
Configuring LAPS (Part 1)- Configuring Active Directory

Why is Local Administrator Password Management Needed?
The question of how to deal with users having administrative rights on computers or other
network resources is one that has many different answers and has evolved over time. While the
scenarios around network and domain administrative access may be more complex, the local
administrative rights scenario should be very similar for almost everyone.

A common scenario, in organizations of all sizes, is all workstations sharing a common local
administrator account password. The help desk uses this local administrator password when
needing to do something on a computer that requires administrative rights. Occasionally this
password has been given out to normal users for various reasons.

This scenario creates several serious security problems.

- Help desk users and other administrators signing in with the shared local administrator account make accountability difficult: any action recorded under that account could have been carried out by anyone who knows the credentials.
- A normal user who is given the local administrator credentials now has local administrator access to every computer that shares them.
- Every machine sharing the password is only as secure as the weakest one: an attacker who compromises a single workstation and recovers the password, or its NTLM hash, can use it to move laterally to every other workstation that uses it.
- The more people who know the credentials, the more likely they are to be passed around to other users, until many users who were never supposed to have them do.

How to Mitigate These Security Issues


The local administrator account on domain joined devices should rarely, if ever, be used.
Ideally, normal users would not have local administrative rights on computers. If a normal user
did require local administrative access on a permanent basis, they should have access to a
domain account that has been granted local administrative access to their computer. Help desk
personnel should have access to domain accounts that are set as local administrators of devices
they may need to manage or troubleshoot. Logging in as the local administrator account should
be saved for the rare occasion that a computer loses its domain trust relationship and needs to be
re-joined to the domain.

Now that the local administrator account is going to rarely be used, it would be nice to be able to
change that password, so anyone who previously had known it can no longer use it. This is
where Microsoft’s Local Administrator Password Solution (LAPS) comes into play. LAPS is
a solution developed by Microsoft to handle the management of the local administrative accounts
on domain joined computers. Any device that LAPS is deployed to is able to randomize the local
administrator password, store that password in Active Directory, and then change that password
on a set schedule.

The instructions below are part 1 of a 2-part series and cover configuring Active Directory to
support LAPS. The sections marked as (Required) are necessary to implement LAPS functionality.
The sections marked as (Optional) are not necessary, but add value or functionality to the
implementation.

(Required) Install the LAPS Management Utilities

1. Download the LAPS installer(s) to a domain joined computer
a. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
2. Run either the x64 or the x86 msi, depending on your computer's architecture
3. At the Welcome screen, click Next
4. At the License Agreement screen, accept the EULA and click Next
5. At the Feature Installation screen, select to install all the available features, and click Next
6. At the Confirmation screen, click Install
7. At the Completion screen, click Finish

NOTE: Installing all features also installs the AdmPwd GPO Extension on the management computer, so that computer becomes a LAPS client itself as soon as the Group Policy from Part 2 applies to it.
(Required) Extend the Active Directory Schema
LAPS requires an AD schema extension that adds the attributes used to store the administrator
password and the password expiration time. Extending the schema is a forest-wide change that
cannot be rolled back, requires membership in Schema Admins, and only needs to be done once
per forest.

1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Schema Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS

3. Run the command to extend the AD Schema


a. Update-AdmPwdADSchema

4. After the schema has been extended, two new attributes appear on computer objects (visible on
the Attribute Editor tab in Active Directory Users and Computers when Advanced Features are
enabled)
a. ms-Mcs-AdmPwd – stores the local administrator password in clear text; it is protected only
by the attribute's confidential flag and the permissions configured in the following sections
b. ms-Mcs-AdmPwdExpirationTime – stores the time after which the computer will generate a
new password, as a 64-bit FILETIME value
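The schema extension together with a check that it took effect, as an added example that is not part of the original article. It assumes the AdmPwd.PS module from the LAPS management utilities and the RSAT ActiveDirectory module are installed on the management computer and that the session runs as a member of Schema Admins:

```powershell
# Added example, not part of the original article. Assumes AdmPwd.PS (LAPS
# management utilities) and the RSAT ActiveDirectory module are installed and the
# session runs as a Schema Admin.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Extend the schema (forest-wide, needs the schema master to be reachable).
Update-AdmPwdADSchema

# Verify that both attributes now exist in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs    = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attrs[$name] = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
                                 -Properties lDAPDisplayName, searchFlags
    if (-not $attrs[$name]) {
        throw "Schema attribute $name is missing; Update-AdmPwdADSchema did not complete."
    }
}

# The password attribute must be confidential (searchFlags bit 0x80). A confidential
# attribute can only be read by principals holding the control-access (extended)
# right on it; without the bit, plain read access would expose every password.
$pwdFlags = $attrs['ms-Mcs-AdmPwd'].searchFlags
if (($pwdFlags -band 0x80) -eq 0) {
    throw "ms-Mcs-AdmPwd is not marked confidential (searchFlags=$pwdFlags); do not deploy LAPS until this is corrected."
}

# The attributes must also have been added to the computer class, otherwise clients
# cannot write them on their own objects.
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                              -Properties mayContain
foreach ($name in $attrs.Keys) {
    if ($computerClass.mayContain -notcontains $name) {
        throw "Attribute $name is not part of the computer class."
    }
}
"Schema OK: both attributes present, ms-Mcs-AdmPwd is confidential (searchFlags=$pwdFlags)."
```

Run this on the management computer after the installer has finished; the final line is the only expected output when everything is in place, and each throw names the specific piece that is missing.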
(Required) Configure Active Directory Computer Permissions
By default, computer objects cannot write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
attributes. For LAPS to work, each computer must be able to write both attributes on its own
object. The steps below grant write permission on both attributes to the SELF principal for the
computer objects in an OU, so that each computer can update only its own password and
expiration time, not those of other computers.

1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to grant write permission to SELF. Replace OU Name with the name of the OU
that contains the computers that will be managed with LAPS. The permission is inherited by all
sub-OUs of the OU you specify, so choose the narrowest OU that covers the managed computers.
a. Set-AdmPwdComputerSelfPermission -Identity "OU Name"
NOTE: In the examples throughout this article, the common name of the OU is specified.
The common name can be used only if it is unique in the domain; otherwise specify the
distinguished name of the OU (in the form OU=...,DC=...,DC=...).

(Optional) Configure Active Directory User Permissions


By default, only Domain Admins (and the SYSTEM account) can read the password attribute and
change the expiration time attribute. The commands below delegate either right to users or
groups. Treat the ability to read ms-Mcs-AdmPwd as equivalent to local administrator on every
computer in the OU: delegate it to small, well-controlled groups rather than to individual
users, and keep the read and reset delegations separate where the help desk only needs to
force a rotation.

Delegate rights to an AD user or group to view the password and reset time attributes

1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to delegate read access to a specific user or group. Replace OU Name with
the name of the OU that the user or group will be able to read the attributes for. Replace User or
Group Name with the name of the user or group that will be delegated the read permission.
Multiple users or groups can be specified in a comma separated list.
a. Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals
"User or Group Name"

Delegate rights to an AD user or group to modify the reset time attribute

1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to delegate write access to a specific user or group. Replace OU Name with
the name of the OU on which the user or group will be able to modify the expiration time
attribute. Replace User or Group Name with the name of the user or group that will be able to
modify it. Multiple users or groups can be specified in a comma separated list. Writing an
expiration time that is already in the past makes the computer generate a new password at its
next Group Policy refresh, so this right lets the holder force a password reset without being
able to read the current password.
a. Set-AdmPwdResetPasswordPermission -Identity "OU Name" -AllowedPrincipals
"User or Group Name"
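The three delegations above (computer SELF, password readers, password resetters) applied to several OUs in one pass, as an added example that is not part of the original article. It assumes AdmPwd.PS is installed and the session has Domain Admin rights; the OU distinguished names and group names are placeholders for this example:

```powershell
# Added example, not part of the original article. Assumes AdmPwd.PS is installed
# and the session runs with Domain Admin rights. OU distinguished names and group
# names are placeholders for this example.
Import-Module AdmPwd.PS

# Two OUs of managed computers, one group that may read passwords and one that may
# only force a reset. Distinguished names avoid the ambiguity of a bare OU name.
$ManagedOUs  = 'OU=Workstations,DC=corp,DC=example',
               'OU=Laptops,DC=corp,DC=example'
$ReadGroups  = 'LAPS-Password-Readers'
$ResetGroups = 'LAPS-Password-Readers', 'LAPS-Password-Resetters'

foreach ($ou in $ManagedOUs) {
    # SELF: each computer object may write its own password and expiration time.
    Set-AdmPwdComputerSelfPermission -Identity $ou | Out-Null

    # Readers receive the control-access right needed to read the confidential
    # ms-Mcs-AdmPwd attribute. Treat this as local admin on every computer in the OU.
    Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $ReadGroups | Out-Null

    # Resetters receive write access to ms-Mcs-AdmPwdExpirationTime only. Setting it
    # to a time in the past makes the client rotate the password at its next Group
    # Policy refresh, without the resetter ever seeing the current password.
    Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $ResetGroups | Out-Null

    # Show who can now read passwords on this OU.
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN, @{ n = 'Readers'; e = { $_.ExtendedRightHolders -join ', ' } }
}
```

The readers group is deliberately included in the reset delegation as well, since staff who may look up a password usually also need to rotate it after use; the resetters-only group is the one to hand to a help desk tier that should never see the current password.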

Verify User Permissions


After delegating rights, this command can be run against an OU to determine which users or
groups hold the extended right that allows reading the password attribute.

1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to view the permissions on a specific OU. Replace OU Name with the name
of the OU the command will run against.
a. Find-AdmPwdExtendedRights -Identity "OU Name"

By default, NT AUTHORITY\SYSTEM and Domain Admins should be listed as extended right holders,
together with the group that was delegated read permission in the previous section.
Any other user or group listed under the ExtendedRightHolders property can read the password
attribute, whether or not that was intended. The usual cause is an earlier delegation on this
OU (or a parent OU) that included the All extended rights permission, which covers the
control-access right on ms-Mcs-AdmPwd along with every other extended right.

To make sure any of these extra users or groups cannot view the password attribute, follow
these steps

1. Open Active Directory Users and Computers as an account with Domain Admin rights
2. Right click on the OU in question and select Properties
3. Click on the Security tab
4. Click Advanced
5. Select the user or group to modify permissions for
6. Click Edit
7. Uncheck the All extended rights box and click OK

If the entry cannot be edited because it is inherited, it was granted on a parent OU (or on the
domain); edit it there instead. Afterwards, run Find-AdmPwdExtendedRights against the OU again
to confirm the principal no longer appears.
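An audit that combines the Find-AdmPwdExtendedRights check with the underlying ACL, so that every unexpected reader is traced back to the "All extended rights" ACE that grants it, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module (for the AD: drive) and AdmPwd.PS are installed and the session has Domain Admin rights; the OU, domain and group names are placeholders:

```powershell
# Added example, not part of the original article. Save as Audit-LapsRights.ps1.
# Assumes the RSAT ActiveDirectory module (for the AD: drive) and AdmPwd.PS are
# installed and the session runs with Domain Admin rights. OU, domain and group
# names are placeholders.
param(
    [string[]] $OUs = @('OU=Workstations,DC=corp,DC=example'),
    # Principals that are supposed to be able to read LAPS passwords on these OUs.
    [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\LAPS-Password-Readers'),
    # Remove offending "All extended rights" ACEs instead of only reporting them.
    [switch]   $Remove
)
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($ou in $OUs) {
    # LAPS' own view: every principal that can read ms-Mcs-AdmPwd on this OU.
    $holders    = (Find-AdmPwdExtendedRights -Identity $ou).ExtendedRightHolders
    $unexpected = @($holders | Where-Object { $_ -notin $Expected })
    if ($unexpected.Count -gt 0) {
        Write-Warning "$ou : unexpected LAPS password readers: $($unexpected -join ', ')"
    }

    # Explain where the access comes from. An Allow ACE with ExtendedRight and an
    # empty ObjectType GUID is "All extended rights", which includes the LAPS right.
    $acl   = Get-Acl -Path "AD:\$ou"
    $broad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        $_.ObjectType -eq [guid]::Empty -and
        "$($_.IdentityReference)" -notin $Expected
    })

    $changed = $false
    foreach ($ace in $broad) {
        "{0}: '{1}' has All extended rights (inherited={2})" -f $ou, $ace.IdentityReference, $ace.IsInherited
        if (-not $Remove) { continue }
        if ($ace.IsInherited) {
            Write-Warning "  inherited from a parent; remove it on the parent OU instead"
        } elseif ($ace.ActiveDirectoryRights -ne $extendedRight) {
            # The ACE also carries other rights (e.g. GenericAll). Removing it would drop
            # those too; clear only the All extended rights box in ADUC instead.
            Write-Warning "  ACE also grants $($ace.ActiveDirectoryRights); edit it in ADUC instead"
        } else {
            $acl.RemoveAccessRule($ace) | Out-Null
            $changed = $true
        }
    }
    if ($changed) {
        Set-Acl -Path "AD:\$ou" -AclObject $acl
        "{0}: ACE(s) removed; re-run Find-AdmPwdExtendedRights to confirm" -f $ou
    }
}
```

Run it without -Remove first and review the report; the script only deletes an ACE when that ACE grants nothing but ExtendedRight, because removing a broader ACE (for example one that also carries GenericAll) would take away rights the principal may legitimately need, which is exactly the case the ADUC steps above handle by unchecking a single box.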

At this point, Active Directory has been configured to support LAPS, computer objects have been
given permission to update their password attributes, and the appropriate users have been
delegated rights to read and reset the passwords. Part 2 of this series will cover the creation and
configuration of the Group Policy object needed to enable LAPS on devices.

Configuring LAPS (Part 2)- Configuring and Deploying Group Policy