Manage local Account

Manage Local Account Password

One element that is rarely changed is the password of local accounts. It is common to set the same local administrator password on all workstations and servers, which greatly increases the impact of a security breach: one compromised password opens every machine.

It is important to have a different password on each workstation and server, so that if one password is compromised the other machines are not affected. However, rotating passwords regularly and keeping track of a distinct password per machine can greatly complicate daily administration.

LAPS

LAPS (Local Administrator Password Solution) is a Microsoft product. It manages the password of a local account on each domain-joined machine, generating a unique password per computer and storing it in Active Directory. To install LAPS, the following prerequisites must be met:

Supported operating systems:

  • Windows 10, 8.1, 8, 7 or Vista
  • Windows Server 2012 R2, 2012, 2008 R2, 2008 or 2003

Active Directory

  • 2003 SP1 or later
  • requires AD schema extension

Management Tools

  • .Net Framework 4.0
  • PowerShell 2.0 or later

LAPS Installation

The steps to install LAPS are detailed below. The lab used here is composed of:

  • One Domain Controller, Windows Server 2012 R2
  • One workstation

To begin, download LAPS from the Microsoft website:

https://www.microsoft.com/en-us/download/details.aspx?id=46899


In the Custom Setup window, install all the options and click on Next.

  • Fat Client UI: a graphical interface for viewing passwords and setting options
  • PowerShell Module: essential to integrate LAPS into the infrastructure (AdmPwd.PS)
  • GPO Editor templates: integrates the LAPS settings into the Group Policy editor via an ADMX file

Update the AD Schema

It is necessary to update the Active Directory schema to add the two LAPS attributes, which store the password generated by the tool and its expiration date. On the schema master, open a PowerShell prompt (you must have administrator rights).

  • ms-Mcs-AdmPwd: stores the password in clear text
  • ms-Mcs-AdmPwdExpirationTime: stores the expiration date

In the PowerShell prompt, execute the following commands:

Import-module AdmPwd.ps
Update-AdmPwdADSchema

Secure access to the password

To secure access to the local account password, it is necessary to ensure that only domain admins can read it. First, check which principals currently hold extended rights on the OU, since any holder of extended rights can read the confidential ms-Mcs-AdmPwd attribute. Import the AdmPwd module (Import-module AdmPwd.ps) and then run the following command:

Find-AdmPwdExtendedrights -identity "OU Name" | Format-Table ExtendedRightHolders

Each workstation and server must have the right to write to its own ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes, because the LAPS client itself writes the new password and expiration date. This right is granted with a PowerShell command from the AdmPwd module.

Configure permission

Do the same for each other organizational unit. Access to the passwords stored in Active Directory is governed by an ACL, so the right must be granted explicitly to members of the Domain Admins group. The following PowerShell command grants them the right to reset (force the expiry of) the password:

Set-AdmPwdResetPasswordPermission -OrgUnit "OU Name" -AllowedPrincipals "DOMAIN\Domain Admins"

Do the same action for the other organizational unit.

Configure group policy

A Group Policy is created to deploy the client and apply the desired settings. Only the client configuration part is documented here; the client itself can be installed by other means (script, manual installation, …).

Password Settings

Computer Configuration / Administrative Templates / LAPS / Password Settings

Enable local admin password management

Computer Configuration / Administrative Templates / LAPS / Enable local admin password management

Name of administrator account to manage

Computer Configuration / Administrative Templates / LAPS / Name of administrator account to manage

Link the Group Policy to the desired organizational unit. After a few hours, the password is present in Active Directory.

LDAP Attributes

The ms-Mcs-AdmPwdExpirationTime attribute is stored as a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC). To display it as a readable date, use the W32tm command:

W32tm /ntte "value of the ms-Mcs-AdmPwdExpirationTime attribute"
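As an added example (not code from the original post), the following PowerShell script performs the same FILETIME conversion as W32tm /ntte and then checks, over constructed sample records, whether each computer's LAPS password is present in Active Directory and not overdue for rotation. The property names Name, ExpirationRaw and HasPassword, the sample values and the reference date are assumptions.

```powershell
# Added example, not part of the original post. Decodes ms-Mcs-AdmPwdExpirationTime
# (a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC, the same value
# W32tm /ntte converts) and flags computers whose LAPS password is absent or overdue.

function Convert-AdmPwdExpirationTime {
    param([Parameter(Mandatory)][string]$RawValue)
    # Equivalent of W32tm /ntte, returned as a UTC DateTime
    return [DateTime]::FromFileTimeUtc([int64]$RawValue)
}

function Test-AdmPwdStatus {
    param(
        # Objects with Name, ExpirationRaw and HasPassword properties (assumed field names)
        [Parameter(Mandatory)][object[]]$Computers,
        [DateTime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($c in $Computers) {
        if (-not $c.HasPassword -or [string]::IsNullOrEmpty($c.ExpirationRaw)) {
            # No password written yet: GPO not applied, client not installed,
            # or the computer lacks self-write permission on the attributes
            $status  = 'NotManaged'
            $expires = $null
        } else {
            $expires = Convert-AdmPwdExpirationTime $c.ExpirationRaw
            # Once the expiration date has passed the client should have rotated the
            # password; an overdue entry means the rotation is not happening
            $status = if ($expires -lt $Now) { 'Overdue' } else { 'OK' }
        }
        [pscustomobject]@{ Computer = $c.Name; Expires = $expires; Status = $status }
    }
}

# Constructed sample records standing in for a query such as
#   Get-ADComputer -Filter * -SearchBase "OU Name" -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
# (reading ms-Mcs-AdmPwd itself requires the read permission on the OU).
$sample = @(
    [pscustomobject]@{ Name = 'WKS01'; ExpirationRaw = '133500000000000000'; HasPassword = $true }   # expires 2024-01-17
    [pscustomobject]@{ Name = 'WKS02'; ExpirationRaw = '132000000000000000'; HasPassword = $true }   # expired in 2019
    [pscustomobject]@{ Name = 'SRV01'; ExpirationRaw = $null;                HasPassword = $false }
)

# Fixed reference date so the sample gives a stable result; drop -Now to use the current time
$reference = New-Object -TypeName DateTime -ArgumentList 2024, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
Test-AdmPwdStatus -Computers $sample -Now $reference | Format-Table -AutoSize
```

A computer reported as NotManaged or Overdue for more than one policy interval is worth investigating, since it is probably still running a shared or never-rotated local administrator password.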

Use LAPS UI

LAPS UI is included with the solution and lets an administrator view the password and force a new expiration date for a computer or server in the domain. It is available from the Start menu; enter the computer name and the desired password expiration date.
