Local admin password management solution

Local admin password management solution works using GPO and a custom Client-Side GPO Extension. The solution periodically changes the password of the admin account to a random value; it stores the current built-in admin password in a confidential AD attribute on the computer account.

4.6 Star (58)
11/26/2016


  • LAPS and Network Traffic
    2 Posts | Last post October 23, 2016
• I have implemented this solution before but I was asked a very good question which I did not consider as part of my LAPS implementation and that related to NETWORK traffic generated by SCHEMA change.
      
      Are there any investigations around this that I can use in my conversation with regards to LAPS?
      
      regards
      Wayne
    • Hello,
best way is to measure for yourself. I always say that network impact is low - just 2 attributes added: compare this with schema changes coming with Exchange server; but best answer is given by a measurement. Please share your results if you decide to measure
      
      Best regards,
      Jiri
  • Windows Server 2016
    2 Posts | Last post October 23, 2016
    • Hi,
      
      Is it possible that in the future your solution will be a feature/role of Windows Server 2016 or Windows Server 2016 Active Directory?
      
      Thanks!
      Gabor
    • Hello,
      imho, this is unlikely - but you never know...
      
      Regards,
      Jiri
  • Questions
    1 Posts | Last post October 18, 2016
    • Hi Jiri, looking to implement LAPSE in our environment; was wondering a few things:
      
1) The operations guide provided for the “regular” version; does it apply also to LAPSE? Anything that doesn’t apply?
      2) Saw there was a new release of the “regular” version – new build available for LAPSE as well?
      3) What’s the best way to follow development of the LAPSE project? The github? https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789#content ?
      
      Sent an email over to laps-e@outlook.com but haven't heard back. Thanks!
      
  • Access denied
    1 Posts | Last post September 27, 2016
    • Good afternoon!
      There was such an error
      Get-AdmPwdPassword : Access denied
      At line:1 char:89
      + ... ys,DC=com" | Get-AdmPwdPassword -ComputerName {$_.Name}
      +                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-AdmPwdPassword], FaultException`1
          + FullyQualifiedErrorId : System.ServiceModel.FaultException`1[[AdmPwd.PDSUtils.PdsProxy.ServiceFault, AdmPwd.Serv
         iceUtils, Version=7.2.1.0, Culture=neutral, PublicKeyToken=null]],AdmPwd.PS.GetPassword
      
Previously, these problems did not occur.
      What can I try?
  • Problem with AdmPwdADAuditing
    5 Posts | Last post August 23, 2016
• On Windows 2008 R2 SP1 server with PowerShell 4.0, I've got error messages on AdmPwdADAuditing command. The command is the following: Set-AdmPwdADAuditing -OrgUnit:TEST-Password -AuditedPrincipals:everyone
      The error messages are: Object not found. At line:1 char:1 + CategoryInfo    : Not specified Set-AdmPwdADAuditing, Exception.
      I tried also the same with -Identity instead of -OrgUnit. The result is the same.
      TEST-Password is an OU in Active Directory containing a list of computers.
      Did you already get this kind of problem?
      Thanks and best regards. 
      Patrick.
    • Hello,
      I would say that you're running the command without having LAPS schema in place - do you?
      
      Hope this helps,
      Jiri
    • Hello Jiri, no ADMPWD schema is in place in Active Directory if I understand well your remark. Best regards. Patrick.
      
      
    • Hi Patrick,
the cmdlet is not expected to work when the ADMPWD schema was not imported to AD. The reason is that the cmdlet sets up a SACL that includes ADMPWD attributes, so it has nothing to do when the attributes aren't there
      
      Hope this helps,
      Jiri
• Hello Jiri, I am sorry, my answer was not clear enough. ADMPWD schema is already imported in our Active Directory. In replying "NO" I answered your direct question. So, implementation is in place. ADMPWD is working well. The only part we would like to implement is the AD auditing.
  • Customize password character used
    1 Posts | Last post August 19, 2016
• Just a suggestion. Hope you can update with a new version to allow customizing the password characters used. For example, characters such as i and l are similar and difficult to distinguish, so the admin may want to remove them from the password generated. The current version doesn't allow this. Hope the new version is able to allow the admin to customize the characters they want to include or exclude. Keep up the good work.
  • LAPS Enterprise Password Decryption Service
    2 Posts | Last post August 16, 2016
• I have an issue installing the Password Decryption Service feature on my DC.
      It gives an error "ended prematurely". Has anybody had an issue with this, and how do I fix it?
    • Hello,
it would be good if you were more descriptive about the error you're observing. Also, make sure you have .NET Framework 4.5 installed on the server
      
      Hope this helps,
      Jiri
  • Could not write changed password
    2 Posts | Last post July 27, 2016
• Could not write changed password to AD. Error 0x80070032.
      
      Could you suggest what to check? Please.
    • Hello Sergey,
      it's LDAP_INSUFFICIENT_RIGHTS error - check permissions for SELF account; use Set-AdmPwdComputerSelfPermission to fix it
      
      Hope this helps,
      Jiri
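An added check (not from the thread or the LAPS project) that verifies what Set-AdmPwdComputerSelfPermission is meant to grant: whether SELF can write the two LAPS attributes on computer objects under an OU. It assumes the ActiveDirectory module is available; the OU distinguished name is a placeholder.

```powershell
# Added example: confirm that computer accounts under an OU may write their own
# ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes. The OU DN is a placeholder.
Import-Module ActiveDirectory

function Test-LapsSelfPermission {
    param([Parameter(Mandatory)][string]$OU)   # e.g. "OU=Workstations,DC=example,DC=com"

    # Resolve the schemaIDGUID of each LAPS attribute so object-specific ACEs can be matched.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuids = @{}
    foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if (-not $obj) { throw "Schema attribute $name not found - is the LAPS schema extension in place?" }
        $attrGuids[$name] = [guid]$obj.schemaIDGUID
    }

    # Read the OU's DACL through the AD: drive and keep only Allow ACEs for SELF
    # that carry a write-property right (GenericWrite/GenericAll include that bit).
    $acl = Get-Acl -Path "AD:\$OU"
    $selfAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }

    foreach ($name in $attrGuids.Keys) {
        # An ACE scoped to this attribute, or an unscoped one (empty GUID = all properties), counts.
        $granted = $selfAces | Where-Object {
            $_.ObjectType -eq $attrGuids[$name] -or $_.ObjectType -eq [guid]::Empty
        }
        [pscustomobject]@{ Attribute = $name; SelfCanWrite = [bool]$granted }
    }
}

# Usage: report, then apply the fix the reply above names if anything is missing.
$ou     = 'OU=Workstations,DC=example,DC=com'   # placeholder
$result = Test-LapsSelfPermission -OU $ou
$result | Format-Table
if ($result.SelfCanWrite -contains $false) {
    Import-Module AdmPwd.PS
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou
}
```

Run it from an account that can read the OU's security descriptor; a client reporting 0x80070032 with both rows showing True usually points at an explicit Deny or an inheritance break closer to the computer object.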
  • Clear ms-Mcs-AdmPwdHistory
    2 Posts | Last post July 19, 2016
    • Hi,
      
      is it possible to clear the table in ms-Mcs-AdmPwdHistory?
      
      Regards
      Holger
    • Hi Holger,
yes. Use Update-AdmPwdPasswordHistory cmdlet. Gives 2 options:
        - keep last nnn password
        - keep passwords newer than xxx date
      
      You're expected to have read/write permission for ms-Mcs-AdmPwdHistory AD attribute for this task
      
      Hope this helps,
      Jiri
  • Hi,
    5 Posts | Last post July 18, 2016
    • PDS is listening on port 61184 via tcp. From the documentation, I understand the port is configurable but how to change this? I can't find the instruction on the documentation. Appreciate your guidance asap. Thanks. 
    • Hello,
update port number in AdmPwd.Service.exe.config and restart the service. Note that port number is part of SRV record registered by PDS in DNS, so there may be latency before SRV record expires in client's DNS cache.
      
      Original:
                <baseAddresses>
                  <add baseAddress="net.tcp://localhost:61184/AdmPwdService" />
                </baseAddresses>
      Example of port number changed to 50000:
                <baseAddresses>
                  <add baseAddress="net.tcp://localhost:50000/AdmPwdService" />
                </baseAddresses>
      
      Hope this helps,
      Jiri
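The port change described in the reply above, scripted as an added example (not code from the thread or the LAPS project): it rewrites the net.tcp baseAddress in AdmPwd.Service.exe.config, restarts the service and checks that the new port answers. The config path and service name are assumptions; verify them on your PDS host.

```powershell
# Added example: switch the PDS net.tcp listener to a new port.
$configPath  = 'C:\Program Files\AdmPwd\PDS\AdmPwd.Service.exe.config'   # placeholder path
$serviceName = 'AdmPwd.Service'                                           # placeholder service name
$newPort     = 50000

function Set-PdsListenPort {
    param([string]$Path, [int]$Port)

    [xml]$config = Get-Content -Path $Path -Raw
    # Select every net.tcp baseAddress and rewrite only its port, keeping
    # scheme, host and the /AdmPwdService path as they are.
    $nodes = $config.SelectNodes('//baseAddresses/add[starts-with(@baseAddress,"net.tcp://")]')
    if ($nodes.Count -eq 0) { throw "No net.tcp baseAddress found in $Path" }

    foreach ($node in $nodes) {
        $uri = [UriBuilder]$node.baseAddress
        $uri.Port = $Port
        $node.baseAddress = $uri.Uri.AbsoluteUri
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep the original for rollback
    $config.Save($Path)
    return $nodes | ForEach-Object { $_.baseAddress }
}

$changed = Set-PdsListenPort -Path $configPath -Port $newPort
Write-Host "baseAddress now: $changed"

Restart-Service -Name $serviceName

# The SRV record PDS registers still advertises the old port until client DNS
# caches expire, so probe the listener directly instead of resolving it via DNS.
Test-NetConnection -ComputerName localhost -Port $newPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```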
    • Jiri thanks for the reply. 
      
I have another issue. Hope you can advise me. I have done the Fat UI and AD integration and every time I launch the UI from the context menu I get a security warning prompt. I understand you can add the domain to the local intranet zone to prevent this message prompt, which I have tested on another server and it's working. The problem I have is I have another server that's installed with Server Core. There's no IE installed so I'm not able to set this intranet zone. I have also tried to add the intranet zone through a registry key but it doesn't work. Do you have any advice for me to overcome this?
• Hi Jiri, I also discovered something. Not sure if this is by design or a bug. When I assign extended rights to a group, for example group A, all the members in the group work fine. If I add another group B as a member of group A, the extended rights don't work for members of group B. Don't extended rights work for members of nested groups? Pardon my English. It's not my first language.
    • Hello,
RE IE zone management: This topic is not specific to LAPS and I don't have a solution up my sleeve. Please ask the Server Core community.
      
RE nested group: LAPS.E access check is expected to work with nested groups, provided you respect specifics (especially in multi-domain deployment and domain local groups and PDS in different domain than user)
      
      Hope this helps,
      Jiri
11 - 20 of 182 Items