Hello everyone,

In today’s modern IT world, security is hot topic. All of us are witnesses of many security breaches on daily basis, and most of them are initiated with credentials compromising, especially local administrator account. In this post, I will tell what is LAPS and how you can configure LAPS in order to protect your local administrator account.

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

How does LAPS work?

The core of the LAPS solution is a GPO client-side extension that performs the following tasks and can enforce the following actions during a GPO update:

  • Checks whether the password of the local Administrator account has expired
  • Generates a new password when the old password is either expired or is required to be changed prior to expiration
  • Validates the new password against the password policy
  • Reports the password to AD, storing it with a confidential attribute with the computer account in AD
  • Reports the next expiration time for the password to AD, storing it with an attribute with the computer account in AD
  • Changes the password of the Administrator account
  • The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.

What are the features of LAPS?

  • Security that provides the ability to:
    • Randomly generate passwords that are automatically changed on managed machines
    • Effectively mitigate PtH attacks that rely on identical local account passwords
    • Enforced password protection during transport via encryption using the Kerberos version 5 protocol
    • Use ACLs to protect passwords in AD and easily implement a detailed security model
  • Manageability that provides the ability to:
    • Configure password parameters, including age, complexity, and length
    • Force password reset on a per-machine basis
    • Use a security model that is integrated with ACLs in AD
    • Use any AD management tool of choice; custom tools, such as Windows PowerShell, are provided
    • Protect against computer account deletionEasily implement the solution with a minimal footprint

 

Now, when you know what is a LAPS, let me show you how you can configure LAPS. For successful implementation of LAPS you need:

  • Domain Functional level 2003 or higher
  • AD Schema must be extended to use LAPS
  • LAPS client on managed computers
  • .NET Framework 4.0
  • Windows PowerShell 2.0 or later

LAPS is available for download on this link.

 

Install LAPS on domain controller. For “server side” you need to select all options for install.

 

 

Next step is configuring LAPS. Define OU from AD (in my case Servers) where are stored computer accounts which be “affected” with LAPS. Define group of users (in my case Domain-Admins) which will have appropriate permissions to read and reset password.

 

 

Install LAPS agent on desired computer. That can be done also via GPO.

 

 

Configure GPO settings and apply GPO on computers.

 

 

At the end, you can retrieve password for desired computer from LAPS UI or PowerShell

 

Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *