LAPS, or Local Administrator Password Solution, might or might not be something you’ve heard about before. It seems to be more common in enterprises with a good Microsoft relationship.
It got my attention last week when I was playing around with Project Honolulu and rebuilding my production environment with an external FQDN.
Back in the day we used to store passwords in GPOs and use Group Policy Preferences (GPP) to change the local administrator password. However, the key used to encrypt those passwords was compromised, and in 2014 Microsoft released a security update to disable that function. LAPS was born; read the full story here.
LAPS Management
Download LAPS and install it with all the Tools on your Management Server.
Then open PowerShell as Administrator and extend the AD schema.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Next, grant computers permission to update their own password. In this example I’m using my Deployment organizational unit. Be aware that all sub-OUs will also be included.

Set-AdmPwdComputerSelfPermission -OrgUnit "Deployment"
You can also grant rights to groups, users and computers to allow them to retrieve a computer’s password.

Set-AdmPwdReadPasswordPermission -OrgUnit "Deployment" -AllowedPrincipals mgmt-01$
To display the current permissions, run this command.

Find-AdmPwdExtendedRights -Identity "Deployment"
LAPS Deployment Existing Computers
The easiest way to deploy the LAPS Client Side Extension is using Group Policy.
LAPS Deployment New Computers
Here I’m using my Automation Framework on top of Microsoft Deployment Toolkit.
# PowerShell Wrapper for MDT, Standalone and Chocolatey Installation - (C)2015 xenappblog.com
# Example 1: Start-Process "XenDesktopServerSetup.exe" -ArgumentList $unattendedArgs -Wait -Passthru
# Example 2 Powershell: Start-Process powershell.exe -ExecutionPolicy bypass -file $Destination
# Example 3 EXE (Always use ' '):
# $UnattendedArgs='/qn'
# (Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode
# Example 4 MSI (Always use " "):
# $UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"
# (Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Microsoft"
$Product = "LAPS x64"
$Version = "6.2.0.0"
$PackageName = "LAPS.x64"
$InstallerType = "msi"
$Source = "$PackageName" + "." + "$InstallerType"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$packageName.$installerType"
# Silent MSI install; ADDLOCAL=Management.PS adds the PowerShell module on top of the default CSE feature.
$UnattendedArgs = "/i $PackageName.$InstallerType ADDLOCAL=Management.PS ALLUSERS=1 /qn /liewa $LogApp"
$url = "https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi"

Start-Transcript $LogPS

if( -Not (Test-Path -Path $Version ) )
{
    New-Item -ItemType directory -Path $Version
}

CD $Version

Write-Verbose "Downloading $Vendor $Product $Version" -Verbose
If (!(Test-Path -Path $Source)) {
    Invoke-WebRequest -Uri $url -OutFile $Source
} Else {
    Write-Verbose "File exists. Skipping Download." -Verbose
}

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
With the MDT application defined as below.

powershell.exe -ExecutionPolicy Bypass .\Install.ps1 -force
LAPS Group Policy Configuration
Reveal Password
Simply run the tool and type in the computer name.
Where to use it?
I see no reason not to implement LAPS today, especially for your servers. No, your help desk probably won’t like it, but security before pleasure.
Just as an example: an out-of-the-box deployment of Microsoft Deployment Toolkit allows Everyone to read the content of the deployment share. So by opening CustomSettings.ini, that person could easily discover that the default local admin password is set to P@ssword.
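An audit for exactly that exposure, as an added example rather than code from the original post: it checks a deployment share for a plaintext AdminPassword line in CustomSettings.ini and for Everyone or Authenticated Users being granted share-level access. Share name and path are placeholders; it reports that a password is present without echoing its value.

```powershell
# Added example, not part of the original post. Share name and path are placeholders.
function Test-MdtShareExposure {
    param(
        [Parameter(Mandatory)] [string]$ShareName,   # e.g. 'DeploymentShare$'
        [Parameter(Mandatory)] [string]$SharePath    # local folder backing that share
    )
    $ini = Join-Path $SharePath 'Control\CustomSettings.ini'
    $findings = @()

    # 1. Plaintext AdminPassword in CustomSettings.ini (any section, any value).
    if (Test-Path $ini) {
        $pwdLines = Get-Content $ini | Where-Object { $_ -match '^\s*AdminPassword\s*=\s*\S' }
        foreach ($line in $pwdLines) {
            # Report the file, never the password itself, so the audit output is safe to share.
            $findings += [pscustomobject]@{ Check = 'PlaintextAdminPassword'; Detail = $ini }
        }
    }

    # 2. Broad share permissions: Everyone or Authenticated Users allowed on the share.
    $broad = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -in @('Everyone', 'NT AUTHORITY\Authenticated Users')
    }
    foreach ($ace in $broad) {
        $findings += [pscustomobject]@{ Check = 'BroadShareAccess'; Detail = "$($ace.AccountName): $($ace.AccessRight)" }
    }

    return $findings
}

# Placeholder usage; an empty result means neither condition was found.
Test-MdtShareExposure -ShareName 'DeploymentShare$' -SharePath 'C:\DeploymentShare' | Format-Table -AutoSize
```

Both findings together are the case described above: anyone on the network can read the share, and the share contains the local admin password every deployed machine will start with.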
More Security?
Check this awesome presentation from the #virtualexpo September 2017 by Jarian Gibson and Patrick Coble.
Dear All
I have six Active Directory domain controllers installed at 6 locations. All are in write mode. I am going to install LAPS on my root domain controller. What will happen if my root domain controller fails? My question is: will the LAPS attribute be replicated to all domain controllers, or will it reside only on the root domain controller? How can I retrieve users’ endpoint passwords if my root domain controller fails?
Please help me with this.
The attributes are going to be replicated across all DCs. Here are some LAPS-related links for you to read up on:
https://blogs.msdn.microsoft.com/laps/
https://blogs.msdn.microsoft.com/laps/2016/08/08/laps-and-ad-sizing-considerations/