Microsoft Local Administrator Password Solution – Part 2 – Accessing & Resetting Passwords

LAPS is a fantastic free tool from Microsoft that manages Domain Member computer local account passwords. https://www.microsoft.com/en-us/download/details.aspx?id=46899

I have deployed LAPS for a number of Enterprise customers to use for managing their Domain Member Windows Server local Administrator account passwords.

In Part 2 of this blog series we will look at the different ways to view and reset the passwords.

Part 1 of this blog series “Deployment Considerations”

Part 3 of this blog series “Monitoring”

Part 4 of this blog series “Auditing” [Coming Soon]

Key Points

  • To view the LAPS passwords, you must be granted the All Extended Attributes permission over the object in Active Directory.
  • If the Group Policy setting “Do not allow password expiration time longer than required by policy” is set to Enabled, it will not be possible to set an expiry beyond the maximum LAPS Password Age Group Policy setting.

Graphical User Interface

When you install LAPS you are given the choice of which Management Tools to install.

LAPS Setup Options

The Fat client UI will install a simple app called AdmPwd.UI to the default install location %SYSTEMDRIVE%\Program Files\LAPS

When launched, you can search for the computer name. The password will be displayed along with the password expiration date.

Fat client UI

To manually reset the password, just click the Set button in the LAPS UI tool. When the next Group Policy refresh runs on the target machine, the password will be reset.

You can set a future date for the password to expire by clicking the drop-down icon on the New expiration time field.

PowerShell

When you install LAPS you are given the option of installing the PowerShell Module.

PowerShell module install

From a PowerShell prompt, run the following commands to retrieve a LAPS password:

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName "computername"

Retrieving the LAPS password using PowerShell

To set a new expiration time, run the following commands:

Import-Module AdmPwd.PS
Reset-AdmPwdPassword -ComputerName "computername" `
-WhenEffective "date time"

In the example below the password is being set to expire on 30th November 2019 at 10am.

By running Get-AdmPwdPassword again we can confirm that the ExpirationTimestamp attribute has been updated.

When the server refreshes its GPO after 30th November 10am, it will read the expiration attribute and trigger

  • The password is only reset if the client is able to write the new password to the AD computer object.
  • If the client does not have permission to do this, or a Domain Controller cannot be contacted at that time, the new password is discarded before it is applied to the local admin account.
  • Writing the password to AD before it is written to the local admin account protects against network interruptions during the process.

ADSI Edit

1. On any Domain Controller (or console running the Active Directory Remote Server Administration Tools) open ADSI Edit by right-clicking the Start button and selecting Run.

2. Enter ADSIEdit.msc and select OK.

Run ADSIEdit.msc

3. Right-click ADSI Edit in the left-hand menu and select Connect to. Choose the Default Naming Context.

Connect to Default naming context

4. On the left, navigate down through the Active Directory structure by double clicking.

5. Browse to the client’s computer object, right-click it and select Properties.

Computer object

6. On the Attribute Editor tab, scroll to the attributes:

Password attribute

ms-Mcs-AdmPwd – Stores the password in clear text

ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

  • The expiration time is displayed in computer date format. It must be manually converted to a readable date format.
  • You can set the expiration time here by converting the desired date back to computer date format and editing the attribute within ADSIEdit.
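As an added example, not code from the original post, the following PowerShell helpers do the date conversion the ADSI Edit steps describe and read or write the attribute directly with the ActiveDirectory module, applying the same expiry limit noted under Key Points. The function names, the use of the ActiveDirectory RSAT module, and the assumed 30-day maximum password age are my own assumptions, not part of LAPS.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module and rights to read/write ms-Mcs-AdmPwdExpirationTime on the computer object.
# The attribute is stored as a Windows FILETIME: 100-nanosecond intervals since
# 1601-01-01 UTC, which is the "computer date format" shown in ADSI Edit.

function ConvertFrom-AdmPwdExpirationTime {
    param([Parameter(Mandatory)][Int64]$FileTime)
    # A missing or already-past value means the client resets the password at its next refresh.
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime).ToLocalTime()
}

function ConvertTo-AdmPwdExpirationTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    return $Date.ToUniversalTime().ToFileTimeUtc()
}

function Get-LapsExpiry {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $raw = [Int64]$c.'ms-Mcs-AdmPwdExpirationTime'
    [PSCustomObject]@{
        ComputerName = $c.Name
        RawValue     = $raw                                   # as shown in ADSI Edit
        Expires      = ConvertFrom-AdmPwdExpirationTime $raw  # readable local time
    }
}

function Set-LapsExpiry {
    # Writes the attribute directly, as the ADSI Edit steps do; the client resets the
    # password on its first Group Policy refresh after this time.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][DateTime]$WhenEffective,
        [int]$MaxPasswordAgeDays = 30   # assumed value; match your LAPS "Password age" GPO setting
    )
    $latest = (Get-Date).AddDays($MaxPasswordAgeDays)
    if ($WhenEffective -gt $latest) {
        # Mirrors the Key Points caveat: with the "Do not allow password expiration time
        # longer than required by policy" setting enabled, a later expiry is not honoured.
        throw "Expiry $WhenEffective is later than the policy maximum ($latest)."
    }
    $ft = ConvertTo-AdmPwdExpirationTime $WhenEffective
    Set-ADComputer -Identity $ComputerName -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = $ft }
}

# The post's example date converted to the stored form (no AD access needed for this line)
ConvertTo-AdmPwdExpirationTime (Get-Date '2019-11-30 10:00')
```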
