LAPS – Securing Local Administrator Accounts

Presentation

LAPS (Local Administrator Password Solution) is a free solution provided by Microsoft that improves the security of workstations by managing the password of the built-in local Administrator account.

LAPS allows each computer in the Active Directory domain to randomly generate a password for the local Administrator account and store it in an Active Directory attribute (ms-Mcs-AdmPwd). It relies on the SID of the account, which is structured in the same way on every workstation, so LAPS can be applied to any Windows language edition and still works if the Administrator account has been renamed.

It is also possible to configure a password expiration date (ms-Mcs-AdmPwdExpirationTime); once it is reached, a new password is generated for the local Administrator account.
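As an added example (not code from the original post), a small audit routine a defender can run over the computer objects returned by an LDAP query: it converts ms-Mcs-AdmPwdExpirationTime, which LAPS stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, the same format [DateTime]::FromFileTimeUtc reads), and flags computers whose password is expired or that have no LAPS attribute at all. The LDAP query itself and the sample records are assumptions; the records below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; ms-Mcs-AdmPwdExpirationTime is an Int64 in this format.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an ms-Mcs-AdmPwdExpirationTime value (int or LDAP string) to a UTC datetime."""
    ticks = int(value)                      # LDAP returns the attribute as a string
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, using integer arithmetic to avoid float precision loss."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def audit_laps(computers, now):
    """Classify each computer object by the state of its LAPS expiration attribute.

    'missing' -> attribute absent: LAPS has never rotated this account
                 (GPO not applied, client CSE not installed, or object excluded)
    'expired' -> expiration is in the past: rotation should happen at the next
                 GPO refresh; a value that stays expired points to a broken client
    'valid'   -> expiration still in the future
    """
    report = {}
    for computer in computers:
        raw = computer.get("ms-Mcs-AdmPwdExpirationTime")
        if raw is None:
            state = "missing"
        elif filetime_to_datetime(raw) < now:
            state = "expired"
        else:
            state = "valid"
        report[computer["name"]] = state
    return report


# Constructed sample records (hypothetical hosts and values), as an LDAP search
# for computer objects might return them.
NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "WS01", "ms-Mcs-AdmPwdExpirationTime":
        str(datetime_to_filetime(datetime(2024, 2, 10, tzinfo=timezone.utc)))},
    {"name": "WS02", "ms-Mcs-AdmPwdExpirationTime": "133497504000000000"},  # 2024-01-15 UTC
    {"name": "WS03"},                                                       # no LAPS attribute
]

if __name__ == "__main__":
    for name, state in audit_laps(SAMPLE, NOW).items():
        print(f"{name}: {state}")
```

In production the SAMPLE list would be replaced by the results of an LDAP search for objects with objectClass=computer, run as an account allowed to read the expiration attribute (which, unlike ms-Mcs-AdmPwd, is not confidential).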

LAPS follows a client/server model: it requires installing a component on the domain controller(s) and registering a DLL (the Group Policy client-side extension) on the client computers.

Prerequisites:

  • Minimum server: Windows 2003 SP1.
  • Minimum workstation: Windows 8.1.

If you are in an environment with multiple domain controllers, you must either install the Group Policy definitions on every server or use a central store. In the second case, the files (%WINDIR%\PolicyDefinitions\AdmPwd.admx and %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml) must be copied to the central store after installation.


Download LAPS.
