LAPS and Nano Server
Some of you know that the new Windows Server 2016 "Nano Server" deployment option will not support Group Policy, and may be asking how you are expected to manage the local Administrator password on it.
The good news is that we're working on an implementation of the Local Administrator Password Solution (LAPS) client for Nano Server, so that managing local administrator passwords will be possible there, too!
This article describes an early version of the LAPS client for Nano Server, so if you are interested, read on to find out how to download, install and test it.
The LAPS client for Nano Server has a different implementation from the "classic" LAPS client:
- Rather than GPO Client Side Extension (CSE), LAPS client for Nano Server is implemented as a Windows Service
- Configuration parameters (password complexity, age, etc.) are still taken from Windows registry, but are distributed there by the PowerShell Desired State Configuration (DSC), rather than Group Policy.
Apart from this, we kept the implementation aligned with the "classic" LAPS, so you can still:
- Find the configuration parameters at the same place in registry (HKLM\Software\Policies\Microsoft Services\AdmPwd)
- See event source AdmPwd in the Application log, with the same Event IDs and messages
What to do if you want to test LAPS client for Nano Server in your environment?
Update 23.11.2016
PS Gallery was updated with RTM version of LAPS Client for Nano. Tested on Nano server with October 2016 Cumulative Update.
Current version is 1.0.0.5.
The steps in the article below were slightly modified so that they apply to the RTM version.
Enjoy,
Jiri
Prerequisites
- Solution was tested on TP5 of Nano server, and is not expected to work on earlier builds of Nano
- Solution only works on Nano server - it is not designed to run on standard Windows 2016 server, or on earlier versions of Windows
- Solution depends on PowerShell DSC. Depending on where you test it, you may need to install PowerShell DSC first
- An Azure VM provisioned from the Nano RTM image in the Azure VM gallery needs this
- Installation commands for your reference:
    Save-Module -Path "$Env:ProgramFiles\WindowsPowerShell\Modules\" -Name NanoServerPackage -MinimumVersion 1.0.1.0
    Import-PackageProvider NanoServerPackage
    Find-NanoServerPackage Microsoft-NanoServer-DSC-Package | Install-NanoServerPackage
- Solution expects that the Nano server is joined to the domain - join it via djoin prior to installing
- For remote management using GUI tools (event viewer, etc.), you may want to enable firewall rules via
    Enable-NetFirewallRule
  Scope the call to the rule groups you actually need (for example with -DisplayGroup) rather than enabling every inbound rule on the server
- Solution expects the same AD permission delegation as the "classic" LAPS client - perform the necessary delegations via the
    Set-AdmPwdComputerSelfPermission
  cmdlet, if needed
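The prerequisites above, carried out in order from a domain-joined management workstation, as an added PowerShell example (not part of the original post). The domain corp.example, the Nano host NANO01, the OU "OU=NanoServers,DC=corp,DC=example" and the group LAPS-Readers are assumed names; the example also assumes the AdmPwd.PS module is installed on the workstation and that WinRM to the not-yet-joined Nano server is already allowed (TrustedHosts). Set-AdmPwdReadPasswordPermission is not mentioned in the post; it is the classic LAPS cmdlet for the read side of the delegation and is included so the password is readable only by a dedicated group.

```powershell
# Added example, not from the original post. Assumed names: corp.example, NANO01,
# OU=NanoServers,DC=corp,DC=example, LAPS-Readers.

$nano = 'NANO01'
$ou   = 'OU=NanoServers,DC=corp,DC=example'

# --- 1. AD side: offline-join blob and LAPS delegation (management workstation) ---

# Pre-create the computer account and save the offline domain join blob
djoin.exe /provision /domain corp.example /machine $nano /machineou $ou /savefile "C:\Temp\$nano.djoin"

# Same delegation as for the classic LAPS client: computers in the OU may write
# their own password and expiry time ...
Import-Module AdmPwd.PS
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# ... and only one dedicated group may read the passwords (these are local admin secrets)
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'LAPS-Readers'

# --- 2. Nano side: join, install DSC, open the management firewall groups ---

# Local Administrator credentials of the not-yet-joined Nano server
$s = New-PSSession -ComputerName $nano -Credential (Get-Credential -Message "Local admin of $nano")

# Ship the join blob over the PS session (no SMB share needed)
Copy-Item -Path "C:\Temp\$nano.djoin" -Destination 'C:\Temp\' -ToSession $s

Invoke-Command -Session $s -ScriptBlock {
    # Apply the offline join blob to the running OS (takes effect after reboot)
    djoin.exe /requestodj /loadfile "C:\Temp\$using:nano.djoin" /windowspath $env:SystemRoot /localos

    # PowerShell DSC package (needed e.g. on the Azure Nano RTM gallery image)
    Save-Module -Path "$Env:ProgramFiles\WindowsPowerShell\Modules\" -Name NanoServerPackage -MinimumVersion 1.0.1.0
    Import-PackageProvider NanoServerPackage
    Find-NanoServerPackage Microsoft-NanoServer-DSC-Package | Install-NanoServerPackage

    # Firewall: open only the rule group needed for the remote Event Viewer,
    # not every inbound rule on the box
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

    Restart-Computer -Force
}
Remove-PSSession $s
```

After the reboot the server is a domain member and DSC is present, so the installation steps below can be run over a session authenticated with domain credentials.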
Important: Solution is still work in progress - the same as Nano server is. So expect updated versions from time to time. Final code will be released after Nano is finished
Installation
We published the module LAPS.Nano.DSC to the PowerShell Gallery. Simply connect to your Nano server, find it and install it:
    Enter-PSSession -ComputerName MyNanoServer
    Find-Module LAPS.Nano.DSC | Install-Module
Module gets installed to %ProgramFiles%\WindowsPowerShell\Modules\LAPS.Nano.DSC\<version>
What gets installed?
| File | Description |
|---|---|
| LAPS.Nano.DSC.psd1 | Module definition file |
| LAPS.Nano.DSC.psm1 | Module implementation that contains the DSC resource for LAPS client installation/uninstallation/upgrade |
| Config\LAPS.Nano.DSC.Config.ps1 | Sample DSC configuration for maintenance of LAPS client parameters (password length, complexity, etc.) |
| Config\LAPS.Nano.DSC.Install.ps1 | Sample DSC configuration for LAPS client installation |
| Redist\msvcp140.dll | VC++ runtime |
| Redist\vcruntime140.dll | VC++ runtime |
| Runtime\LAPS.Nano.Service.exe | LAPS client for Nano binary |
| Runtime\Messages.man | ETW manifest for the EventLog service |
How to install
All installation tasks are done directly on Nano server.
After the LAPS.Nano.DSC module is installed, you first need to create the configuration data in the registry. You are expected to take the sample configuration installed with the module, modify it if necessary, and create the .mof file:
    Enter-PSSession -ComputerName MyNanoServer
    &"$env:ProgramFiles\WindowsPowerShell\Modules\LAPS.Nano.DSC\<version>\Config\LAPS.Nano.DSC.Config.ps1"
Note: Replace <version> with the actual version of the DSC module
localhost.mof is created in LAPS_Nano_Config subfolder of current folder (in my case, it's C:\Temp), and it's ready to be applied to local machine:
Start-DscConfiguration -Wait -Force -Path C:\Temp\LAPS_Nano_Config -Verbose
After the configuration is applied, you should see the configuration values created under HKLM\Software\Policies\Microsoft Services\AdmPwd in the registry of the Nano server.
Then create configuration for LAPS client installation:
&"$env:ProgramFiles\WindowsPowerShell\Modules\LAPS.Nano.DSC\<version>\Config\LAPS.Nano.DSC.Install.ps1"
localhost.mof is created in LAPS_Nano_Install subfolder of current folder (in my case, it's C:\Temp), and it's ready to be applied to local machine:
Start-DscConfiguration -Wait -Force -Path C:\Temp\LAPS_Nano_Install -Verbose
Installation is performed by DSC resource cLapsNanoInstall. It performs the following tasks:
- Copies VC++ runtime to %SystemRoot%\System32
- Copies LAPS client binaries to %ProgramFiles%\AdmPwd\CSE\
- Registers ETW manifest for event logging
- Installs LAPS.Nano Windows Service
- Starts the service
After the command finishes, you should see the LAPS.Nano service installed and running.
After 20 minutes (the default password management cycle interval), you should see events from source AdmPwd in the Application event log; the sample configuration provided turns on detailed logging.
Then you should be able to see the password of the local Administrator account via the LAPS management tools (the LAPS UI or the Get-AdmPwdPassword cmdlet), and use it for logon.
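The whole installation procedure above, run end to end from a management workstation and followed by the checks a practitioner would want before trusting the rollout, as an added PowerShell example (not part of the original post). Assumed, not from the post: the Nano server is named NANO01, the working folder is C:\Temp, the installed Windows service is registered under the name LAPS.Nano, the AdmPwd.PS module is installed on the workstation, and the Remote Event Log Management firewall group has been enabled on the server. The installed module version is resolved with Get-Module instead of hard-coding <version>.

```powershell
# Added example, not from the original post. Assumed: host NANO01, working
# folder C:\Temp, service name LAPS.Nano, AdmPwd.PS installed locally.

$nano    = 'NANO01'
$session = New-PSSession -ComputerName $nano

Invoke-Command -Session $session -ScriptBlock {
    # The sample scripts write LAPS_Nano_Config / LAPS_Nano_Install under the current folder
    New-Item -ItemType Directory -Force -Path C:\Temp | Out-Null
    Set-Location C:\Temp

    # 1. Install (or update) the module from the PowerShell Gallery.
    #    -Force suppresses the untrusted-repository prompt in this non-interactive session.
    Find-Module LAPS.Nano.DSC | Install-Module -Force

    # Resolve the installed version rather than hard-coding <version>
    $moduleBase = (Get-Module LAPS.Nano.DSC -ListAvailable |
                   Sort-Object Version -Descending | Select-Object -First 1).ModuleBase

    # 2. Parameters (password length, age, complexity ...) -> registry via DSC
    & "$moduleBase\Config\LAPS.Nano.DSC.Config.ps1"
    Start-DscConfiguration -Wait -Force -Path C:\Temp\LAPS_Nano_Config -Verbose

    # 3. Client binaries + service via the cLapsNanoInstall resource (Ensure = 'Present').
    #    Re-running this after installing a newer module version upgrades the client.
    & "$moduleBase\Config\LAPS.Nano.DSC.Install.ps1"
    Start-DscConfiguration -Wait -Force -Path C:\Temp\LAPS_Nano_Install -Verbose

    # 4. Verify: parameters landed in the same policy key the classic client uses ...
    Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

    # ... the service exists and is running ...
    Get-Service -Name 'LAPS.Nano'

    # ... and the Local Configuration Manager reports the node as compliant
    Test-DscConfiguration
}
Remove-PSSession $session

# 5. After the first cycle (20 minutes by default): AdmPwd events on the server,
#    read remotely, then the password itself from AD.
Get-WinEvent -ComputerName $nano -MaxEvents 10 `
    -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } |
    Format-Table TimeCreated, Id, Message -AutoSize

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName $nano
```

If Get-AdmPwdPassword returns an empty password, check the AdmPwd events first: a delegation error on the computer object shows up there long before anything else, and it means Set-AdmPwdComputerSelfPermission has not been applied to the OU the Nano server lives in.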
Frequently asked questions
Q: What if you release a new version of the LAPS.Nano client? How do I upgrade?
A: Just download the new version of the LAPS.Nano.DSC module, create the installation MOF file with Ensure = 'Present' as shown above, and apply the updated configuration. The DSC resource cLapsNanoInstall upgrades the LAPS client to the latest version.
Q: I uninstalled the LAPS client, but the VC++ runtime DLLs weren't removed. Is this expected?
A: Yes. Currently, we don't uninstall the VC++ runtime during LAPS client uninstall.
(more Q&A will be added as questions come in)
Looking forward to your feedback!