Mar 19

Manage local Account

Manage Local Account Password

One element that is rarely changed is the password of local accounts. It is common to set the same local administrator password on all workstations and servers, which greatly increases the impact of a security breach.
It is important to have a different password on each machine and server, so that if one password is compromised, the other machines and servers are not affected. However, regularly changing passwords or managing a password per machine can greatly complicate daily administration.

LAPS

LAPS (Local Administrator Password Solution) is a Microsoft product. It manages the passwords of local accounts. To install LAPS you must meet these prerequisites:

Supported operating systems

  • Windows 10, 8.1, 8, 7 or Vista
  • Windows Server 2012 R2, 2012, 2008 R2, 2008 or 2003

Active Directory

  • 2003 SP1 or later
  • requires AD schema extension

Management Tools

  • .Net Framework 4.0
  • PowerShell 2.0 or later

Step by Step

LAPS Installation

If you want to install LAPS, the steps are detailed below. The lab is composed of:

  • One Domain Controller, Windows Server 2012 R2
  • One Workstation

To begin, download LAPS from the Microsoft website:

https://www.microsoft.com/en-us/download/details.aspx?id=46899

In the Custom Setup window, install all the options and click Next.

  • Fat Client UI: a graphical interface for viewing passwords and options.
  • PowerShell Module: essential to integrate LAPS into the infrastructure (AdmPwd.PS)
  • GPO Editor Templates: integration of the LAPS settings into Group Policy via an ADMX file

Update Schema AD

It is necessary to update the Active Directory schema to add the LAPS attributes. These store the password generated by the tool. On the schema master, open a PowerShell prompt (you must have administrator rights).

  • ms-Mcs-AdmPwd: stores the password in clear text
  • ms-Mcs-AdmPwdExpirationTime: stores the expiration date

In the PowerShell prompt, execute the following commands:

  • Import-Module AdmPwd.PS
  • Update-AdmPwdADSchema

In order to secure access to the local account password, it is necessary to ensure that only domain admins can read it. For this action, import the AdmPwd module (Import-Module AdmPwd.PS), then run the following command, which lists the principals that currently hold extended rights on the OU:

  • Find-AdmPwdExtendedRights -Identity "OU Name" | Format-Table ExtendedRightHolders

The workstations and servers must have the right to write the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of their own computer object. For this, run the following PowerShell command:

  • Set-AdmPwdComputerSelfPermission -OrgUnit "OU Name"

Do the same for the other organizational units. Access to the passwords stored in Active Directory is controlled by an ACL, so this right must be granted to the members of the Domain Admins group. For this, run the following PowerShell command:

  • Set-AdmPwdResetPasswordPermission -OrgUnit "OU Name" -AllowedPrincipals "DOMAIN\Domain Admins"

Do the same for the other organizational units.

Configure group policy

A Group Policy was created to deploy the client and apply the desired settings. Only the configuration of the client is documented here; if you prefer, the client can be installed by other means (script, manual installation, ...).

Password Settings
Computer Configuration / Administrative Templates /Laps / Password Settings

Enable local admin password management
Computer Configuration / Administrative Templates / Laps / Enable local admin password Management

Name of administrator account to manage
Computer Configuration / Administrative Templates /Laps / Name of administrator account to manage

Link the Group Policy to the desired organizational unit. After a few hours, the password is present in Active Directory.

If you wish to see the value of the ms-Mcs-AdmPwdExpirationTime attribute in date format, use the W32tm command, passing it the numeric value read from the attribute:

W32tm /ntte <value of ms-Mcs-AdmPwdExpirationTime>
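The delegation steps above and the expiration-time conversion, combined into one script as an added example (not code from the original article). It also grants read access with Set-AdmPwdReadPasswordPermission, the read counterpart of the reset cmdlet used above, and converts the FILETIME value in PowerShell instead of W32tm; the OU distinguished names, domain name and computer name are placeholders.

```powershell
# Added example: delegate LAPS rights on several OUs, audit who holds extended
# rights on them, then read one computer's password expiration time.
# Requires the AdmPwd.PS module (LAPS) and the ActiveDirectory RSAT module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OUs = @(
    "OU=Workstations,DC=example,DC=local",   # placeholder OU
    "OU=Servers,DC=example,DC=local"         # placeholder OU
)
$Admins = "EXAMPLE\Domain Admins"            # placeholder principal

foreach ($ou in $OUs) {
    # Computers must be able to write their own ms-Mcs-AdmPwd and
    # ms-Mcs-AdmPwdExpirationTime attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

    # Domain Admins may read the stored password and force its expiration.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $Admins | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $Admins | Out-Null

    # Review: every principal listed here holds extended rights on the OU and
    # can therefore read the clear-text ms-Mcs-AdmPwd attribute.
    Write-Host "Extended rights holders on $ou :"
    Find-AdmPwdExtendedRights -Identity $ou | Format-Table ExtendedRightHolders -AutoSize
}

# Read the raw expiration attribute for one computer. It is a FILETIME
# (100-nanosecond intervals since 1601-01-01 UTC), the same number W32tm /ntte expects.
$computer = "WKS01"                          # placeholder computer name
$raw = (Get-ADComputer $computer -Properties 'ms-Mcs-AdmPwdExpirationTime').'ms-Mcs-AdmPwdExpirationTime'

if ($raw) {
    $expires = [datetime]::FromFileTime([int64]$raw)
    Write-Host "$computer : password expires $expires (local time)"
} else {
    # Empty attribute: the client has not yet written a password for this computer.
    Write-Host "$computer : no LAPS expiration time stored yet"
}
```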

Use LAPS UI

LAPS UI is included with the solution and allows an administrator to force the password expiration date on a domain computer or server. The tool is available in the Start menu; enter the name of the computer and the desired password expiration date.

(1 comment)

  1. Fabien ESPOSITO

    Thank you, very good article
