A common challenge for many organizations is the mass deployment of workstations and servers. Efficient administrators deploy these systems from images; ISO, VM template, WIM, AMI, etc; which leads to the issue of common Administrator passwords across the fleet or having to reset and manage a large volume of unique passwords for these local accounts. Even with a modest number of systems, this is a security problem leading to common passwords and credential stuffed spreadsheets. A major concern today are Pass-the-Hash (PtH) attacks that take advantage of weak or common local Administrator account passwords to compromise privileged Active Directory accounts through lateral attacks.

Fortunately, Microsoft has provided a solution we can deploy with Active Directory. The Local Administrator Password Solution (LAPS) empowers administrators to manage the local Administrator account password on domain joined computers. The local Administrator password is stored as an attribute on the computer object in the directory and access is limited by access control list. This ensures that only authorized users can read the password or request its reset. The passwords are randomly generated by Active Directory and are unique for each enrolled computer. Using PowerShell, LAPS console, or the Active Directory Users & Computers mmc will allow authorized users to retrieve the password for use and reset if necessary.

Installing and operating LAPS is simple. Microsoft provides LAPS free of charge from their support web site. Installation requires Schema Admin and Domain Admin rights. In order to support the storage of the randomly generated credentials, the LAPS installation updates the Active Directory schema to add attributes to the Computer object class. Targeted systems will need to have a Group Policy extension added and have their parent Organizational Unit updated for LAPS usage.

Update the Active Directory Schema

You must populate the Schema Admins group in root domain of the Active Directory Forest with the security principal executing the Update-AdmPwsADSchema PowerShell cmdlet. Running the Update-AdmPwsADSchema PowerShell cmdlet will update the schema of the Active Directory Forest. After updating the schema of the Active Directory Forest, remove the security principal that executed the Update-AdmPwsADSchema PowerShell cmdlet. The Schema Admins group should always remain empty unless membership is required for an update. This process will only be performed once per msiexec.exe /i LAPS.x64.msi ADDLOCAL=Management, Management.UI, Management.PS, Management.ADMX /quiet Active Directory Forest. The schema update will modify the Computer object class adding the ms-Mcs-AdmPwdExpirationTime & ms-Mcs-AdmPwd attribute for local password management.

Allow Computer Objects to Update Password

After the Schema extension is in place, you can designate organizational units for their subordinate computer objects for local Administrator password management.

In order to start managing the clients local Administrator password, you will need to deploy a Group Policy to these systems. This will allow you to establish your local password policy focusing on password complexity, length and age.

Group Policy Object Example Setup

1. Create a new Group Policy object and provide appropriate nomenclature
2. Link it to the target parent Organizational Unit(s)
3. Change the Security Filtering by removing Authenticated Users and replacing with Domain Computers
4. Right click on the GPO name under the Group Policy Objects
5. Select GPO Status
6. Select User Configuration Settings Disabled
7. Under Settings tab for the Group Policy object
8. Right click and select Edit…
9. Select Computer Configuration
10. Select Policies
11. Select Administrative Templates
12. Select LAPS

LAPS Policy Settings

When you configure your GPO for LAPS, these are the settings that will require your attention.

Password Settings

Establish password complexity, length, and age for the policy. This should be enabled and the settings match your Information Security guidelines for passwords.

Setting Default Value

Password Complexity Large letters + small letters + numbers + specials

Password Length 14

Password Age (Days) 30

Name of administrator account to manage

This setting is only used when a custom local administrator account is being used. This should be disabled unless a non-standard local administrator account is being used.

Do not allow password expiration time longer than required by policy

When you enable this setting, planned password expiration longer than password age dictated by “Password Settings” policy is not allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. This policy should be enabled to ensure the password age defined in the Password Settings policy.

Enable local admin password management

Enables management of password for local administrator account. This must be enabled for LAPS to manage the local administrator password. To prevent LAPS from managing the local administrator password, set this to disabled.

Now that the parent organizational unit for the computer objects have been configured for LAPS using Set-AdmPwdComputerSelfPermission and are targeted by LAPS Group Policy, the member workstations and servers need to have the Group Policy extension installed. This can be deployed quietly through your configuration management using the same MSI package that was downloaded and installed the Schema components for LAPS. No user interaction is required for installation.

Allow Access to Read Computer Object Passwords

In order to allow access to the local administrator password stored on the ms-Mcs-AdmPwd attribute on the computer object, a user or group must be granted permission. The PowerShell Cmdlet Set-AdmPwdReadPasswordPermission provides this capability.

Retrieve the Local Administrator Password for a domain bound computer

If a security principal has the rights to retrieve a password, PowerShell can provide password in clear text using Get-AdmPwsPassword or by directly looking at the ms-Mcs-AdmPwd attribute on the computer object.

Reset the Local Administrator Password for a domain bound computer

The Reset-AdmPwdPassword will instruct the target domain joined computer to reset its Local Administrator password. The password change will occur at the next Group Policy update by the target domain bound computer. By default, member workstations and member servers query an available domain controller every 90 minutes. It is also understood that LAPS is dependent on healthy replication for the distribution of the Group Policy object to all domain controllers in the domain of the domain bound computer.

Instruct the Computer to Change its Password during next GPO Update

If you feel a local Administrator password is insecure for whatever reason, you can immediately reset it on the computer’s next query of Group Policy. If you need to expedite the password change, force Group Policy locally on the system.

[cci lang=”xml” escaped=”true” lines=”30” nowrap=”true”]
PS > Reset-AdmPwdPassword -ComputerName WORKSTATION
DistinguishedName Status
—————– ——
CN=WORKSTATION,OU=Workstations,DC=ad,DC=innova,DC=io PasswordReset
[/cci]

Instruct the Computer to Change its Password Eight Hours in the Future

You can also instruct LAPS to reset the password in the near future. An example use case would be to grant an Application Developer local Administrator account access by providing the current password from LAPS then reset the password 8 hours later when that user is done with their work.

[cci lang=”xml” escaped=”true” lines=”30” nowrap=”true”]
PS > Reset-AdmPwdPassword -ComputerName APPSERVER03 -WhenEffective (Get-
Date).AddHours(8)
DistinguishedName Status
—————– ——
CN=WORKSTATION,OU=Workstations,DC=ad,DC=innova,DC=io PasswordReset
[/cci]

You can explore more of the tools used for the management by reviewing the AdmPwd.PS Module cmdlets.

Unlike a normal user object, you have to install the gMSA on the member server. in order to perform that installation you must have the Active Directory PowerShell Module locally installed on the target.

Install Active Directory RSAT Windows Feature

gMSA Installation

Once the member server has the Active Directory PowerShell Module available, you can run the Install-ADServiceAccount cmdlet to install the gMSA and assign it to a Windows Service, App pool, Scheduled Task, or other compatible service. One common issue with installing a gMSA is that the kerberos ticket on computer does not have a reference to the delegation immediately. There are two solutions to this problem. First is the standard Windows administrator trick, reboot. Another solution is the reset the local Kerberos ticket using klist and get a fresh one with the referenced delegation. That example is included here.

gMSA CmdLets

You can explore more of the PowerShell tools used for the management by reviewing the ADServiceAccount cmdlets.

Back