Manage Local Account Password
One element that is rarely changed is the password of local accounts. It is common to set the same local administrator password on all workstations and servers, which turns the compromise of a single machine into a breach of every machine sharing that password.
It is important to have a different password on each workstation and server, so that a compromised password does not affect the other machines. However, rotating the password regularly and tracking a different password per machine can greatly complicate daily administration.
LAPS (Local Administrator Password Solution) is a Microsoft product that manages the password of a local account on each domain-joined machine: it sets a unique, random password per computer and stores it in Active Directory. To install LAPS you need to meet the following prerequisites:
Supported operating systems
- Windows 10, 8.1, 8, 7 or Vista
- Windows Server 2012 R2, 2012, 2008 R2, 2008 or 2003
- Active Directory: Windows Server 2003 SP1 or later
- requires AD schema extension
- .Net Framework 4.0
- PowerShell 2.0 or later
Step by Step
If you want to install LAPS, the steps are detailed below. The lab used here is composed of:
- One Domain Controller, Windows Server 2012 R2
- One Workstation
To begin, download LAPS from the Microsoft website.
In the Custom Setup window, select all the options and click Next.
- Fat Client UI: a graphical interface for viewing passwords and setting options
- PowerShell Module: essential to integrate LAPS into the infrastructure (AdmPwd.PS)
- GPO Editor templates: ADMX files that add the LAPS settings to the Group Policy editor
Update Schema AD
It is necessary to update the Active Directory schema to add the two LAPS attributes that store the password generated by the tool. On the schema master, open a PowerShell prompt with the required administrator rights.
- ms-MCS-AdmPwd: stores the password in clear text (access is restricted by the ACL configured below)
- ms-MCS-AdmPwdExpirationTime: stores the expiration date of the password
In the PowerShell prompt, execute the commands:
- Import-Module AdmPwd.PS
Configure permissions
To secure access to the local account password, it is necessary to ensure that only Domain Admins can read it. First list the principals that already hold extended rights on the OU, because any of them can read the clear-text password: import the module (Import-Module AdmPwd.PS), then run the following command:
- Find-AdmPwdExtendedRights -Identity "OU Name" | Format-Table ExtendedRightHolders
Workstations and servers must have the right to write their own ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes. For this, execute the following PowerShell command:
- Set-AdmPwdComputerSelfPermission -OrgUnit "OU Name"
Do the same for each other organizational unit. Access to the passwords stored in Active Directory is controlled by an ACL, so this right must be granted to the members of the Domain Admins group. For this, execute the following PowerShell command:
- Set-AdmPwdResetPasswordPermission -OrgUnit "OU Name" -AllowedPrincipals "DOMAIN\Domain Admins"
Do the same for each other organizational unit.
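The schema update and delegation steps above, carried through end to end as an added example (this is not the article's own script). It assumes the AdmPwd.PS module is installed, uses placeholder OU distinguished names and a placeholder domain CORP, and adds one cmdlet the article does not mention, Set-AdmPwdReadPasswordPermission, which delegates the right to read the password (Set-AdmPwdResetPasswordPermission only delegates the right to force a reset).

```powershell
# Added example, not from the original article: schema extension and delegation
# for LAPS with the AdmPwd.PS module. OU names and the domain are placeholders.
# Run in an elevated PowerShell session on the schema master; the schema step
# needs Schema Admins membership, the delegation steps need Domain Admins.

Import-Module AdmPwd.PS

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
#    This is a one-time, forest-wide and irreversible change.
Update-AdmPwdADSchema

# OUs whose computers will be managed (placeholders, adjust to your forest).
$targetOUs = @(
    'OU=Workstations,DC=corp,DC=example',
    'OU=Servers,DC=corp,DC=example'
)

foreach ($ou in $targetOUs) {
    # 2. Audit who already holds "All extended rights" on the OU. Every such
    #    principal can read the clear-text password, so review this list and
    #    remove rights that are not justified before the first password lands.
    Write-Host "Extended-rights holders on $ou :"
    Find-AdmPwdExtendedRights -Identity $ou | Format-Table ExtendedRightHolders -AutoSize

    # 3. Let each computer write its own password and expiration attributes
    #    (SELF permission). Without this the client cannot store the password.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 4. Delegate reading of the password to the group that should see it
    #    (assumption: Domain Admins; use a smaller helpdesk group where possible).
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\Domain Admins'

    # 5. Delegate the right to force a reset (write the expiration time).
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\Domain Admins'
}
```

Re-run Find-AdmPwdExtendedRights after step 5 on each OU: the output should now list only the groups you delegated, plus the built-in accounts that legitimately hold extended rights.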
Configure group policy
A Group Policy is created to deploy the client and apply the desired settings. Only the configuration of the client is documented here; the client itself can also be installed by other means (script, manual installation, ...).
Computer Configuration / Administrative Templates / LAPS / Password Settings
Enable local admin password management
Computer Configuration / Administrative Templates / LAPS / Enable local admin password management
Name of administrator account to manage
Computer Configuration / Administrative Templates / LAPS / Name of administrator account to manage
Link the Group Policy to the desired organizational unit. After a few hours, the password is present in Active Directory.
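When the password does not show up in Active Directory after the wait, the usual causes are the client not being installed, the GPO not being applied, or the SELF permission missing. The following added check (not from the article) is run on a managed workstation as a local administrator; it assumes that the LAPS ADMX writes its values under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd with the value names AdmPwdEnabled and AdminAccountName, that the client-side extension is %SystemRoot%\System32\AdmPwd.dll, and that the client logs to the Application log under the provider name AdmPwd. Verify these names against the ADMX and the LAPS documentation shipped with your version.

```powershell
# Added example, not from the original article: verify on a managed computer
# that the LAPS client is installed and that the GPO settings have been applied.
# Assumptions (check against the shipped ADMX): policy key, value names, CSE DLL
# path and event provider name as defined below. Run as a local administrator.

function Test-LapsClient {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $cseDll    = Join-Path $env:SystemRoot 'System32\AdmPwd.dll'
    $result    = [ordered]@{}

    # 1. Is the client-side extension present on disk?
    $result.CseInstalled = Test-Path $cseDll

    # 2. Has Group Policy delivered the LAPS settings?
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        $result.PolicyApplied  = $true
        $result.Enabled        = ($p.AdmPwdEnabled -eq 1)
        # With no name configured the client manages the built-in Administrator
        # account (identified by its well-known RID, so renaming it is fine).
        $result.ManagedAccount = if ($p.AdminAccountName) { $p.AdminAccountName } else { '(built-in Administrator)' }
    } else {
        $result.PolicyApplied = $false
    }

    # 3. Recent client events show whether a password change was written to AD
    #    or whether the write failed (for example for a missing SELF permission).
    $result.RecentEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
                              -MaxEvents 5 -ErrorAction SilentlyContinue |
                           Select-Object TimeCreated, Id, Message

    [pscustomobject]$result
}

$status = Test-LapsClient
$status | Format-List

if (-not $status.CseInstalled)  { Write-Warning 'LAPS client (AdmPwd.dll) is not installed on this computer.' }
if (-not $status.PolicyApplied) { Write-Warning 'LAPS policy not found: check the GPO link and run gpupdate /force.' }
```

If the policy is present and the CSE is installed but the Application log shows write errors, go back to Set-AdmPwdComputerSelfPermission on the OU containing the computer.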
The ms-Mcs-AdmPwdExpirationTime attribute is stored as a large integer (a Windows FILETIME). To display it as a date, pass its value to the w32tm command:
w32tm /ntte <value of ms-Mcs-AdmPwdExpirationTime>
Use LAPS UI
LAPS UI is included with the solution and allows an administrator to read the password of a computer or server of the domain and to force the expiration date. The program is available from the Start menu; enter the name of the computer and the desired password expiration date.
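The date conversion of the expiration attribute and the read / force-expiration actions of LAPS UI can both be done from PowerShell with the AdmPwd.PS and ActiveDirectory modules. The following added example (not from the article) does so for a whole OU so that unmanaged or stale computers stand out; the OU, the domain and the computer name WS01 are placeholders, and the function ConvertFrom-AdmPwdExpiration is a helper written for this example, not a LAPS cmdlet.

```powershell
# Added example, not from the original article: read the LAPS attributes from AD,
# convert the FILETIME expiration to a date, flag computers without a current
# password, and force a reset on one computer. OU, domain and computer name are
# placeholders. Run as a principal holding the delegated read and reset rights.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since 1601),
# which is why it appears as a long integer in AD tools. This is the PowerShell
# equivalent of "w32tm /ntte <value>". A missing attribute arrives as 0.
function ConvertFrom-AdmPwdExpiration([Int64]$fileTime) {
    if ($fileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($fileTime)
}

# Report every computer in the OU: does it have a password in AD, and is it current?
$now = (Get-Date).ToUniversalTime()
$report = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = ConvertFrom-AdmPwdExpiration ([Int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        [pscustomobject]@{
            Computer   = $_.Name
            Expiration = $exp
            State      = if ($null -eq $exp) { 'NoPassword' }
                         elseif ($exp -lt $now)  { 'Expired' }
                         else                    { 'Current' }
        }
    }
$report | Sort-Object State | Format-Table -AutoSize

# "NoPassword" usually means the client is not installed, the GPO is not linked
# or the SELF permission was not granted. "Expired" for a long time means the
# client is no longer checking in. Both are worth a scheduled report or alert.

# Read one password (the equivalent of the LAPS UI lookup). With a SACL on the
# attribute, each read is recorded on the DC as a Directory Service Access event,
# which is how password reads can be audited.
Get-AdmPwdPassword -ComputerName 'WS01' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Force rotation: set the expiration to now. At the next Group Policy refresh the
# client changes the local password and writes the new one back to AD, the same
# thing LAPS UI does when you set the expiration date.
Reset-AdmPwdPassword -ComputerName 'WS01' -WhenEffective (Get-Date)
```

Resetting does not change the password immediately: the new password only exists after the client has processed the policy, so read it back with Get-AdmPwdPassword after the refresh rather than right after the reset.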