LAPS – Securing Local Administrator Accounts

LAPS (Local Administrator Password Solution) is a free solution provided by Microsoft that allows the security of workstations.

LAPS allows for each computer in OR to randomly generate a password for the local Administrator account and store it in an Active Directory attribute (ms-Mcs-AdmPwd). It ‘relies on the SID of the account which is structured in the same way on any post, which makes it possible to apply LAPS to any language of Windows or even to rename the administrator account.

It is also possible to configure a password expiration date (ms-Mcs-AdmPwdExpirationTime), which will force a new password for the Local Administrator account.

LAPS is in the form of “client / server”, it requires the installation of a part on the server (s) domain controller and the registration of a DLL on the client computers.

Prerequisites

  • Minimum server: Windows 2003 SP1.
  • Minimum post: Windows 8.1.

If you are in an environment with multiple domain controllers, you must install the group policy definition on all servers or use a central store. In the second case, the files (% WINDIR% \ PolicyDefinitions \ AdmPwd.admx and% WINDIR% \ PolicyDefinitions \ en-US \ AdmPwd.adml) must be copied after installation to the central store.

Installing LAPS on the domain controller

On a domain controller, run the download file.

LAPS.XYY.msi

When launching the installation wizard, click Next 1 .

Wizard install

Check the box to accept the 1 license agreement and click Next 2 .

Accept license

Install all components 1 then click Next 2 .

Full setup

Click on Install 1 .

Start install LAPS

Once the installation is complete, close the wizard by clicking Finish 1 .

LAPS installed

Now that LAPS is installed on a domain controller, we will see how to install it on the client computers.

Installing the LAPS client

To deploy the “client” part of LAPS on the computers, you have several solutions:

  • Manual installation by selecting only the AdmPwd GPO Extension component.
  • Installation by a Software Deployment Tool (SCCM / WAPT).
  • Installation by GPO.
  • Installation by script: msiexec / i <file location> \ LAPS.x64.msi / quiet
  • Copy the AdmPwd.dll file and save it to the regsvr32.exe AdmPwd.dll extension

Depending on your environment, I let you choose the best solution.

Update Active Directory Schema

To work properly LAPS needs to modify the Active Directory schema to add two attributes to the computers.

On the domain controller where it was installed, open a PowerShell command prompt with Administrator rights.

Load the PowerShell module:

Import-Module AdmPwd.PS

Update schema:

Update-AdmPwdADSchema

The command should return the following result:

Operation            DistinguishedName                                                 Status
---------            -----------------                                                 ------
AddSchemaAttribute   cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=l... Success
AddSchemaAttribute   cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=lab,DC=intra       Success
ModifySchemaClass    cn=computer,CN=Schema,CN=Configuration,DC=lab,DC=intra            Success

The schema has been modified and the attributes added.

We will now see how to configure LAPS.

Configuring LAPS

The configuration of LAPS is done by OR in the Active Directory. In this tutorial, we will apply the password policy on the OU Computers 1 that is in the OU LAB.

OU=Computers

Before configuring Group Policy, you must give the rights to the Computer type objects to be able to modify their attributes. Open a PowerShell command prompt.

Load the module:

Import-Module AdmPwd.PS

Case 1: There is only one OR carrying the name Computers:

Set-AdmPwdComputerSelfPermission -OrgUnit "Computers"

Case 2: Several OUs are called Computers:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=LAB,DC=lab,DC=intra"

Result of the order:

Name                 DistinguishedName                                                 Status
----                 -----------------                                                 ------
Computers            OU=Computers,OU=LAB,DC=lab,DC=intra                               Delegated

If multiple OUs have the same name and you apply the case 1 command, the delegation will be applied to all OUs. The command will also return an error.

Now that computers can change their attributes, you need to create a group policy. Open the Group Policy Management Console, right-click on OR 1 where will be applied and click Create GPO in this area, and link it here 2 .

New GPO

Name strategy 1 and click OK 2 .

Name of GPO for LAPS

Now that the strategy is created, we will configure it, right click on 1 and click on Edit 2 .

Edit GPO

Go to Computer Configuration / Policies / Administrative Templates / LAPS 1 . In this location are the various configuration parameters. Open Password Settings 2 to configure the password.

LAPS settings

Activate 1 the parameters then configure the complexity of the password 2 using the various parameters. Click on Apply 3 and on OK 4 .

Password settings

Open the Enable local admin password management parameter, activate 1 then click on Apply 2 and OK 3 . You must enable this setting to enable password management.

Enable LAPS

If you delete the local administrator account and create a new one, you can specify it with the Name of administrator account to manage parameter.

Summary of Group Policy Settings :

Now that Group Policy is ready, force it to be updated so that the computers recover the settings and generate a password for the local administrator account.

View the password generated by LAPS

Now that our computers have a different password, we will see how to recover the password.

From the Active Directory

The display of advanced features must be enabled.

Using the Active Directory Users and Computers console, open the computer properties, go to the Attribute Editor 1 tab, and look for the ms-Mcs-AdmPwd 2 attribute.

Get password

With the LAPS client

When installing LAPS on the server, all components have been installed. A client is available through the Start menu. Once it has been launched, enter the name of the computer 1 then click Search 2 to display the password 3 and the expiry date 4 .

LAPS Client UI

It is possible to change the expiration date of the password, once it has been configured, click on Set. The password change will be effective when applying group policies on the computer.

Allow viewing the password to an AD group

By default, the Domain Admins group can see the attribute that contains the password for the local Administrator account for the extension. It may be necessary to give the password option to other people such as the support team if they are not members of the Domain Admins group.

The client part of LAPS will have to be installed on their computer to see the password.

On the domain controller, open the ADSI Edit Console, right click on ADSI Edit 1 and click on Connect 2 .

ADSI editor

Choose Default Attribution Context 1 and click OK 2 .

Connection

Once connected, open the properties of the OU where LAPS has been configured.

OU properties

Go to the Security tab 1 and click on the Advanced 2 button.

Security tab

Click on Add 1 .

Add

Select group 1 , type: Allow 2 . Check the authorization All rights extended 3 and validate by clicking OK 4 .

permissions configuration

Permissions have been added to the OU, click Apply 1 and OK 2 to validate. Then close the windows.

You can do the same thing in PowerShell by using the following command:

Set-AdmPwdReadPasswordPermission -OrgUnit Computers -AllowedPrincipals SupportSI

It is possible to check in PowerShell access using the following command:

Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity Computers | Format-Table ExtendedRightHolders

ExtendedRightHolders
--------------------
{AUTORITE NT\Système, LAB\Admins du domaine, LAB\SupportSI}

Users in the SupportSI group now have the option to see the password for the Local Administrator account.

To give the SupportSI group permission to change the password expiration date, enter the following PowerShell command:

Set-AdmPwdResetPasswordPermission -OrgUnit Computers -AllowedPrincipals SupportSI

Conclusion

LAPS is a free solution that protects the local Administrator account on client computers and servers.

I find this solution all the more interesting on servers that allows to have a different password for each of them and thus increase security. The expiration and automatic renewal of the password provides additional security when a person from the IS leaves the company.