine as local admin?

    0

  11. Drew Barnes 3 years ago

    As a follow-up, for mixed environments, there is a project on Github to bring this functionality to Macs: https://github.com/joshua-d-miller/macOSLAPS

    0

  12. Muhannad 3 years ago

    Hi

    The last week I confgruation Tools LAPS , Before I finish I do enable local administrator .

    Now I can't access the server , because show me incorrect username or password ( the Domain User )

    abd I don't know what username and password for local user

    ( Administrator)

    can me help please ?

    0

  13. Simon Sinclair 3 years ago

    Good morning. Excellent article. Is there a way that once an administrator password has been used LAPS will automatically change it, so the same password cannot be used again in quick succession?

    0

  14. Ren 3 years ago

    Hello Kyle,

    I have LAPS setup in our environment. We have a custom Admin. Built-in local admin is disabled and part of our Image.

    LAPS CSE is installed on a client machine. GPO applied and password shows in ADUC.

    After a couple of days figuring out, I found out that the built-in local administrator (which is currently disable - Named "Administrator") is getting the password. Because, when i enable the built-in local admin and uses the randon password that LAPS generated in ADUC, it allows me to login with that password.

    Please note: i specify the local admin account username in GPO.

    Please Help!

    0

  15. Mike 2 years ago

    Hello Kyle,

    Great series!  I do have a question though.

    What is a secure configuration in the situation where there are multiple domain controllers for a single domain?  Is it best only on a single domain controller, all domain controllers or something else?

    Thank you.

    Best regards,

    Mike

    0

  16. Sharan 2 years ago

    HI

    I am doing some experiment on MS LAPS on my test DCs, I have confusion BTW 2 different DCs, can someone help me on this? Below are the details.

    I have created 2 different DCs in my LAB, one is ABC.local & XYZ.local and both the DC’s has one-way trust.

    1) I have installed LAPS on the ABC.local domain and configured the GPO as well, No 5 client machines are a member of this domain and all are configured and working well.

    2) I have configured In the same way XYZ.local domain also, in the DC also 5 machines added.

    When I run the command “Get-AdmPwdPassword -ComputerName” on “ABC.local” DC to get the administrator password of client machine I can able to get it. And when I run the same command on the same ABD.local DC to get the password of other domain “XYZ.local” domain machines, i am not getting.

    What would be the problem?

    Sorry if there any typo.

    0

  17. KrasseChecker 2 years ago

    You wrote that you do not know, why time information for the attribute "ms-Mcs-AdmPwdExpirationTime" is stored in so called "System Time". The reason why all Active Directory time information are stored that way is, because it is more accurate than date/time, since it has capability to save time more precisly. Within this information there are seven digits after the comma of every second and if you use Kerberos like AD, precise time is a must for security reason.

    0

  18. DB 1 year ago

    This is a great FAQ.  One issue we have with LAPS is that if a laptop is exclusively on our WiFi, the ms-Mcs-AdmPwd attribute does not get populated and as a result the password never gets managed.  Run gpresult /r and the LAPS GPO says applied.  Once we connect the laptop on Ethernet, it all begins working.  Our WiFi is MSChap PEAP.  Any thoughts?  Thanks!

    0

  19. Zman 1 year ago

    We are a small division of a larger company that controls the AD infrastructure. If LAPS is enabled, do we need "Domain Admin" permissions to be able to use/manage our OU? Can this be delegated?

    Thanks

     

    0

  20. edward wilhelm 8 months ago

    Does LAPs affect the GINA at all? I don't believe so but we utilize ManageEngine's ADSelfService and I brought up LAPS to my boss about securing our local admin passwords. He asked if it touches/affects the GINA at all since that would interfere with ManageEngine's stuff.

    From other research, and what I read from your FAQ, it does not appear it bothers with GINA as the password is changed locally by the group policy client side extension only if AD says the password expires. Is this correct? I just wanted to double check.

    0

  21. Kev 5 months ago

    My question pertains to password confusion (ambiguity) rather than password complexity.  Is there any way to block or prohibit specific characters from being used by the random password generator?  Because it is so easy to misread certain characters in certain fonts, I'd like to ensure that lower case "L" (l) not be used since it so easily confused with the digit 1.  Similarly, I would remove upper case "O" so as to not be confused with the digit 0.  Lower case "I" (i) would be another character I'd like to eliminate.  So...can specific [selected] characters/numbers be barred from use by the random password generator?  Thanks for your thoughtful reply.  🙂

    1+

  22. Cris 4 months ago

    hi

    I try to install laps in my server, but I have a problem 

     

    first I, import-Module Admpwd.Ps

    Second, when i do the next: Give permissions 

     

    Set-AdmPwdComputerSelfPermission : A positional parameter cannot be found that accepts argument 
    At line:1 char:1
    + Set-AdmPwdComputerSelfPermission -OrgUnit Servidores 
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Set-AdmPwdComputerSelfPermission], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,AdmPwd.PS.DelegateComputerSelfPermission

    0

  23. Syed Atif Masroor 4 months ago

    What if LAPS server goes down? Whats the impact?

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account