Microsoft LAPS - Local Administrator Password Solution
- 1. MICROSOFT L.A.P.S.
THE LOCAL ADMINISTRATOR PASSWORD SOLUTION
By Matt Stacey, Managing Director of Int64 Software Ltd
@Int64Software or @matt_is_ready
- 2. What is Microsoft LAPS?
Local Administrator Password Solution
Automatic regular randomisation of Local Administrator account passwords on domain computers (Windows only)
Automatic: no manual intervention necessary
Regular: maximum password age can be defined (default 30 days)
Randomisation: no two computers will have the same password, preventing pass-the-hash type attacks
- 3. Local Administrator Accounts
Created and enabled by default
Named “administrator” on all computers unless changed by policy
Typical password management solutions include:
Single common shared password built into image
Vulnerable to pass-the-hash attacks
Procedural (formulaic) password design, set manually or by a script
May get leaked, hacked, or discovered through brute force
- 4. How Microsoft LAPS Works
Installed as a Group Policy Client Side Extension (CSE)
Runs every time Group Policy is updated
Reads the “ms-Mcs-AdmPwdExpirationTime” Active Directory property of the current computer object to see if the password has expired.
If expired, generates a new random password based on the Group Policy settings.
Attempts to record the new password (in “ms-Mcs-AdmPwd”) and the next expiration time in the Active Directory computer object.
Only if that succeeds does it set the Administrator account password.
- 5. How Microsoft LAPS Works
Flow diagram:
GP Refresh
→ Check if expiry time is blank or passed
→ (if expired or blank) Generate a new random password
→ Set password and expiry in Active Directory
→ (only if successful) Change Local Administrator password
- 6. But my Admin accounts are disabled…?
Admin accounts are there by default and cannot be removed, but can be disabled.
However, re-enabling a disabled account is trivial for someone who knows what they’re doing.
Disabling them does not negate the need for strong, frequently changed passwords.
- 7. Installing LAPS
1. Install the management tools (PowerShell module and GPO template)
2. Extend the Active Directory schema
3. Set up Active Directory permissions
4. Configure Group Policy
5. Install Clients
- 8. PowerShell Module and Group Policy Template
Launch the LAPS installer appropriate for your system
Select to install:
PowerShell module
GPO Editor templates
“AdmPwd GPO Extension” is the CSE; “Fat Client UI” is the default Windows Forms interface.
Neither is required at this stage.
- 9. Extend the AD Schema
Launch PowerShell as a user who is a member of the “Schema Admins” group.
Import the LAPS PowerShell module.
Run the Update-AdmPwdADSchema command to extend the schema.
If you get Permission Denied, check your user rights.
- 10. Remove Extended Rights
Run the “Find-AdmPwdExtendedRights” command to find users with the “All extended rights” permission.
This must be targeted at an OU, but will also list any sub-containers which inherit their permissions.
Users with this permission can view the stored passwords of computers in the container, and may need to have it revoked.
For more information, consult the LAPS Operations Guide.
- 11. Grant Computer Rights
Computers need the permission to view their own password’s expiry date, and to write a new password.
Use the “Set-AdmPwdComputerSelfPermission” command.
This must be done for each computer container unless it inherits the permission from a parent.
- 12. Add User Management Rights
If necessary, grant permission for users to view the stored password with the “Set-AdmPwdReadPasswordPermission” command.
Similarly, use the “Set-AdmPwdResetPasswordPermission” command to grant permission to expire a password (triggering a reset during the computer’s next Group Policy update).
- 13. LAPS Group Policy Settings
Create a new GPO and navigate to the LAPS administrative template.
Here you can enable LAPS by changing the “Enable local admin password management” setting to Enabled.
For more information on the other settings, see this link:
https://int64software.com/blog/2018/06/28/a-look-at-the-microsoft-laps-group-policy-settings/
- 14. Deploy the Client Side Extensions
Deploy the same LAPS MSI installer to your clients using your preferred method of software delivery.
By default the MSI will only install the LAPS CSE; no customisation or modification is required.
- 15. Verify Client Side Extensions
Run a Group Policy update on a test client computer and then restart it.
LAPS may take a while to run the first time.
Once it has set the client’s Local Administrator password, you will be able to see the password and expiry in Active Directory.
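As an added example (not part of the original slides), the management-side commands from slides 9 to 12 collected into one script, followed by a coverage check for slide 15 that applies the same expiry test the CSE performs (slides 4 and 5). The OU, group and computer names are constructed placeholders, and the RSAT ActiveDirectory module is assumed to be available.

```powershell
# Added example, not from the original slides. Run from an elevated PowerShell
# session on a management host where the LAPS module (slide 8) is installed.
# The OU and group names below are constructed placeholders for your domain.

Import-Module AdmPwd.PS          # LAPS management module
Import-Module ActiveDirectory    # RSAT module, assumed present for the coverage check

$workstationsOU = "OU=Workstations,DC=example,DC=local"   # placeholder OU
$helpdeskGroup  = "EXAMPLE\LAPS-Password-Readers"         # placeholder group

# Slide 9: extend the schema (once per forest, as a member of Schema Admins)
Update-AdmPwdADSchema

# Slide 10: who already holds "All extended rights" on the OU? Each listed
# principal can read ms-Mcs-AdmPwd in clear text and may need that right revoked.
Find-AdmPwdExtendedRights -Identity $workstationsOU |
    Select-Object ObjectDN, ExtendedRightHolders

# Slide 11: let computers read their own expiry and write their own password
Set-AdmPwdComputerSelfPermission -OrgUnit $workstationsOU

# Slide 12: delegate read and expire (reset) rights to the helpdesk group
Set-AdmPwdReadPasswordPermission  -OrgUnit $workstationsOU -AllowedPrincipals $helpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $workstationsOU -AllowedPrincipals $helpdeskGroup

# Slide 15 check: ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME.
# Blank means the CSE has never written a password (not run yet, or it lacks the
# self-permission); a value in the past means a reset is due at the next Group
# Policy refresh, which is exactly the test the CSE applies (slides 4 and 5).
$now = [DateTime]::UtcNow
Get-ADComputer -SearchBase $workstationsOU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        $state = 'NotManaged'
        if ($raw) {
            $expires = [DateTime]::FromFileTimeUtc($raw)
            $state = if ($expires -le $now) { 'ResetDue' } else { 'OK' }
        }
        [pscustomobject]@{ Name = $_.Name; Expires = $expires; State = $state }
    } | Sort-Object State, Name | Format-Table -AutoSize
```

Computers reported as NotManaged after a Group Policy refresh and restart are the ones to investigate first, since the CSE writes to AD before it touches the local account.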
- 16. What’s Next
Congratulations! Your client-side devices are now much better protected against hackers.
If you have cause to access the passwords frequently, or when away from your main computer, you may want to try an alternative to the basic tools that Microsoft provide.
OVERLAPS Pro 1.2 provides a web-based interface with much greater functionality.
https://int64software.com/overlaps/