Managing the built-in accounts on domain computers is one of the security tasks that deserves a system administrator's full attention. In particular, the same local administrator password must not be reused on every computer: once an attacker recovers it from one machine (from the local SAM, a deployment script, or a cached hash usable for pass-the-hash), it opens all of them. There are several approaches to managing local administrator accounts in a domain, from disabling them outright (inconvenient when a machine loses its domain trust or network access and the built-in account is the only way in) to rotating them with GPO logon scripts or building a home-grown account and password management system.
Earlier, one popular way to change the local administrator password on PCs was Group Policy Preferences (GPP). Later a serious weakness was found: the password is stored in the policy XML in SYSVOL, readable by every authenticated user, and encrypted with an AES key that Microsoft had published, so any domain user can decrypt it. (We described this in the article Why You Shouldn't Set Passwords Using Group Policy Preferences.) In May 2014 Microsoft released a security update (MS14-025, KB2962486) that removed the ability to set local user passwords with GPP. Note that the update does not delete passwords already stored in existing policies; those XML files have to be found in SYSVOL and removed by hand.
In this article we look at one technique for managing local administrator passwords in a domain in more detail: AdmPwd, now released by Microsoft under the name LAPS (Local Administrator Password Solution).
Local Administrator Password Solution (LAPS)
LAPS centrally generates, rotates and stores the local administrator password of every domain computer, keeping the password directly in the computer's own Active Directory object.
LAPS is implemented as a Group Policy Client Side Extension (CSE). On each domain computer it generates a unique password for the built-in local administrator (the account with RID 500, whatever it has been renamed to) and changes it automatically after a configurable period (30 days by default). The current password is stored in a confidential attribute of the computer account in Active Directory, and the right to read it is delegated through AD security groups.
You can download LAPS and its documentation here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
LAPS is distributed as two MSI installers: LAPS.x86.msi for 32-bit and LAPS.x64.msi for 64-bit systems.
The management tools are installed on the administrator's machine; the client part (the CSE) is installed on the servers and workstations whose local administrator password is to be managed.
Run the installer on the administrator machine and select all components (.NET Framework 4.0 or later is required). The package consists of two parts:
- AdmPwd GPO Extension: the client-side extension that does the actual work on each computer
- Management tools:
  - Fat client UI: a tool to view passwords and force their expiration
  - PowerShell module (AdmPwd.PS): manages LAPS from the command line
  - GPO Editor templates: the administrative templates (ADMX) for the Group Policy editor
The setup itself is straightforward; the real work is the Active Directory preparation that follows.
Active Directory Preparation
Before deploying LAPS you have to extend the Active Directory schema with two new attributes of the Computer class:
- ms-MCS-AdmPwd holds the local administrator password in clear text
- ms-MCS-AdmPwdExpirationTime holds the time at which the password expires (a Windows FILETIME stored as a large integer)
To extend the schema, open PowerShell on the administrator machine and import the AdmPwd.PS module.
Then run the schema extension cmdlet, Update-AdmPwdADSchema. This requires membership in Schema Admins and is done once per forest; the account running it must also be able to reach the schema master.
As a result, the two attributes are added to the Computer class, and the schema change replicates to every domain controller in the forest.
Set the Privileges for the Attributes
The administrator password is stored in an Active Directory attribute in clear text; access to it is restricted by marking the attribute as confidential (supported since Windows Server 2003 SP1). A confidential attribute cannot be read with plain read permission: the reader needs the "All Extended Rights" (CONTROL_ACCESS) permission on the object, or the specific control-access right that LAPS delegates. Users and groups holding All Extended Rights on an OU can therefore read every confidential attribute of the computers in it, including ms-MCS-AdmPwd. Since nobody except domain administrators (and the groups we explicitly delegate to later) should see these passwords, the list of principals holding this right on the OU has to be reduced before the first password is written.
Using Find-AdmPwdExtendedRights cmdlet, you can get the list of accounts and groups having these permissions on the OU with the name Desktops:
Find-AdmPwdExtendedRights -Identity Desktops | Format-Table ExtendedRightHolders
In this example only the Domain Admins group holds the right on this OU. If a helpdesk or support group shows up here, it can read every password in the OU regardless of what you delegate later, so check every OU that will contain LAPS-managed computers.
If a group or user that does not need this access holds the right, remove it:
- Open ADSI Edit and connect to the Default naming context.
- Expand the tree, find the target OU (Desktops in our example), right-click it and select Properties.
- On the Security tab click Advanced, select the entry of the group or user you want to restrict (for example domain\Support Team) and click Edit. If the entry is inherited from a parent container, it cannot be changed here and has to be edited on the container where it is defined.
- Uncheck All extended rights and save the changes.
Repeat this for every group that must not be able to view passwords, then run Find-AdmPwdExtendedRights again to confirm the list contains only the principals you expect.
Set Permissions for the Computers
Next, the computer accounts need permission to write their own attributes (SELF), because the values of ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime are written by the LAPS client under the computer's own account. This is done with the Set-AdmPwdComputerSelfPermission cmdlet.
To give the computers in the Desktops OU the right to update these two attributes, run Set-AdmPwdComputerSelfPermission against that OU. The permission is inherited by computer objects in nested OUs, so it is enough to set it on the top-level OU.
Set User Permissions
The next step is to give users and groups the right to read the local administrator passwords stored in Active Directory. For example, to give the members of the AdmPwd group the read permission on the Desktops OU:
Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd
In addition, you can give a group the permission to force a password reset. This right only lets the holder write ms-MCS-AdmPwdExpirationTime; the password itself is still changed by the computer at its next Group Policy refresh. (In our example we give it to the same group, AdmPwd.)
Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd
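The whole Active Directory preparation described above (schema extension, SELF permission, read and reset delegation, and the audit of who holds All Extended Rights) as one script. This is an added example, not code from the original article or from the LAPS package. It is run on the administrator machine where the LAPS PowerShell module is installed, with a Schema Admins account for the first run. The OU name Desktops and the group AdmPwd are taken from the article; the domain name is read from AD; "Support Team" is a placeholder for a group that must not be able to read passwords.

```powershell
# Added example (not from the original article): LAPS AD preparation in one pass.
# Requires the LAPS PowerShell module (AdmPwd.PS) and RSAT ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$targetOU    = "OU=Desktops,$($domain.DistinguishedName)"   # OU from the article
$readerGroup = 'AdmPwd'                                      # group from the article
$deniedGroup = 'Support Team'                                # assumption: a group that must NOT read passwords

# 1. Extend the schema only if ms-Mcs-AdmPwd does not exist yet (needs Schema Admins).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)')) {
    Update-AdmPwdADSchema
}

# 2. Computers write their own ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $targetOU

# 3. The delegated group may read passwords and force their expiration in that OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $targetOU -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $targetOU -AllowedPrincipals $readerGroup

# 4. Remove "All Extended Rights" from a group that must not read confidential
#    attributes: the ADSI Edit step done with Get-Acl/Set-Acl on the AD: drive.
#    Only explicit ACEs can be changed here; an inherited ACE must be fixed on the
#    container where it is defined. The ExtendedRight bit is cleared instead of
#    deleting the whole ACE, so other rights delegated in the same ACE survive.
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$targetOU"
$sid = (Get-ADGroup -Identity $deniedGroup).SID
$toFix = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq [Guid]::Empty -and          # empty GUID = "all" extended rights
    ($_.ActiveDirectoryRights -band $extRight) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid })
foreach ($ace in $toFix) {
    $acl.RemoveAccessRule($ace) | Out-Null
    $remaining = [System.DirectoryServices.ActiveDirectoryRights]([int]$ace.ActiveDirectoryRights -band (-bnot [int]$extRight))
    if ([int]$remaining -ne 0) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $remaining, $ace.AccessControlType, $ace.InheritanceType, $ace.InheritedObjectType)))
    }
}
if ($toFix.Count -gt 0) { Set-Acl -Path "AD:\$targetOU" -AclObject $acl }

# 5. Audit: every principal that can read LAPS passwords, per OU. Anything other
#    than SYSTEM, Domain Admins and the intended reader group deserves a look.
$expected = @('NT AUTHORITY\SYSTEM',
              "$($domain.NetBIOSName)\Domain Admins",
              "$($domain.NetBIOSName)\$readerGroup")
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_
    (Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName).ExtendedRightHolders | ForEach-Object {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Holder = $_; Unexpected = ($_ -notin $expected) }
    }
} | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Step 5 is worth keeping as a scheduled check: a new OU delegation that grants Full Control (which includes All Extended Rights) silently grants read access to every LAPS password beneath it, and nothing in LAPS itself will warn about it.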
How to Configure LAPS Group Policy
Next, create a new GPO and link it to the OU that contains the computers whose local administrator passwords you want to manage.
Create a policy named Password_Administrador_Local (in GPMC or with New-GPO) and register the LAPS client-side extension with it using the following command:
Register-AdmPwdWithGPO -GpoIdentity: Password_Administrador_Local
Open this policy in the GPO editor and configure it. To do it, go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS
There are four configurable settings. Configure them as follows:
- Enable local admin password management: Enabled
- Password Settings: Enabled. This policy sets the complexity, length and maximum age of the password:
  - Complexity: large letters, small letters, numbers, specials
  - Length: 12 characters
  - Age: 30 days
- Name of administrator account to manage: Not Configured. By default the account with RID 500 is managed, even if it has been renamed. Configure this setting only when you manage a custom local administrator account; do not put the (renamed) name of the built-in account here, otherwise LAPS will try to manage it by name and the built-in account may end up unmanaged.
- Do not allow password expiration time longer than required by policy: Enabled. Without this, a value written directly into ms-MCS-AdmPwdExpirationTime that lies years in the future would stop the rotation.
Link the Password_Administrador_Local policy to the Desktops OU.
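The same GPO created and configured from PowerShell, as an added example that is not part of the original article and not code shipped with LAPS. It writes the four settings above as registry policy values under the key used by the LAPS administrative template (AdmPwd.admx), which the client reads identically whether the values were set through the template or this way. It uses the GroupPolicy module from RSAT and the AdmPwd.PS module; the policy name, OU and values (12 characters, 30 days, full complexity) are the article's, and the domain name is read from AD.

```powershell
# Added example (not from the original article): build the LAPS GPO from the shell.
Import-Module GroupPolicy
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$gpoName  = 'Password_Administrador_Local'
$targetOU = "OU=Desktops,$((Get-ADDomain).DistinguishedName)"
# Registry key the LAPS administrative template (AdmPwd.admx) writes its settings to.
$key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# Create the GPO if it is missing, then register the LAPS client-side extension with it;
# without the registration the client ignores the settings even though they are present.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'LAPS: manage the built-in local administrator password' | Out-Null
}
Register-AdmPwdWithGPO -GpoIdentity $gpoName

# "Enable local admin password management": Enabled
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1
# "Password Settings": complexity 4 = large letters + small letters + numbers + specials
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 12
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# "Do not allow password expiration time longer than required by policy": Enabled
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1
# "Name of administrator account to manage" (value AdminAccountName) is deliberately
# left unset so the RID-500 account is managed regardless of its current name.

# Link the policy to the OU (ignore the error if the link already exists).
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Quick check of what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
```

If the ADMX template is not installed on the machine where you later open the GPO in the editor, these values show up under Extra Registry Settings rather than under the LAPS node; the client behaves the same either way.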
How to Install LAPS to Client Computers
Once the GPO is configured, install the LAPS client on the target computers. The client can be deployed in several ways: manually, with an SCCM task, a startup script, and so on. In our example we deploy the MSI file with Group Policy Software Installation (GPSI). Note that a default installation of the MSI installs only the client-side extension, not the management tools, which is exactly what you want on workstations and servers.
- Create a shared network folder and copy the LAPS installers into it.
- Create a new GPO and under Computer Configuration -> Policies -> Software Settings -> Software Installation create a package that installs the MSI (assigned to computers, so it runs at startup).
Link this policy to the target OU; after the next restart the LAPS client is installed on every computer in that OU.
When LAPS changes the administrator password, it logs the operation to the Application log (Event ID: 12, Source: AdmPwd).
The event of storing the new password in Active Directory is logged as well (Event ID: 13, Source: AdmPwd).
After that, the two new attributes are populated on the computer object and can be seen in the Attribute Editor in ADSI Edit or Active Directory Users and Computers.
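A client-side check to run on a managed computer after the GPO has been linked, as an added example that is not from the original article or the LAPS package. It confirms that the client-side extension is registered, shows which local account will be managed, triggers a policy refresh and lists the AdmPwd events (IDs 12 and 13 are the ones the article names). Assumptions: the machine runs Windows 10 / Server 2016 or later (for Get-LocalUser), the shell is elevated, and the UNC path in the manual-install comment is a placeholder.

```powershell
# Added example (not from the original article): verify LAPS on a client.
# Manual install of the client (CSE only) when GPSI is not used, path is a placeholder:
#   msiexec /i \\fileserver\share\LAPS\LAPS.x64.msi /quiet

# 1. Is the LAPS CSE registered with the Group Policy engine? The extension DLL is
#    AdmPwd.dll; Windows lists every CSE under this key.
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cse = Get-ChildItem $cseKey | Where-Object { (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd.dll' }
if (-not $cse) { throw 'LAPS client-side extension is not installed on this machine' }
"LAPS CSE registered as $($cse.PSChildName)"

# 2. Which account will be managed? The RID-500 account, whatever it is named.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"Managed account: $($builtin.Name)  Enabled: $($builtin.Enabled)  PasswordLastSet: $($builtin.PasswordLastSet)"

# 3. Refresh computer policy and read back the AdmPwd events of the last hour.
gpupdate /target:computer /force | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize
# Expected sequence on a healthy client: Id 12 (password change) then Id 13 (password
# stored in AD). An Error-level AdmPwd event instead usually means the computer
# cannot write its own attributes: re-check Set-AdmPwdComputerSelfPermission on the OU.
```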
Using LAPS to View Passwords
The LAPS graphical tool (the "Fat client UI") has to be installed on the administrator's computer.
Start the tool, enter a computer name and click Search: the current local administrator password and its expiration date are displayed.
To force a rotation, either enter a new expiration date or leave the field empty and click Set; an empty value marks the password as already expired, and the client changes it at its next Group Policy refresh (by default within 90 minutes, or immediately after gpupdate /force on the machine).
You can also retrieve the password with PowerShell:
Get-AdmPwdPassword -ComputerName <computername>
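A helpdesk-style workflow and a coverage report, as an added example that is not from the original article or the LAPS package. It retrieves one password, expires it after use so the client rotates it, and then lists every computer in the OU whose LAPS password is missing (client never wrote one) or overdue (computer has not checked in since the expiration date). ms-MCS-AdmPwdExpirationTime is a FILETIME, hence the FromFileTime conversion. Assumptions: the OU Desktops from the article, a computer named PC-001 as a placeholder, and that the account running it holds the read and reset rights delegated earlier.

```powershell
# Added example (not from the original article): use and audit LAPS passwords.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-LapsInventory {
    # Returns one record per computer under $SearchBase with its LAPS state.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd', LastLogonDate |
        ForEach-Object {
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTime([long]$raw) } else { $null }
            [pscustomobject]@{
                Computer    = $_.Name
                # ms-Mcs-AdmPwd is only returned when the caller has the read right
                HasPassword = [bool]$_.'ms-Mcs-AdmPwd'
                Expires     = $expires
                State       = if (-not $raw) { 'NoLaps' } elseif ($expires -lt (Get-Date)) { 'Overdue' } else { 'OK' }
                LastLogon   = $_.LastLogonDate
            }
        }
}

$ou = "OU=Desktops,$((Get-ADDomain).DistinguishedName)"

# a) Retrieve a single password (requires the right from Set-AdmPwdReadPasswordPermission).
$p = Get-AdmPwdPassword -ComputerName 'PC-001'     # placeholder computer name
"Password for $($p.ComputerName) is valid until $($p.ExpirationTimestamp)"
# $p.Password holds the cleartext; it lands in the console and in any transcript.

# b) Once used, expire it so the client rotates it at its next refresh
#    (requires the right from Set-AdmPwdResetPasswordPermission).
Reset-AdmPwdPassword -ComputerName 'PC-001' -WhenEffective (Get-Date)

# c) Coverage report. 'NoLaps' means the CSE never wrote a password (not installed,
#    GPO not applied, or SELF write permission missing); 'Overdue' means the computer
#    has not rotated since its expiration date (offline, or the client is broken).
Get-LapsInventory -SearchBase $ou | Sort-Object State, Computer | Format-Table -AutoSize
```

Expiring the password immediately after each helpdesk use keeps the window in which a retrieved password is valid to a single policy refresh instead of the full 30-day age.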
LAPS (AdmPwd) can be recommended as a simple local administrator password management solution for domain computers, with per-OU delegation of who may read and reset the passwords. The passwords are stored in Active Directory attributes in clear text; the built-in AD permission model restricts who can read them, but anyone who can read the directory database directly (domain controller administrators, holders of replication rights, and anyone with access to a DC backup or an unprotected ntds.dit copy) can read every stored password, so access to domain controllers and their backups has to be protected and reads of ms-MCS-AdmPwd audited accordingly.