LAPS (Local Admin Password Solution)

5 Jan

This has been in draft state for a while so I figured I should get round to finishing it off.

For those who aren’t quite up to speed, a while back Microsoft discovered a bit of a security vulnerability with passwords being set using Group Policy. In short, they were rather easy to decode, which was of course a problem.

If you navigate through Group Policy now, you will notice that the password boxes still exist, but are greyed out and are no longer applied.

So if like me you were setting up all machines via Group Policy, what do you do instead? Well thankfully there is LAPS (Local Admin Password Solution) which is incredibly easy to configure.

When configured, you deploy an agent to every machine that looks after changing the local admin password (you specify the name of the local admin account to manage). The agent then writes that password to the computer object in Active Directory under a newly created attribute. Each machine therefore gets its own random password (you set the complexity in GPO), which is a lot more secure than one shared password, but a bit of a PITA.

First grab a copy of the installer, you will want to install this in full on your machine to grab a copy of the Group Policy Template Files.

Copy these templates over to the central store on your domain. To do this, copy the file AdmPwd.admx from C:\Windows\PolicyDefinitions to \\mydomain.local\SYSVOL\mydomain.local\Policies\PolicyDefinitions. You will also want to copy over AdmPwd.adml from the en-us subfolder.

You can roll out the MSI to all machines using Group Policy, SCCM or Intune. I opted for Intune.

You need to extend the AD schema to include a couple of new attributes:

  • ms-MCS-AdmPwd – The password
  • ms-MCS-AdmPwdExpirationTime – Time password will next change

Assuming you are a schema admin, import the AdmPwd.PS module and then run Update-AdmPwdADSchema.

You also need to change the AD permissions so that computers can write back their new passwords, by running Set-AdmPwdComputerSelfPermission.

You can then create a GPO to configure the LAPS agent on each machine. The settings live under Computer > Policies > Admin Templates > LAPS:

  • Enable local admin password management: Enabled
  • Password Settings: Enabled
  • Complexity: Large letters, small letters & numbers
  • Length: 10 characters
  • Age: 60 days
  • Name of administrator account to manage: Enter local admin name
  • Do not allow password expiration time longer than required by policy: Enabled
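Putting the AD-side steps above together, as an added example that is not from the original post: the schema update and computer self-write permission the post describes, plus the read delegation and rights audit that the AdmPwd.PS module provides for them (Set-AdmPwdReadPasswordPermission and Find-AdmPwdExtendedRights are not mentioned in the post), followed by a check of the expiration attribute so you can spot machines that are not rotating. The OU distinguished name and the LAPS-Readers group are placeholders.

```powershell
# Added example, not code from the original post.
# Assumed placeholders: the OU below and the 'LAPS-Readers' group; replace with your own.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou          = 'OU=Workstations,DC=mydomain,DC=local'   # assumed OU holding the LAPS-managed machines
$readerGroup = 'LAPS-Readers'                            # assumed group that may read the passwords

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (needs Schema Admins).
Update-AdmPwdADSchema

# 2. Let computer objects in the OU write their own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read access explicitly. By default only Domain Admins (and SYSTEM) can read the
#    password attribute; anyone else who needs it must be granted it here.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup

# 4. Audit: principals holding "All Extended Rights" on the OU can also read the password,
#    so list them and make sure every entry is expected.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize

# 5. Health check: once the GPO has applied and the agent has run, every computer in the OU
#    should carry a future expiry timestamp. A missing or past-due one means the local admin
#    password on that machine is not being rotated.
function Get-LapsRotationStatus {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            # The attribute is a Windows FILETIME (100 ns ticks since 1601) stored as Int64.
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            [pscustomobject]@{
                Computer = $_.Name
                Expires  = $expires
                Status   = if (-not $expires) { 'NotManaged' }
                           elseif ($expires -lt (Get-Date).ToUniversalTime()) { 'Overdue' }
                           else { 'OK' }
            }
        }
}

# Show only the machines that need attention.
Get-LapsRotationStatus -SearchBase $ou | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```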

If you like, you can run the following PowerShell to get a list of all machines and the local admin password stored for each:

Import-Module ActiveDirectory
Import-Module AdmPwd.PS   # provides Get-AdmPwdPassword

# Find every computer object whose name starts with "Comp"
$computers = Get-ADComputer -Filter {Name -like 'Comp*'}

foreach ($pc in $computers) {
    # Get-AdmPwdPassword expects the computer name, not the AD object
    Get-AdmPwdPassword -ComputerName $pc.Name
}

Or you can run the Fat Client UI, but PowerShell FTW eh.
