Local admin password management solution

The local admin password management solution works using GPO and a custom Client-Side GPO Extension. It periodically changes the password of the admin account to a random value and stores the current built-in admin password in a confidential AD attribute on the computer account.

 
 
 
 
 
11/26/2016


  • Problem with set-admpwdauditing
    1 Posts | Last post December 12, 2018
    • Hi, 
      
      I am getting an error always when I run Set-AdmPwdAuditing -OrgUnit TestOU AuditedPrincipals:Everyone command: 
      Set-AdmPwdAuditing : Object reference not set to an instance of an object.
      At line:1 char:1
      + Set-AdmPwdAuditing -OrgUnit TestOU AuditedPrincipals:Everyone
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Set-AdmPwdAuditing], NullReferenceException
          + FullyQualifiedErrorId : System.NullReferenceException,AdmPwd.PS.SetAuditing
      
      Maybe someone knows how to fix it? Thanks! 
  • CSE AdmPwd problem
    1 Posts | Last post August 21, 2018
    • Hi,
      
      We have a problem with the application of the CSE "AdmPwd". So, the LAPS password never changes except when doing a gpupdate /force manually...
      
      Do you know how to force "AdmPwd" to be applied automatically ?
      
      Thanks.  
      
  • Error when importing admpwd module
    1 Posts | Last post July 04, 2018
    • Hi all,
      
      Just tried to install import the LAPS module into PowerShell and I get the following error. Can anyone shed some light?
      
      import-module : could not load file or assembly 
      (location of admpwd.dll) or one of its dependencies.
      Operation is not supported. (Exception from HRSESULT: 0x80131515)
  • admpwd reg key not injecting
    1 Posts | Last post December 07, 2017
    • Hello I got a little problem with LAPS ( Local administrator Password Solution)
      
      Most computers that have LAPS installed are fine, but some that have LAPS deployed are not getting the reg key that triggers the password settings:
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd
      I have tried re-installing but it is still not installing that reg key
      Any suggestions would be great
      
      This causes no password at all to be generated
  • Get Object doesnt exist in LAPS UI when I search
    1 Posts | Last post October 24, 2017
    • If I search for a computer in the Computer container it finds it, but since I applied everything to a new OU called LAPS OU, whenever the computers are in there I get the "Object doesn't exist" error. Please help, I really would like to get this tested and start using it in production. It's a great tool.
      
      Thanks in advance.
  • Fat Client Only Working With DN
    7 Posts | Last post October 18, 2017
    • I have this solution basically working except that when I use the GUI and type the computer name, it doesn't work as shown in the document screen shots.
      It says the computer name is ambiguous and want the distinguished name instead.
      Our DNs are very long due to long OU paths, so this is very inconvenient and usually not worth the effort.
      
      What needs to be done to make it work with the short computer name "PCName" instead of "CN=PCNAME,OU=Java8,OU=Sales,OU=West,OU=Standard Desktops,OU=Office Desktops,OU=Workstations,DC=Domain,DC=com"?
    • I think this is likely related to an OU that has "computer" objects with the same name.  These objects are not the regular computer object, but they are objects used for vPro AMT provisioning.
      If this is the case, the solution would be to configure this application to ignore that OU or else block access to that OU so that it can't see the objects inside and therefore there will only be one object it can see with a particular computer name and the message: "Computer name ambiguous, use DN instead of computer name" would go away.
      How do you block or ignore a specific OU so that it doesn't or cannot search for computers there?
    • Hello,
      yes, as you found out, computer name must be unique to be able to use short name.
      
      Ability to ignore certain OUs is not currently implemented in the solution, however can be done as customization for you for a small fee; let me know if you're interested
      
      Regards,
      Jiri
    • Instead of customizing the application, wouldn't there be a way to adjust the permissions on the OU so that the application is not able to browse through and see the other object?
    • Hello,
      not easily - solution looks for computer in Global Catalog. Maybe you can play with (deny) permissions, but I haven't done it before so not in position to recommend permissions setup that's guaranteed to work.
      
      Regards,
      Jiri
    • How about setting the tool to search from a specific OU down instead of from the root of the domain?
      How can I set the tool to search for computers from an OU called "Workstations" and the sub-OUs below that OU instead of from the domain root? It would make the search faster (doesn't waste time browsing through user account OUs and other unrelated OUs) and would also solve this issue at the same time.
    • Any update on this? I am running into the same issue of AMT devices with the same "computer" name and it being ambiguous. It's not realistic for me to expect my helpdesk to memorize the OU structure and be able to enter a DN to find a PC
  • 555-555-0199@example.com
    1 Posts | Last post October 13, 2017
    • 555-555-0199@example.com
  • Using GPO to change the local administrator password on every computer in AD, but the password field is greyed out
    2 Posts | Last post June 28, 2017
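    • Previously I used the method in

      How to Change a Local Administrator Password with Group Policy

      http://social.technet.microsoft.com/wiki/contents/articles/4683.how-to-change-a-local-administrator-password-with-group-policy.aspx

      to configure this, and it met my requirements.

      However, I had ticked "User cannot change password",

      so after that computer left the domain, the administrator password could not be changed.

      But when I again followed

      How to Change a Local Administrator Password with Group Policy

      http://social.technet.microsoft.com/wiki/contents/articles/4683.how-to-change-a-local-administrator-password-with-group-policy.aspx

      to add the setting, I found that the password field is greyed out and cannot be typed into. What could have been changed to cause this?

      Thank you.
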
    • https://social.technet.microsoft.com/Forums/zh-TW/6f80b131-e601-42b4-86be-77a3aa74ef9a/gpoadadministrator?forum=winserver2012zhtw
      
  • update schema error
    7 Posts | Last post May 09, 2017
    • Hi, when I go to extend the schema, I get this error
      
      Update-AdmPwdADSchema : An operation error occurred.
      At line:1 char:1
      + Update-AdmPwdADSchema
      + ~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
          + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema
      
      I've seen this around but no solutions for it.
      
      I'm on Server 2012 R2.
      
    • Hi Ryan,
      What version of AdmPwd.PS.dll is in your installation?
      
      Thanks,
      Jiri
    • Hi Jiri,
      it says 6.2.0.0
      the AdmPwd.PS.psd1 data file says the version of the module is 5.0.0.0
    • Hello Ryan,
      this kind of error may occur if cmdlet has problem reaching schema master role. Tried to run directly on schema master?
      This version is from the official MS release of LAPS - so you may also want to open a Premier Support ticket, if your company has a PSS contract in place.
      
      Jiri
    • Well, that's unfortunate. I'm already running the cmdlet on the only server which has all FSMO roles, and we do not have a PSS contract with MS.
      
      am I out of luck?
    • Hello Ryan,
      apologies for slow answer.
      I could help remotely and troubleshoot the issue, if I had remote access to your environment. Also, I cannot do it completely for free - small service fee via PayPal would help here. Is this way forward for you?
      
      Best regards,
      Jiri
    • Clearly must be a permissions issue; had the SAME exact problem, same environment. I temporarily elevated my non-admin account to Schema Admins, Domain Admins and Enterprise Admins and then tried running the Update-AdmPwdADSchema cmdlet from another Domain Controller that doesn't hold any of the FSMO roles and it successfully applied. /shrug
  • Getting insufficient access rights
    4 Posts | Last post December 07, 2016
    • Hi there,
      
      I've set up a cloned test lab of our 2 DCs and gone through your and others' guides for setting up; however, it's just not working, and if I try to set a new expiration time via GUI or PowerShell I get the following:
      
      Reset-AdmPwdPassword -ComputerName IT000001 -WhenEffective "22/11/2016 10:13:00"
      Reset-AdmPwdPassword : The user has insufficient access rights.
      
      I've rebuilt my test lab twice and gone over the AD schema setup again and again and still no luck.  I've run all the commands against the Domain server running all the FSMO roles to make sure and the -AllowedPrincipals was set against the Domain Admins group.
      
      Running Powershell with Run as administrator logged in as domain admin and if I open ADUC I can edit the attribute in there manually. 
      
      Any suggestions? Or a guide to the granular permissions that are being set by some of the commands?
      
      Thanks in advance.
      
      Mark
      
    • Well, hard to say without seeing your lab. Definitely, permission setup was not performed correctly. Looking to your environment would be useful to be able to help here..
      
      Jiri
    • Hi Jiri,
      What's the best way to contact you to perhaps take a look?
      Many thanks
      Mark
    • Hello Mark,
      feel free to ping me at admpwd(at)hotmail.com
      
      Thanks,
      Jiri
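
For the granular permissions asked about in the thread above, this added example (not from the thread or from the AdmPwd project) lists the ACEs on an OU that target the two attributes the solution uses, `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime`. It assumes the ActiveDirectory RSAT module is available; the OU distinguished name is a placeholder.

```powershell
# Added example: show who holds which rights on the AdmPwd/LAPS attributes for one OU.
# Assumptions: ActiveDirectory module (RSAT) installed; $OrgUnitDN is a placeholder.
Import-Module ActiveDirectory

$OrgUnitDN = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with your OU

# ACEs reference attributes by schemaIDGUID, so resolve both attribute GUIDs first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter "(lDAPDisplayName=$name)" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $name not found: the schema has not been extended." }
    $attrGuid[[guid]$attr.schemaIDGUID] = $name
}

# Read the OU's DACL through the AD: drive and keep only ACEs scoped to those attributes.
# ACEs that apply to all properties (empty ObjectType, e.g. GenericAll) are not listed here.
$acl = Get-Acl -Path "AD:\$OrgUnitDN"
$acl.Access |
    Where-Object { $attrGuid.ContainsKey($_.ObjectType) } |
    Select-Object @{ n = 'Attribute'; e = { $attrGuid[$_.ObjectType] } },
                  IdentityReference,
                  AccessControlType,
                  ActiveDirectoryRights,
                  IsInherited |
    Sort-Object Attribute, IdentityReference |
    Format-Table -AutoSize

# How to read the result:
#  - Changing the expiration time (what Reset-AdmPwdPassword does) needs an Allow ACE with
#    WriteProperty on ms-Mcs-AdmPwdExpirationTime for the caller or one of its groups.
#  - Reading the password needs ReadProperty together with ExtendedRight on ms-Mcs-AdmPwd,
#    because the attribute is confidential.
#  - The computer itself (NT AUTHORITY\SELF) needs WriteProperty on both attributes.
#  - A Deny ACE for any group the caller belongs to overrides a matching Allow ACE.
```

Run it against the OU that actually contains the computer account; an empty table means no attribute-specific delegation has been applied there.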