LAPS and MS14-025

This short post is to remind you of a few things regarding the coexistence of LAPS and local account password management via Group Policy Preferences (GPP) after installing hotfix 2928120 (MS14-025).

Managing local account passwords via GPP was never a good idea from a security perspective, so this functionality was disabled by the hotfix mentioned above.

However, installing the hotfix only disables the ability to make changes to the relevant parts of GPP; it keeps the current settings in place so as not to disrupt processes that may already rely on settings distributed by GPP.

When installing LAPS into an environment, people may forget to remove the local administrator password management settings from GPP, thinking they were removed by the installation of the hotfix mentioned above. This results in two independent processes managing the password of the local administrator account, which invalidates the password that LAPS stores in AD on the computer account.

So when installing LAPS, please always make sure that the local administrator password management settings are removed from GPP prior to deploying LAPS.
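As an added example (not part of the original post), the following PowerShell audit lists the GPP "Local Users and Groups" items in SYSVOL that still carry a password value, i.e. the leftover settings that would keep overwriting the password LAPS stores in AD. It assumes read access to SYSVOL, takes the domain name from the environment, and uses Get-GPO only if the GroupPolicy RSAT module happens to be installed.

```powershell
# Added example, not from the original post: audit SYSVOL for GPP
# "Local Users and Groups" items that still set a local account password.
# Assumptions: read access to SYSVOL; domain name taken from the environment
# (adjust as needed); Get-GPO is optional and only used to resolve names.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"

# Groups.xml can exist under both the Machine and the User side of a GPO.
$findings = @(Get-ChildItem -Path $policies -Recurse -Filter 'Groups.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        [xml]$xml = Get-Content -Path $file -Raw

        # Each <User> element is one managed local account. A cpassword attribute
        # means GPP still sets (or resets) that account's password, even though the
        # MS14-025 hotfix no longer lets you edit that value in the GPP editor.
        foreach ($u in $xml.SelectNodes('//User')) {
            $props = $u.Properties
            if ($props -and $props.cpassword) {
                $guid = (($file -split '\\Policies\\')[1] -split '\\')[0]
                $name = $guid
                try { $name = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch {}
                [pscustomobject]@{
                    GPO      = $name
                    Scope    = if ($file -match '\\Machine\\') { 'Machine' } else { 'User' }
                    Account  = $props.userName
                    Action   = $props.action     # C/R/U/D = Create/Replace/Update/Delete
                    Disabled = $u.disabled       # "1" when the item itself is disabled
                    File     = $file
                }
            }
        }
    })

if ($findings.Count -eq 0) {
    "No GPP local account password settings found under $policies"
} else {
    # Every row listed here should be removed (or its password setting cleared)
    # before LAPS takes over the account.
    $findings | Sort-Object GPO | Format-Table -AutoSize
}
```

Run it from a domain-joined management machine before the LAPS GPO is linked; an empty result is the state the post asks you to reach.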

Comments

  • Anonymous
    June 19, 2015
    Hi Jiri, I'm trying to get some more information about some of the internals of LAPS. Is there a contact point or forum where this is best able to be discussed?

  • Anonymous
    July 01, 2015
    I have deployed and configured LAPS on my test environment and LAPS UI can't find my computer name and cmdlet Get-AdmPwdPassword -ComputerName testvm1 doesn't display password either. Any idea what might be causing this problem? I followed official LAPS operations guide during the LAPS deployment and all permissions are set correctly.

  • Anonymous
    July 16, 2015
    As of the new release dated July 7th, version 6.1, the Find-AdmPwdExtendedrights feature no longer works. Any attempt, with any value, returns an error: "Find-AdmPwdExtendedrights : No such object found".

  • Anonymous
    July 17, 2015
    @Chris: what are you interested in? I believe that quite a lot can be found in the tech specs document downloadable with LAPS. Also, at aka.ms/admpwd is the predecessor of LAPS, along with source code, so you can see for yourself.
    @Luu: Try updated version 6.0.1. We fixed a bug that caused computers not to be found in forests with multiple domain trees.
    @Dave: This was the behavior of 6.0.0 when you ran the cmdlet in a forest that did not contain the schema update for LAPS. We added a switch in 6.0.1 that allows this. Are you sure you run 6.0.1 with the switch?
    Jiri

  • Anonymous
    July 20, 2015
    Jiri, thanks for your response. I was not a member of the Schema Admins group. Once added, the Find-AdmPwdExtendedrights feature worked correctly. Sorry about the oversight on my part. The documentation does note that requirement.

  • Anonymous
    October 02, 2015
    When installing LAPS on the management machine, is the LAPS GPO extension local, or should I see it in the domain?

  • Anonymous
    February 26, 2016
    What are the changes in LAPS version 6.0.0 and 6.1? Are these changes major differences?

    • Anonymous
      March 24, 2016
      Hi Dee, please see the dedicated article posted to this blog; it summarizes the changes.
      Regards, Jiri
  • Anonymous
    March 22, 2016
    Hi Jiri, I have multiple child domains and each child domain has an identical OU structure. For example, the servers OU is named Servers. So when I run Find-AdmPwdExtendedRights -identity Servers from a child domain, it gives me the error "find-admpwdextendedrights : More than one object found, search using distinguishedName instead" since it finds an identical OU in each child domain within the forest. Input of a DN does not work either.

    • Anonymous
      March 24, 2016
      Hi Krish, the way with passing a DN is expected to work. Can you share more details on why it does not work and what you're observing?
      Thanks, Jiri
  • Anonymous
    February 03, 2017
    Hello Jiri, I have set up LAPS in our environment.
    - I can see the password on the attribute.
    - We are not using the built-in local admin account.
    - Group Policy is set up correctly.
    - I checked the access and all is set up correctly.
    The issue here is that the password generated by LAPS is not working on the client machines.
    [Aaron Margosis] In what way is it not working? Is the account not allowed to log on, or does it say the password is wrong when you try?

  • Anonymous
    August 21, 2017
    Hi Jiri, I want to know whether there is any central management or interface which tells us about the number of systems on which it is installed and not, just like the WSUS interface. We want to know about the details in a centrally managed interface. Is there anything like that?

    • Anonymous
      August 21, 2017
      Jiri wrote a few lines of code that utilize his S.DS.P PowerShell module ( https://github.com/jformacek/S.DS.P ) and return the number of computers that are enrolled and not enrolled in LAPS. Unfortunately there is no centrally managed interface. Here is the code:

      Import-Module S.DS.P
      $searchBase="dc=mydomain,dc=com"
      $Server="mydomain.com"
      # Enrolled: computers that have ms-Mcs-AdmPwdExpirationTime populated (presence filter)
      $enrolledComputers=Find-LdapObject -searchFilter "(&(objectClass=computer)(ms-MCS-AdmPwdExpirationTime=*))" -searchBase $searchBase -LdapServer $Server
      # Not enrolled: computers where the attribute has never been written
      $nonEnrolledComputers=Find-LdapObject -searchFilter "(&(objectClass=computer)(!(ms-MCS-AdmPwdExpirationTime=*)))" -searchBase $searchBase -LdapServer $Server
      "Enrolled: $($enrolledComputers.Count)"
      "Not enrolled: $($nonEnrolledComputers.Count)"
  • Anonymous
    April 26, 2018
    Hi guys, what if I have got a couple of local administrator accounts on a client? Will LAPS be smart enough to generate random passwords for all local admin accounts?
    [Aaron Margosis] LAPS manages one local account. There's no real value in having more than one administrative local account. There's no separation between accounts. Each account can take over any other local account.