LAPS is a fantastic free tool from Microsoft that manages Domain Member computer local account passwords. https://www.microsoft.com/en-us/download/details.aspx?id=46899
I have deployed LAPS for a number of Enterprise customers to use for managing their Domain Member Windows Server local Administrator account passwords.
In Part 2 of this blog series we will look at the different ways to view and reset the passwords.
Part 1 of this blog series “Deployment Considerations”
Part 3 of this blog series “Monitoring”
Part 4 of this blog series “Auditing” [Coming Soon]
- To view the LAPS passwords, you must be granted the All Extended Attributes permission over the object in Active Directory.
- If the Group Policy setting “Do not allow password expiration time longer than required by policy” is set to Enabled, it will not be possible to set an expiry beyond the maximum age defined by the LAPS Password Age Group Policy setting.
Graphical User Interface
When you install LAPS you are given the option of Management Tools to install.
The Fat client UI will install a simple app called AdmPwd.UI to the default install location %SYSTEMDRIVE%\Program Files\LAPS
When launched, you can search for the computer name. The password is displayed along with its expiration date.
To manually reset the password, just click the Set button in LAPS UI tool. When a Group Policy refresh runs on the target machine, the password will be reset.
You can set a future date for the password to expire by clicking the drop down icon on the New expiration time field.
PowerShell Module
When you install LAPS you are given the option of installing the PowerShell module.
From a PowerShell prompt, run the following commands to retrieve a LAPS password:
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName "computername"
To set a new expiration time, run the following commands:
Import-Module AdmPwd.PS
Reset-AdmPwdPassword -ComputerName "computername" -WhenEffective "date time"
In the example below the password is being set to expire on 30th November 2019 at 10am.
By running Get-AdmPwdPassword again we can confirm that the ExpirationTimestamp value has been updated.
When the server refreshes its GPO after 30th November 10am, it will read the expiration attribute and trigger
- The password only resets if the client is able to write the new password to the AD computer object.
- If the client does not have permission to do this, or a Domain Controller cannot be contacted at that time, the new password is discarded before it is applied to the local admin account.
- Writing the password to AD before the password is written to the local admin account protects against network interruptions during the process.
ADSI Edit
1. On any Domain Controller (or console running Active Directory Remote Server Administration Tools) open ADSI Edit by right-clicking the Start button and selecting Run.
2. Enter ADSIEdit.msc and select OK.
3. Right click ADSI Edit in the left hand menu and select Connect to. Choose the Default Naming Context.
4. On the left, navigate down through the Active Directory structure by double clicking.
5. Browse to the client’s computer object, right-click it and select Properties.
6. On the Attribute Editor tab, scroll to the attributes:
ms-Mcs-AdmPwd – Stores the password in clear text
ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password
- The expiration time is stored in computer date format (a large integer timestamp, not a readable date). It must be manually converted to a readable date format.
- You can also set the expiration time here by converting the desired date back to computer date format and editing the attribute within ADSI Edit.
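The same read and write of ms-Mcs-AdmPwdExpirationTime can be done from PowerShell with the Active Directory RSAT module, which does the date conversion for you. This is an added example and not code from the original post or from LAPS itself; it assumes the ActiveDirectory module is installed, that the caller has the rights described above, and that SERVER01 is a placeholder computer name.

```powershell
# Added example: read and set the LAPS expiration attribute with the ActiveDirectory
# module instead of ADSI Edit. The attribute is a Windows file time, i.e. an integer
# count of 100-nanosecond intervals since 1 January 1601 UTC, which is the
# "computer date format" referred to above.
Import-Module ActiveDirectory

function Get-LapsExpiration {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $raw = $computer.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) { return $null }   # attribute not yet populated by the LAPS client
    # Convert the raw file-time integer into a readable local date/time.
    return [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
}

function Set-LapsExpiration {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][DateTime]$WhenEffective
    )
    # Convert the readable date back into the file-time integer the attribute expects.
    $fileTime = $WhenEffective.ToFileTimeUtc()
    Set-ADComputer -Identity $ComputerName -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = $fileTime }
    # Read the attribute back so the caller can confirm the write took effect.
    return Get-LapsExpiration -ComputerName $ComputerName
}

# Usage (SERVER01 is a placeholder): show the current expiry, then move it to
# 30 November 2019 10:00, the date used in the post's own example.
Get-LapsExpiration -ComputerName 'SERVER01'
Set-LapsExpiration -ComputerName 'SERVER01' -WhenEffective (Get-Date '2019-11-30 10:00')
```

As with ADSI Edit, the client only resets the password once the expiry has passed and it next refreshes Group Policy, and the Group Policy maximum password age still caps how far ahead the expiry can be moved.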