Main menu (IT)

LAPS

LAPS – Local Administrator Password Solution

Background

Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis. The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD.

Use of LAPS by Delegated OU customers is required. LAPS is a critical security component that protects computers and  the CSUN network. It is the Delegated OU customer’s responsibility to enable and configure LAPS for client computers, and manage access to the stored passwords. The customer’s side of the LAPS implementation consists of three parts, a client-side extension (CSE), Group Policy Object (GPO) administrative template files (ADMX files) and a GPO to apply desired LAPS settings on computers, and administrative tools used to retrieve the stored password.

How to Implement LAPS

Download the LAPS installation media

  1. Deploy LAPS CSE (client side extensions) to all managed computers.. un setup and choose AdmPwd GPO Extension.  It is not necessary to install any other component on the managed computer. Using the installer has the benefit of the program being visible in add/remove programs.
    1. SCCM application deployment

                                                         i.      \Software Library\Overview\Application Management\Applications\Public-Centrally Managed\Microsoft\Microsoft LAPS Extension 6.2

  1. Deploy LAPS UI (administrator console) to your computer.
    1. SCCM application deployment

                                                         i.      \Software Library\Overview\Application Management\Applications\Public-Centrally Managed\Microsoft\Microsoft LAPS UI 6.2

  1. Deploy GPO "IT-LAPS" to your OU.
  2. Create a ticket requesting access to LAPS password
    1. Provide OU
    2. Provide AD group that contains your a_accounts

Retrieving a Password

The password can be retrieved using three common tools:

  • Active Directory Users and Computers (ADUC),
  • PowerShell
  • Any LDAP Client

If a user without permission tries to view a password they will simply see the value “<not set>”.

ADUC Password Retrieval

Using ADUC, open the target computer object, click the attribute tab, scroll through the attributes and find the field ms-Mcs-AdmPwd.

PowerShell and Fat Client Installation

To use PowerShell run setup and install the PowerShell CmdLets

Powershell Password Retrieval

To retrieve a password using PowerShell, issue the following command:

Get-AdmPwdPassword –ComputerName <ComputerName>

The password will be one of the returned attributes, it will be blank if the user does not have permission to read the password.

 

FAQs

Where can I find more information?

LAPS is a Microsoft solution and you can find more at https://technet.microsoft.com/en-us/mt227395.aspx.

Microsoft provides risk analysis related to LAPS here: https://docs.microsoft.com/archive/blogs/askpfeplat/local-administrator-password-solution-laps-implementation-hints-and-security-nerd-commentary-including-mini-threat-model/

Is there an MS Teams for this?

We have an MS TEAMS working group (SCCM -SG-CAMPUS-OSD) with documentation.