Local admin password management solution

The local admin password management solution works using a GPO and a custom Client-Side GPO Extension (CSE). The CSE periodically changes the password of the local administrator account to a random value and stores the current built-in administrator password in a confidential attribute (ms-Mcs-AdmPwd) of the computer object in Active Directory.

11/26/2016


  • Get-AdmPwdPassword : Object reference not set to an instance of an object.
    3 Posts | Last post April 17, 2016
    • Hi, 
      
      With version 7.2.1.0 I get this error in PowerShell:
      
      PS C:\Windows\system32> Get-AdmPwdPassword -ComputerName test-1
      Get-AdmPwdPassword : Object reference not set to an instance of an object.
      At line:1 char:1
      + Get-AdmPwdPassword -ComputerName test-1
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-AdmPwdPassword], FaultException
          + FullyQualifiedErrorId : System.ServiceModel.FaultException,AdmPwd.PS.GetPassword
      
      Same in the UI: Object reference not set to an instance of an object.
      
      Any tips?
      
      Thanks,
      Castis
    • Hello,
      I'll look at it and give update shortly. Does it occur for just one machine or all of them?
      
      Thanks,
      Jiri
    • Hi Jiri,
      
      This occurs on all machines I tested (Windows Server 2012 R2, Windows 10 and Windows 8.1).
      If you need any other information please let me know.
      
      Best Regards,
      Castis
  • LAPS: Read and Write Password Rights
    1 Posts | Last post April 15, 2016
    • Hi,
      
      In our environment, we run the Set-AdmPwdXxx cmdlets to give the relevant SGs read/reset password rights.
      
      However, we are facing an issue where, without being added to any of the SGs intended for LAPS, some accounts already have the rights to read and write the ms-Mcs-AdmPwd attribute as well as the ms-Mcs-AdmPwdExpirationTime attribute.
      
      Question 1: Is there a cmdlet / way to find out which users / security groups have read and write permission on these two attributes?
      
      We ran the Find-AdmPwdExtendedRights cmdlet; however, it only reports users / security groups that have Extended Rights, not users / SGs that have read/write permission on these two attributes.
      
      Question 2: When a user / security group has All Extended Rights, does it mean that it also has read/write rights to the two LAPS attributes? Will removing All Extended Rights automatically remove the read/write rights to those two attributes?
      
      Thank you
      
  • AD Permission Configuration
    2 Posts | Last post April 14, 2016
      We are about to configure AD permissions on the Parent OU, which contains many sub-OUs such as the Users, Contacts and Groups OUs, as well as the Computers OU (which contains all computers).
      
      By setting AD permissions at the Parent OU level for (1) the machine self-write rights and (2) the read / force-reset admin password rights, will there be any impact on the user, group and contact objects? Will granting these rights affect the user, group and contact objects in any way?
      
      Thanks
    • Hello,
      all permissions created by the delegation cmdlets are inheritable by Computer objects only, so they are not expected to have any impact on other object types.
      
      Interestingly, even when an ACE is inheritable by a specific directory class only (such as Computer in this case), AD actually writes the ACE to instances of the other object types as well (such as Users, Groups, etc.) rather than only to instances of the specific class.
      
      Best practice is to separate different object types into different containers; however, I've never heard of any issue with this solution caused by mixing different object types in a single OU tree. Anyway, test and verify in a non-production environment before going to production.
      
      Thanks for interest in my solution,
      Jiri
      
      
  • How to use Get-AdmPwdPublicKey?
    3 Posts | Last post April 12, 2016
      We are testing LAPS now and want to test/use encryption, but we're not sure what should be entered into the GP setting for Encryption Key (is this supposed to be the encryption key string?). I've searched online and tried to use the Get-AdmPwdPublicKey cmdlet to get some help, but can't find much written about LAPS encryption and want to check to be sure first. Whenever I try the Get-AdmPwdPublicKey cmdlet, I receive an error (Key with this ID does not exist).
      
      Thanks
      
      When I asked the question, I hadn't seen the New-AdmPwdKeyPair cmdlet yet. So I figured out how to create the encryption key info needed for the GPO using this cmdlet. However, how do the crypto key files get replicated from DCA (where the key pair was created) over to DCB (or other DCs)? Do I need to manually copy these files from one DC to the others? Thanks
    • Hello,
      You probably already found out: keys need to be manually copied to all other instances of the PDS.
      BTW, I'm working on an implementation of shared storage for keys; this would remove the requirement to manually copy the key. A sample implementation of shared storage based on Azure Key Vault is posted on GitHub (github.com/jformacek/laps-e).
      
      Hope this helped,
      Jiri
  • Error writing password to AD
    2 Posts | Last post April 12, 2016
    • Hi there,
      
      Great solution, but computers are getting this error when attempting to store the password in AD:
      Could not write changed password to AD. Error 0x80070032.
      
      I've updated the schema and run Set-AdmPwdComputerSelfPermission on the applicable OU.
      
      What else can I check?
      
      Thanks,
      Alex
    • Hello,
      the error means "Insufficient permissions". Please review the permissions on the computer object; it may be that SELF does not have the necessary permissions regardless of the delegation on the OU (for example, blocked permission inheritance on the computer object).
      
      Hope this helps,
      Jiri
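
The two questions above (who holds read/write rights on ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime beyond what Find-AdmPwdExtendedRights reports, and Jiri's advice to check whether SELF can still write on a computer object whose inheritance is blocked) can be answered with one ACL walk over the computer objects. The following is an added example, not code from the LAPS project; the function names Get-AdmPwdAce, Get-AdmPwdAttributeAccess and Test-AdmPwdSelfWrite and the OU path OU=Workstations,DC=corp,DC=example are my own, and the script assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) and at least PowerShell 3.

```powershell
# Added example (not part of LAPS): audit access to the two LAPS attributes on computer objects.
# Assumes the RSAT ActiveDirectory module; the AD: PSDrive is created when it is imported.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SchemaAttributeGuid {
    # schemaIDGUID of an attribute, looked up by lDAPDisplayName; this is the ObjectType an
    # attribute-scoped ACE carries.
    param([Parameter(Mandatory)][string]$Name)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema attribute '$Name' not found; has the LAPS schema extension been applied?" }
    [guid]$obj.schemaIDGUID
}

$AdmPwdGuid  = Get-SchemaAttributeGuid 'ms-Mcs-AdmPwd'
$ExpTimeGuid = Get-SchemaAttributeGuid 'ms-Mcs-AdmPwdExpirationTime'

function Get-AdmPwdAce {
    # Allow ACEs on one computer object that cover either LAPS attribute, or every property /
    # every extended right (ObjectType = empty GUID, which is how "All Extended Rights" and
    # "Read/Write all properties" are encoded), with read, write or control-access rights.
    param([Parameter(Mandatory)]$Computer)
    $acl = Get-Acl -Path ("AD:\" + $Computer.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -notin @($AdmPwdGuid, $ExpTimeGuid, [guid]::Empty)) { continue }
        if ($ace.ObjectType -eq $AdmPwdGuid)      { $scope = 'ms-Mcs-AdmPwd' }
        elseif ($ace.ObjectType -eq $ExpTimeGuid) { $scope = 'ms-Mcs-AdmPwdExpirationTime' }
        else                                      { $scope = 'AllProperties' }
        $r = $ace.ActiveDirectoryRights          # GenericRead/GenericWrite/GenericAll include these bits
        $row = [pscustomobject]@{
            Computer           = $Computer.Name
            Trustee            = $ace.IdentityReference.Value
            Scope              = $scope
            ReadProperty       = $r.HasFlag($Rights::ReadProperty)
            WriteProperty      = $r.HasFlag($Rights::WriteProperty)
            ControlAccess      = $r.HasFlag($Rights::ExtendedRight)   # needed together with ReadProperty to read a confidential attribute
            Inherited          = $ace.IsInherited
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
        if ($row.ReadProperty -or $row.WriteProperty -or $row.ControlAccess) { $row }
    }
}

function Get-AdmPwdAttributeAccess {
    # Question 1 above: every trustee with read/write/control-access on the LAPS attributes under an OU.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object { Get-AdmPwdAce -Computer $_ }
}

function Test-AdmPwdSelfWrite {
    # Jiri's check: per computer, can SELF write both attributes, and is inheritance blocked?
    param([Parameter(Mandatory)][string]$SearchBase)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $self = @(Get-AdmPwdAce -Computer $c) | Where-Object { $_.Trustee -eq 'NT AUTHORITY\SELF' -and $_.WriteProperty }
        [pscustomobject]@{
            Computer               = $c.Name
            SelfCanWritePassword   = [bool]($self | Where-Object { $_.Scope -in 'ms-Mcs-AdmPwd', 'AllProperties' })
            SelfCanWriteExpiration = [bool]($self | Where-Object { $_.Scope -in 'ms-Mcs-AdmPwdExpirationTime', 'AllProperties' })
            # Read again so computers with no matching ACE at all are still reported.
            InheritanceBlocked     = (Get-Acl -Path ("AD:\" + $c.DistinguishedName)).AreAccessRulesProtected
        }
    }
}

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU; replace with the OU you delegated
Get-AdmPwdAttributeAccess -SearchBase $ou | Where-Object Trustee -ne 'NT AUTHORITY\SELF' |
    Sort-Object Trustee, Computer | Format-Table -AutoSize
# Computers that will fail with "Could not write changed password to AD":
Test-AdmPwdSelfWrite -SearchBase $ou | Where-Object { -not ($_.SelfCanWritePassword -and $_.SelfCanWriteExpiration) }
```

Two things to read off the output. A confidential attribute such as ms-Mcs-AdmPwd is returned to a caller only if that caller holds both ReadProperty and a control-access grant (ExtendedRight) that covers the attribute, so an "All Extended Rights" ACE on its own does not expose the password; it supplies the second half for every attribute, and the trustee reads the password only if some other ACE (typically "Read all properties", shown here as Scope = AllProperties with ReadProperty = True) supplies the first. Removing the extended-rights ACE therefore does not remove the ReadProperty grant, which is a separate ACE. The script ignores Deny ACEs and ACEs scoped to a property set rather than to the attribute itself, so treat its result as a list of candidates to verify, not as an effective-permissions calculation.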
  • Web Portal
    3 Posts | Last post April 12, 2016
    • Hi! Can you upload here admpwdportal?
      Thank you!
    • Hi,
      
      Im also looking for the webportal.
      Great solution by the way! :)
      
      Thanks
      Fredrik
    • Hello,
      the web portal used to be part of the solution, but I removed it after getting feedback that the Kerberos Constrained Delegation to the LDAP interface of the domain controllers, which is required for the portal to work properly, is too much permission and may be considered a security issue...
      
      However, I'm thinking of publishing the portal on GitHub, similar to the portal for LAPS.E that is already there, letting admins decide whether or not they want it in their environment.
      I will post an update here once I have news.
      
      Thanks for interest in the solution,
      Jiri
  • PRE-Windows 2000 Group permissions
    2 Posts | Last post March 26, 2016
    • Hi Jiri, 
      I would like to ask you about the schema extension: is the attribute that stores the password marked as sensitive? If you have an old domain, I think there are default permissions for the PRE-Windows 2000 group to list content on the whole domain.
      Thanks Jan 
    • Hello,
      confidential attributes have been available since Windows Server 2003 SP1. When you run older DCs, the expected behavior is that anyone who has Read permission on the attribute that stores the password can actually read the value.
      Do you see any reason why someone would need to stick with an old version of DCs?
      
      Jiri
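
Jan's concern can be checked in the directory rather than assumed: whether the schema extension actually set the confidential flag on ms-Mcs-AdmPwd, who sits in Pre-Windows 2000 Compatible Access (its members get broad read on computer objects, which the confidential flag is what keeps away from the password), and whether any DC is old enough not to enforce that flag. This is an added example, not code from the LAPS project; the function names Test-AdmPwdConfidential and Get-PreWin2000CompatibleMembers are my own, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not part of LAPS): is the password attribute confidential, and who has broad read?
Import-Module ActiveDirectory

function Test-AdmPwdConfidential {
    param([string]$AttributeName = 'ms-Mcs-AdmPwd')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties searchFlags
    if (-not $attr) { throw "Attribute '$AttributeName' not in schema; has Update-AdmPwdADSchema been run?" }
    [pscustomobject]@{
        Attribute    = $AttributeName
        SearchFlags  = $attr.searchFlags
        Confidential = [bool]($attr.searchFlags -band 0x80)   # searchFlags bit 7 = fATTRSCHEMA_CONFIDENTIAL
    }
}

function Get-PreWin2000CompatibleMembers {
    # Well-known SIDs that make the group's read access effectively anonymous or domain-wide.
    $wellKnown = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-7' = 'Anonymous Logon' }
    $grp = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $grp.member) {
        # Well-known principals appear as foreign security principals named by their SID.
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals') {
            $sid = $Matches[1]
            $name = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $sid }
            [pscustomobject]@{ Member = $name; DistinguishedName = $dn; BroadRead = $wellKnown.ContainsKey($sid) }
        } else {
            [pscustomobject]@{ Member = (Get-ADObject -Identity $dn).Name; DistinguishedName = $dn; BroadRead = $false }
        }
    }
}

Test-AdmPwdConfidential
Get-PreWin2000CompatibleMembers | Format-Table -AutoSize
# The confidential flag is enforced only by Windows Server 2003 SP1 and later DCs:
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, OperatingSystemServicePack
```

If Confidential comes back False the schema extension did not take effect and every trustee with Read on the attribute can read the password; if Authenticated Users or Everyone is in Pre-Windows 2000 Compatible Access, that read exists by default on every computer object, and only the confidential flag plus the control-access requirement stands between it and ms-Mcs-AdmPwd.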
  • Unable to access http://www.laps-e.net/
    1 Posts | Last post March 23, 2016
    • While attempting to access http://www.laps-e.net/ I encounter the following error:
      
      Error 403 - This web app is stopped.
      
      The web app you have attempted to reach is currently stopped and does not accept any requests. Please try to reload the page or visit it again soon.
      
      If you are the Administrator of this web app, please visit the Azure Portal to check why the app is stopped.
      
  • Dashes
    3 Posts | Last post March 18, 2016
      I got a call from the Help Desk the other day. They reported that passwords with dashes didn't work. After some experimenting, I found out that the dash that LAPS uses is the minus key on the number pad, whereas my users were attempting to use the key on the number row of the keyboard (especially on laptops without a number pad).
      
      Could I suggest maybe having it use the dash on the number row at the top of the keyboard instead of the minus sign on the number pad?
      
      Love LAPS! Thanks for your work on this project!
    • There's some question now whether this is LAPS or something about the setup of the computers here. Please disregard for now and I'll try to narrow the problem down more.
    • This was most likely confirmation bias on my end. I cannot replicate the issue, and I can only conclude that I repeatedly fat-fingered the password. Very sorry for the noise.
  • Problem with Web Portal
    1 Posts | Last post March 16, 2016
      I get the following error with the web portal:
      
      Server Error in '/' Application.
      
      Parser Error
        Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
      
        Parser Error Message: Could not load type 'AdmPwd.Portal.Global'.
      
      Source Error:
      
        Line 1:  <%@ Application Codebehind="Global.asax.cs" Inherits="AdmPwd.Portal.Global" Language="C#" %>
      
        Source File:  /global.asax    Line:  1
      
      Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1069.1