Local admin password management solution

The Local admin password management solution works using Group Policy and a custom client-side GPO extension. The solution periodically changes the password of the local admin account to a random value and stores the current built-in admin password in a confidential attribute of the computer object in AD.

4.6 Star (58)
11/26/2016


  • LAPS Enterprise behind RODC
    2 Posts | Last post July 18, 2016
    • Hi,
      
      I have tested LAPS in the network with any LAPS. I can't change the local Admin Password. The error code from the server behind the RODC is
      Could not get computer object from AD. Error 0x80070051.
      All other servers that are directly connected to the Domain Controller change the local Admin Password correctly.
      
      Please help
      
      Thanks
      Holger
    • Hello,
      LAPS (as any other LDAP client) needs a direct connection to a writable DC when writing data to the AD database. Remember: an RODC does not proxy LDAP write requests to a writable DC - it just provides a referral.
      Therefore, the design decision for the LAPS client was to connect to a writable DC to make sure that the LDAP write will succeed.
      Your RODC deployment plan shall count with this fact and allow an LDAP connection to a writable DC.
      
      Hope this helps,
      Jiri
  • Find-AdmPwdExtendedRights - Incomplete Results
    2 Posts | Last post June 29, 2016
    • Hello,
      
      After some analysis I found that the result given by the cmdlet, in my environment, is not complete.
      Jiri, can you please give your input about this?
      
      https://social.technet.microsoft.com/Forums/windows/en-US/371187e7-c918-4eb8-a9a6-7415d4c34ecb/laps-findadmpwdextendedrights-incomplete-results?forum=winserversecurity
      
      Best Regards,
      Carlos
    • Hello Carlos,
      see my answer in the given thread - what you observe is by design.
      
      Hope this helps,
      Jiri
  • Could not encrypt password
    3 Posts | Last post June 24, 2016
    • I keep getting these messages
      Could not encrypt password. Error 0x80070057.
      Could not encrypt password. Error 0x80070008.
      
      What permissions do I need to add?
      
    • GP settings
      https://gyazo.com/f4fad91b75a49b1f6ba7364d63055ce1
    • I just figured this out myself this morning.  Your GPO where you have '2048' entered needs to be the public key.
      
      Run New-AdmPwdKeyPair and that's where you'll specify 2048.  After that is done you run Get-AdmPwdPublicKey.  The output of that command is what you'll use in your GPO.
      
      The command will output the key with an ellipsis, to be able to see the whole string I used the below command.
      Get-AdmPwdPublicKey -keyid 1 | fl > c:\blah.txt
  • LAPS.E with encryption issue
    3 Posts | Last post June 14, 2016
    • Hi, I'm having issues with reading the password created.  The LAPS UI shows the password expiration date but a blank password.  The SELF account has read/write for the password and history attributes. I get the below in event viewer on the DC.
      
      Expiration time exists but password empty. This typically happens when service does not have properly configured permissions in AD.
       Please verify configuration and if needed, fix permissions via Set-AdmPwdServiceAccountPermission cmdlet.
       Computer:		XXX
       User:		%computername%
      
      ----------------------------------------------------
      
    • Hello,
      the problem is exactly what the event log message says: the service account of PDS does not have the required permissions to read passwords from AD. You need to run the Set-AdmPwdServiceAccountPermission cmdlet to set up permissions for the PDS service account properly. Note that if PDS runs under Network Service on a member server, you use <pds computername>$ as the value of the AllowedPrincipals parameter of the cmdlet.
      
      Hope this helps,
      Jiri
    • Thanks for the computername tip.  Unfortunately I still cannot get it working. I get a "Could not encrypt password. Error 0x8007000d." on the test server.  Still getting the same event on the LAPS server.  Encryption key is input into the GPO.
      
      Expiration time exists but password empty. This typically happens when service does not have properly configured permissions in AD.
       Please verify configuration and if needed, fix permissions via Set-AdmPwdServiceAccountPermission cmdlet.
       Computer:		pme.penton.com
       User:		ksopsecsrv
  • LAPS Enterprise Operations Guide
    1 Posts | Last post June 14, 2016
    • Hi,
      
      I am implementing LAPS Enterprise in our environment.  However I do not see an Operations Guide for LAPS.E.
      
      Will you please let me know where I can find it?
      
      Regards,
      Schontelle
  • update-admpwdschema error
    4 Posts | Last post June 09, 2016
    • PS C:\Users\administrator> Import-module AdmPwd.PS
      PS C:\Users\administrator> Update-AdmPwdADSchema
      
      Operation            DistinguishedName                                                 Status
      ---------            -----------------                                                 ------
      AddSchemaAttribute   cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=X... EntryAlreadyExists
      AddSchemaAttribute   cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=X,DC=X... EntryAlreadyExists
      Update-AdmPwdADSchema : The requested attribute does not exist.
      At line:1 char:1
      + Update-AdmPwdADSchema
      + ~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
          + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema
      
      
      First I added the attributes `Mcs-AdmPwdExpirationTime` and `Mcs-AdmPwd` to the AD Schema manually. But we can't delete them. We can't change their names. I have added these attributes to the `computer` and `user` classes in the AD Schema. And then there is no problem with AD replication on the RODC.
      So how can I fix it?
      Thank you
    • Hello,
      I understand you have problems running the Update-AdmPwdADSchema cmdlet. The error "Attribute does not exist" is usually caused by AD replication issues, but re-running the cmdlet after replication completes solves the problem. Not sure if this is your case and replication is fine? Best results are achieved if you run the cmdlet on the Schema master.
      
      I don't fully understand what you mean by adding attributes manually and how the RODC comes into the picture. Note that once attributes are added to the AD schema, you cannot remove them - you can just defunct them at most.
      
      Hope this helps,
      Jiri
    • Hi, 
      First, when I tried to set up LAPS on the DC, I tried to run Import-module AdmPwd.PS. But there was an error. I couldn't fix it. And then I added the attributes manually (unfortunately). But then I saw that it was caused by the PowerShell version. I upgraded PowerShell to version 4.0. Now when I try to run Update-AdmPwdADSchema, there is an error too, like in my previous message. So is there any solution except restoring the DC to the past? Because if we restore the DC to the past, we will probably meet other big problems. 
      Thank you
      
      
    • Hello,
      if you screwed up the AD schema, your best chance is to defunct what you created and start from scratch using the tools provided with the solution. Hard to tell what's wrong now - I would say that the best way forward is to contact MS Premier support to get help.
      
      Hope this helps,
      Jiri
  • Web Portal
    2 Posts | Last post May 24, 2016
    • I'm wanting to set up the web portal, but I am unable to find the files under "6.5.3 Web Port installation." I looked under https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789#content and GitHub (http://github.com/jformacek/laps-e), but I'm not finding the files. From a post of yours a few weeks ago, it appears you pulled the web portal due to feedback that there might be a security concern, but were thinking of publishing it on GitHub and letting admins decide. Could you please publish it and provide me a link to download the necessary files?
      
      Thanks in advance.
    • Hi Scott,
      The compiled Web UI is on GitHub here: https://github.com/jformacek/laps-e/releases - see LAPS.E.WebUI.zip
      
      Note that the UI is good for LAPS.E, but not for LAPS, and is not expected to work with LAPS. For LAPS, there is no Web UI at the moment.
      
      BTW, the security concern was that for the Web UI to work properly, you are required to allow KCD from the Web to the LDAP interface of DCs - and some people believe this is not constrained enough.
      
      Hope this helps,
      Jiri
      
  • None of discovered services seems to be reachable
    3 Posts | Last post May 24, 2016
    • Hi,
      
      I always get the error message written in the subject. I found nothing in the PDS server's event log. On the client I found the following message in the event log:
      The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <PDS_service_account>. The target name used was host/<PDS_server_address>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<domain>) is different from the client domain (<domain>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
      
      On the PDS server, the identity has been configured properly. The same SPN has been configured on the service account.
      
      If I run the fat UI from the server where the PDS service is also running, everything works fine, but from another server I always receive the same error message.
      
      Can you help me with what could be the issue?
      
      Thanks a lot!
      BR
      Gabor
      
    • Already solved. I missed deploying that PDS is running with a service account.
      
      Thanks a lot!!!
    • Hello,
      good to hear you got it working. This error almost always means mismatched SPNs and auth issues.
      
      Regards,
      Jiri
  • Issues with password read and write permissions
    3 Posts | Last post April 22, 2016
    • Hi
      
      I've got LAPS.E 7.2.1.0 set up in a test lab with a 2012R2 DC (2012R2 function level), a 2012R2 server and a win 7 and 8.1 workstation.
      
      When I delegate access for individuals or groups to be able to read the password, they can't unless I give Full control to the OU. This is the case even if I give full access and then remove just that permission and leave all other permissions enabled.
      Also, no matter the permissions granted I can't do a password reset through Powershell or the UI - it just comes back with access denied.
      
      I can also never get the password to show through the LAPS UI, even when the user has full control over the OU or is a domain admin.
      
      Are there any specific patches / powershell updates needed before LAPS functions properly?
      
      Thanks
    • I've just realised that by adding just the "All Extended Rights" to the read password delegation, the user can then read the password.
      
      I still can't get the password to reset though and the UI still shows access denied when trying to display the password.
    • Hello,
      you're doing delegation the wrong way. The important thing to understand is that in LAPS.E, users retrieve/reset admin passwords via PDS, instead of talking directly with AD. So only the PDS service account needs to talk with AD directly.
      The delegation cmdlets for reading / resetting the password just set solution-specific permissions on computer objects in AD that are recognized and honored by PDS only.
      
      Jiri
  • Managed Client msi Install Error
    2 Posts | Last post April 22, 2016
    • I originally set up LAPS.E 7.2.1.0 in a test environment and it used the built-in local administrator to manage the random password with the following command:
      
         msiexec /i LAPS.Ent.Setup.<platform>.msi PROTECTBUILTINADMIN=true /q
      
      It all worked as expected, but before I deployed in production the decision was made to disable the built-in local administrator and create a new local account, which LAPS.E will target. I am trying the following command:
      
         msiexec /i LAPS.Ent.Setup.<platform>.msi CUSTOMADMINNAME=LocalAdmin PROTECTBUILTINADMIN=true /q
      
      However, the msi installer fails with the following error:
      
      Log Name:      Application
      Source:        MsiInstaller
      Date:          4/21/2016 5:59:18 PM
      Event ID:      11708
      Task Category: None
      Level:         Information
      Keywords:      Classic
      Description: Product: Local Admin Password Solution - Enterprise -- Installation failed.
      
      Any ideas on why I am receiving this error? Also, I am assuming that when I get this command working the installation will create a local account called LocalAdmin and I don't need to create it via script or some other method, correct?
    • Hello,
      can you run setup again with the additional parameter /log <logfile> and send me the log to admpwd (at) hotmail.com?
      
      Thanks,
      Jiri