Microsoft LAPS is a solution for centrally managing the passwords of local administrator accounts in an Active Directory domain. It ships with a native Windows GUI for retrieving LAPS-controlled passwords. The free LAPS WebUI, however, lets you retrieve those passwords from any browser without installing software on the admin's machine.

Why LAPS is important

Admins commonly use the same local administrator password across Windows machines, which makes these accounts easy targets for an attacker. Microsoft LAPS automates configuring and rotating local administrator passwords, helping strengthen password security.

Built-in LAPS UI requires an admin workstation

The Microsoft LAPS solution has a built-in UI for retrieving the passwords of local administrator accounts managed with LAPS. However, it is an installed application that requires an admin workstation. When you launch the LAPS installer, it lets you install the management tools, including the fat client UI.

Installing the management utilities including the client

Once the LAPS UI is installed, you can query a specific workstation to view the current LAPS-controlled password.

The built-in LAPS user interface for retrieving LAPS passwords

LAPS WebUI

LAPS WebUI is an open source project that enables viewing LAPS passwords from a web interface. It can easily be provisioned using a Docker container.

Prerequisites

There are a few prerequisites for LAPS WebUI, including the following:

  • Active Directory with Microsoft LAPS installed
  • An operating system supporting .NET Core 6.0 (Ubuntu/Debian/CentOS/Alpine Linux/Windows/macOS) or a Docker host

Installing LAPS WebUI using Docker

The Docker host installation method is the quickest way to get LAPS WebUI running. You can configure and run it with a single docker run command. You will need the address of an Active Directory domain controller and the LDAP port: 389 for an unencrypted connection or 636 for LDAPS (LDAP over SSL/TLS). If you use port 636, set LDAP__UseSSL=true.

If the external port (the left-hand value of -p) conflicts with another container, you can change it to any free port. Leave the internal port 8080 (the right-hand value) unchanged.

docker run -d \
  --name=lapswebui \
  -e LDAP__Server=dctest1.neptune.local \
  -e LDAP__Port=389 \
  -e LDAP__UseSSL=false \
  -e LDAP__SearchBase=DC=neptune,DC=local \
  -p 8080:8080 \
  --restart unless-stopped \
  ghcr.io/seji64/laps-webui:1.4.1

Pulling the LAPS WebUI Docker container

After pulling the container, you can verify that it is running correctly using the docker ps command.

Verifying the Docker container for LAPS WebUI

If you don't want to use a Docker container, you can perform a bare-metal setup on Linux, Windows, or macOS. Download the latest installation here.

LAPS WebUI interface

After you have installed LAPS WebUI, browse to the web URL of your Docker container or bare-metal installation. You will need to log in as an Active Directory user who holds the extended rights to read the LAPS password attribute on the OU containing the LAPS-controlled workstations.

To find out which principals hold these permissions, run these PowerShell cmdlets from the LAPS management tools:

# The LAPS management tools install the AdmPwd.PS module
Import-Module AdmPwd.PS
# List the principals holding the extended right to read LAPS passwords on the OU
Find-AdmPwdExtendedRights -Identity "<your OU>" | ft

In this example, the Domain Admins group has permissions to view LAPS passwords for the OU.
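Because the account used to log in to the WebUI must hold this extended right, it is worth auditing who has it and delegating it to a dedicated group rather than logging in as a Domain Admin. The following script is an added example, not part of the article or the LAPS WebUI project; the OU name, the group name LAPS-Password-Readers and the expected-holder list are placeholders you must adapt.

```powershell
# Added example (not from the article): audit the principals that can read
# LAPS passwords under an OU and delegate that right to a dedicated group.
# Assumes the AdmPwd.PS module (LAPS management tools) is installed and that
# the caller has rights to modify the OU's ACL.
Import-Module AdmPwd.PS

# Placeholder values: adapt to your domain
$Ou       = "OU=Workstations,DC=neptune,DC=local"
$Group    = "LAPS-Password-Readers"   # hypothetical dedicated reader group
$Expected = @(                        # constructed allowlist of holders
    "NT AUTHORITY\SYSTEM",
    "NEPTUNE\Domain Admins",
    "NEPTUNE\$Group"
)

# Find-AdmPwdExtendedRights returns one object per OU with the properties
# ObjectDN and ExtendedRightHolders (an array of DOMAIN\Name strings).
$unexpected = @()
foreach ($entry in Find-AdmPwdExtendedRights -Identity $Ou) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($Expected -notcontains $holder) {
            $unexpected += [pscustomobject]@{
                OU     = $entry.ObjectDN
                Holder = $holder
            }
        }
    }
}

if ($unexpected.Count -gt 0) {
    Write-Warning "Principals with LAPS read rights that are not on the expected list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only expected principals can read LAPS passwords under $Ou"
}

# Grant the dedicated group the right to read LAPS passwords on the OU so
# that WebUI users can be members of this group instead of Domain Admins.
# The cmdlet only adds an ACE; it does not remove existing holders.
Set-AdmPwdReadPasswordPermission -OrgUnit $Ou -AllowedPrincipals $Group
```

Run the audit part on a schedule to detect unexpected additions to the OU's ACL, since anyone holding this right can retrieve every LAPS password beneath the OU.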

Find extended permissions to view LAPS passwords

Log in with a user who has permission to view the LAPS passwords. As a security note, the Docker implementation of LAPS WebUI does not serve the web interface over HTTPS. Therefore, you will want to place a reverse proxy like Traefik in front of the solution so that browser traffic is encrypted; otherwise, both your login credentials and the retrieved passwords are sent in clear text.

For a classic installation, you can, of course, configure the web server to serve the app over HTTPS.

Browse to the LAPS WebUI interface

After logging in, you can search for the LAPS-controlled workstation and view the password.

Viewing a LAPS password for a workstation using the LAPS WebUI

Wrapping up

LAPS is a recommended tool for securing local passwords in a Windows environment. The LAPS WebUI project provides an easy way to access LAPS passwords using a web browser. Otherwise, they are accessible only using the legacy application packaged with LAPS.

The free and open-source project LAPS WebUI allows quick installation of a web interface using either Docker or a bare-metal installation. As mentioned, admins must ensure that the browser connection is secured to the LAPS WebUI interface to avoid sending credentials in clear text.

2 Comments
  1. Nutczak 7 months ago

    Not super stoked that you chose to demonstrate the solution without using LDAP over TLS.
    I know it’s not super simple, but you really should show how to add the AD PKI Certificate Authority certificates and connect to the DC in a more secure manner. You are accessing passwords after all…

  2. Michael 7 months ago

    Isn’t Windows LAPS replacing Microsoft LAPS? So won’t this be deprecated soon? Even Microsoft is recommending you migrate to Windows LAPS
