Getting Started with Local Administration Password Solution (LAPS)

20 Shares

LAPS or Local Administration Password Solution might or might not be something you’ve heard about before. It’s seems to be more common in Enterprises with a good Microsoft relationship.

It got may attention last week when I was playing around with Project Honolulu and rebuilding my Production environment with an external FQDN.

Back in the days we used to store passwords in GPOs and using GPPs to change local administrator password etc. However that encryption key got compromised and in 2014 Microsoft released a Security Update to disable that function. LAPS was born, read the full story here.

LAPS Management

Download LAPS and install it with all the Tools on your Management Server.

Then open PowerShell as Administrator to extend AD Schema.

Next grant computers to update their passord, in this example I’m using my Deployment Organization Unit. Be aware that all sub OUs will also be included.

You can also add grant rights to groups, users and computers to allow them to retrieve a computer’s password.

To display current permissions run this command.

 LAPS Deployment Existing Computers

The easiest way to deploy LAPS Client Side Extension is using Group Policy.

LAPS Deployment New Computers

Here I’m using my Automation Framework on top of Microsoft Deployment Toolkit.

With the Application defined like below.

LAPS Group Policy Configuration

Reveal Password

Simply run the tool and type in the computer name.

Where to use it?

I see no reason why not to implement this LAPS solution today, especially for your Servers. No your help desk probably won’t like it, but security before pleasure.

Just as an example. An out of the box deployment of Microsoft Deployment Toolkit allows Everyone to read the content. So by opening CustomSettings.ini that person could easily discover that the default local admin password is set to [email protected].

More Security?

Check this awesome presentation from the #virtualexpo September 2017 by Jarian Gibson and Patrick Coble.

20 Shares

2 Responses to Getting Started with Local Administration Password Solution (LAPS)

  1. Dear All

    I have Six Number of Active Directory Installed on 6 location. All are in Write Mode. I am going to install LAPS on my Root Domain controller. what will happen if my root domain controller gets failed. My question is does Laps attribute will be replicated to all domain controller or it will reside only to Root domain controller. How can i retrieve users endpoints password if my root domain controller gets failed.

    please help me on this?

    [email protected]

Leave a reply