Download Laps Admin


Gracia Ziegenbein

Jan 21, 2024, 1:17:02 AM1/21/24
to disditeman

specifically the "Administrator Account Name" policy option: "Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account's password will be managed. Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created."

I don't like this option since I need to specify a password in plain text. I'm also thinking this policy will conflict with LAPS: OMA-URI will set a password, then LAPS will set a password. Who wins this fight? Do they both keep overwriting the admin password?

download laps admin

DOWNLOAD: https://t.co/RzOws0Ycax



Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.

The local Windows administrator account is a coveted target for hackers and malware. There are potentially a lot of bad things that can happen if a hacker can crack the local admin account of one of your servers.

Dreadful things also usually occur when someone downloads a malicious malware strain while using the administrator account. The magnitude of these problems is amplified even more if every similar machine uses the default administrator account with the same password.

Of course, you could customize the local admin credentials for every Windows device, but that can prove highly time-consuming, not to mention the task of inventorying the many credential sets. The process becomes virtually unworkable when you enable password refreshes (which you should, of course). This is why many admins often just disable it.

Microsoft Local Administrator Password Solution (LAPS) is a Microsoft tool that gives AD administrators the ability to manage the local account password of domain-joined computers and store them in AD.

If you have renamed the local admin account (which you should), you can then specify the updated name. Once the admin account is selected, the final step is to enable the Group Policy setting which configures the password settings (which include password length and age).

For environments in which users are required to log on to computers without domain credentials (such as local admin), password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. LAPS provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

However, in a typical identity attack, a compromised local administrator account allows attackers to perform Pass-the-Hash (PtH) attacks and move laterally within the organization by easily compromising more systems. Microsoft Local Administrator Password Solution (LAPS) fixes this issue by setting a unique complex password for the local administrator account on all domain-joined devices. This local administrator account password set by Microsoft LAPS will automatically change according to the password policy. The new passwords will be saved in Active Directory, and authorized engineers can retrieve passwords from the Active Directory server when required.


The next step of the configuration is to install Microsoft LAPS. To do that:

1. Download the Microsoft LAPS package from -us/download/details.aspx?id=46899
   This link does have multiple .msi files. You need to download the .msi file which matches your setup. In my demo environment, I am going to use LAPS.x64.msi.
2. Double-click the LAPS.x64.msi file. (You need to run this as administrator.)
3. It will open the new wizard. In the initial screen, click Next to continue.

Microsoft Local Administrator Password Solution (LAPS) is a free tool that randomizes the local administrator password on domain-joined computers. It is the best way to ensure the local admin account has a unique password and is changed on a regular basis.

Having the same local admin password on all computers is a huge security risk. This means if the local admin password is stolen on one computer then all computers may be compromised. The best defense against this security issue is to have a unique local administrator password on each computer.

The write permissions on the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes need to be modified for the SELF built-in account. This is required so the computers can update the password and expiration timestamp of the local administrator password. This is done by using PowerShell.

I am also trying to set up a custom admin account with the use of a script through group policy. The script creates the user and adds them to the administrators group. As far as I can tell the script works perfectly.

My trouble is that I cannot seem to link the LAPS password with my custom admin. I made sure to enable LAPS Management in group policy along with pointing the LAPS GP to the custom user. However, the custom account still uses the default password which I gave.

I've been using LAPS a while now. My understanding is it is designed only for the local admin. What I've seen regarding 'other users' has always been focused on a renamed local admin account, never multiple accounts.

LAPS generates secure admin passwords for each managed computer and stores that password in a protected Active Directory attribute. The password is also stored with a timestamp, so that when the password ages beyond the configured limit, it will be reset by the managed computer and the corresponding AD attribute will be updated.

In large Windows environments, managing administrator passwords is a surprisingly complex and potentially risky thing to do from a security standpoint. While sysadmins in most Active Directory environments will have domain user accounts for managing servers, there is still occasionally a need to log on with local credentials; for example, it's necessary if domain authentication is failing or unavailable.

By default, only the local system account and the domain admins group will have access to the passwords stored in AD. If your domain admins are not the same people that will manage the target machines, you can remove them from this group and add your own custom group. Be sure you don't skip these steps. Not setting the permissions correctly could expose administrator passwords to inappropriate users.

The Password Settings policy determines the length of the password and the maximum age it can reach before it resets. When the password is reset, the timestamp of the reset date will be recorded in AD. If the time elapsed between the timestamp date and the current date exceeds this value, the computer will reset the password and update AD with the new password and the current date and time.

Name the administrator account to manage. If you want to manage the built-in administrator account, leave this setting alone. LAPS will identify the account by the SID even if the account has been renamed.

LAPS uses the well-known SID of the built-in Administrator account. You can rename that account and LAPS will continue to work. However, as you correctly pointed out, if you use any other local admin account then you will need to update the client config GPO to reflect that name.

We have a mixed bag of local admin accounts on machines. One computer may use the default administrator account and another may have the built-in account disabled with an added custom admin account. How can I have LAPS manage both? Would this require two different policies? These machines are in the same OU.

I have never had a need to test that particular scenario, but I would imagine you should be able to stack policies on top of each other.
Because each policy applies specifically to the admin account named within it, the policy will just do nothing if the named account does not exist.

Unless there are reasons why you cannot, another option would be to push a separate policy that defines the local administrator accounts for all of your systems so that they become consistent. That would eliminate the mix of different admin account scenarios and make any related or future policies simpler to manage.

In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and the need for managing them properly. In this part, let us analyze the pros and cons of different approaches to managing the local administrator accounts.

Of all the attempts by Microsoft, perhaps the most successful one is the introduction of the Local Administrator Password Solution (LAPS). LAPS enables IT organizations to randomize the passwords of domain-joined local administrator accounts at periodic intervals. This ensures that the local admin accounts are assigned with strong, unique passwords that are periodically changed.

LAPS revolves fully around the Active Directory to manage the passwords of local administrator accounts. The local admin passwords are centrally stored in the Active Directory against the respective machine objects. Authorized users can retrieve the passwords when access is needed.

Through Group Policy, LAPS enforces strong, unique password usage. LAPS automatically identifies password expiration and generates a new password. Even if an attacker gains access to one local admin account, chances of lateral movement become remote. This saves your other endpoints and accounts in your network from attacks.
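As an added example (not part of the post above), the following PowerShell script shows the three administrative pieces the message describes for legacy LAPS (AdmPwd.PS module): granting SELF write access on the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, delegating password reads to a helpdesk group, and then auditing who can actually read passwords and which computers have passed their expiration timestamp. The OU path, the domain name and the group names are assumed placeholders.

```powershell
# Added example, not from the original post. Requires the AdmPwd.PS module that
# ships with the legacy LAPS installer and the RSAT ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou          = 'OU=Workstations,DC=example,DC=local'   # assumed OU (placeholder)
$readerGroup = 'EXAMPLE\LAPS-Password-Readers'          # assumed helpdesk group
# Assumed allow-list: the only principals expected to hold the read right.
$expectedHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', $readerGroup)

# 1. Let each computer (SELF) write its own ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime attributes so the client can rotate the password.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

# 2. Grant the helpdesk group the extended right to read the clear-text password.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup | Out-Null

# 3. Audit: list extended-right holders under the OU and flag anyone unexpected,
#    since an overlooked holder silently exposes every managed password.
$rights = Find-AdmPwdExtendedRights -Identity $ou
foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($expectedHolders -notcontains $holder) {
            Write-Warning "Unexpected password reader on $($entry.ObjectDN): $holder"
        }
    }
}

# 4. Expiration check mirroring the client logic: the attribute is a 64-bit
#    FILETIME, so convert it and compare with the current time. Computers with
#    no value have never been managed by LAPS and are reported separately.
$now = Get-Date
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            [pscustomobject]@{ Computer = $_.Name; Status = 'NotManaged'; Expires = $null }
        } else {
            $expires = [DateTime]::FromFileTime([int64]$raw)
            $status  = if ($expires -lt $now) { 'Expired' } else { 'Current' }
            [pscustomobject]@{ Computer = $_.Name; Status = $status; Expires = $expires }
        }
    } | Sort-Object Status | Format-Table -AutoSize
```

A computer reported as Expired should rotate on its next Group Policy refresh; one that stays Expired usually means the client-side extension is not installed or the SELF permission from step 1 is missing.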
