Local admin password management solution

Local admin password management solution works using GPO and custom Client-Side GPO Extension. Solution periodically changes pwd of admin account to random value; it stores current builtin admin password in AD confidential attribute on computer account

4.6 Star
Add to favorites
E-mail Twitter del.icio.us Digg Facebook
Sign in to ask a question

  • Find-AdmPwdExtendedrights
    2 Posts | Last post February 26, 2016
    • The cmdlet Find-AdmPwdExtendedrights is not reporting correctly. It only reports that Domain Admins and SYSTEM have the permission when in my environment I have more groups with 'All extended rights' permission set. Such as Enterprise admins, and few other groups with Full Control over the OUs. I verified that with ADSIEdit, but this is a very lengthy process. Any other method to quickly find who has that permission set?
    • Hello,
      let me look at what you report, I will post update here then
  • Error 1622 when using SCCM OSD
    4 Posts | Last post February 05, 2016
    • Hello I am using the official MS 6.0.1 version and am seeing a weird issue. When I have this package set up as a standalone mandatory instllation for my machines it works fine however when I try to install it during image time via SCCM OSD it fails by feeding back a 1622 error which does not mean it actually failed but since SCCM does not understand this return code it becomes an implicit fail.
      The program for advertisement "SCCM Package ID" failed ("SCCM Package ID" - "Microsoft LAPS x64"). A failure exit code of 1622 was returned
      Is there a way to resolve this?
    • Hello,
      I neve seen this error before. Are you installing in Task Sequence or when? Task Sequence time install is expected to be working.
      Anyway, workaround may be one of the following:
      - copy just admpwd.dll and register it via regsvr32
      - install MSI into golden image
      Hope this helps,
    • Hello Jiri,
      We are installing through an Operating System Task Sequence, installing Windows 7 SP1. It is toward the end of our install. The package runs with the following command line msiexec 6.0.1\LAPSx64.msi /quiet  At this time we would not be able to copy it in to the gold image and recapture test I need to install it at image time.
    • Hello,
      what happens if you enter full path to MSI file instead of relative path?M
  • LAPS.E?
    2 Posts | Last post January 31, 2016
    • Is this still being worked on? I have been reading up on LAPS for a while. Saw there is an encrypted version that I would like to look at as well. Tried to go to the web page but get the below.
      http://www.laps-e.net -
      Error 403 - This web app is stopped.
      Also any reason why LAPS is supported by Microsoft but the encrypted version is not? Thank you for working on both solutions. A lot of people don't understand horizontal attacks and the need for something like this.
    • Hello,
      yes, the solution is still worked on and will be worked on in the future. Web site is running now.
      Regarding support story: Microsoft decision was that LAPS is good enough and did not want to invest into LAPS.E
      Hope this helps,
  • Migrate/Upgrade from Basic to Enterprise
    2 Posts | Last post January 14, 2016
    • Hi Jiri,
      If I want to migrate/upgrade from Basic to Enterprise, is it then only a matter of deploying a new CSE dll, install PDS, update AD schema and re-configure the GPOs ?
      Or do the CSE dll not even need to be updated ?
    • Hi
      Never mind. I just saw that CapnJax21 asked the same and you provided the answer there.
  • LAPS with Reimaging Systems - MDT
    2 Posts | Last post January 10, 2016
    • Jiri - do you know of any way I can script the password to reset for systems that I am reimaging with MDT/SCCM?  Right now, if i reimage a system and keep the same name in AD, the passwords are out of sync.  My policy is set to 30 days so it can be a while for the machines to get their correct password.  This is becoming a bit of a problem since our helpdesk relies heavily on LAPS to support remote users.
    • Hello,
      see my post and attached script here: http://blogs.msdn.com/b/laps/archive/2015/05/06/laps-and-machine-reinstalls.aspx 
      Hope this helps,
  • Creation of custom admin account during CSE setup doesn't work in non-English OS
    7 Posts | Last post January 03, 2016
    • Hi,
      In my environnement, the MSI installer reports "Error 26403. Failed to add user to group" if I provide the CUSTOMADMINNAME option. It seems to fail to add the newly created user account to the 'Administrators' group, because in my OS (German), this group is actually called "Administratoren". It works if I manually create a group called administrators, the user is created and added to that group...
      Is there a way to make this option available for non-English operating systems, maybe by pointing to the SID of that group? Thanks!
    • Hello,
      yes, I'm aware of this limitation; will be addressed in next version
      Thank you for using my solution,
    • Hi everyone, any update on this? i have the same issue, severals branch offices around the world with different administrators groups names. Maybe there is a workaround working with the mst transformations?
    • Hello,
      I plan to fix it in upcoming version of LAPS.E planned for early January 2016
    • @Rotronic - I had the same issue and realized I would have to actually transform the MSI for each language.  One of the tables has the group name.  Send me a message and I'll send you a screenshot of the transformed msi.
    • Look in the Group and UserGroup tables.  Save a transform for each language.  I have it done for Danish, German and Spanish/Portugues Brazilian. Group Name translated:
      Danish - Administratorer
      German - Administratoren
      ES/PTB - Administradores
      I still need to transform for Italian, Russian and polish.
    • Hello CapnJax21, all,
      recent release of LAPS.E ( contains support of localized name of Administrators group out of box - no need for custom MST
      Hope this will help,
  • Difference between LAPS.E and the LAPS-Enterprise from Premier ?
    2 Posts | Last post January 03, 2016
    • Hi Jiri,
      What is the difference between your LAPS.E and the offering I got from our TAM on our Premier agreement? 
      It says:
      * Analysis of any current solutions used in the environment today
      * Prepare the lab and the Production environment for changes made by this
      * Implementation of the Solution into the Production Active Directory
      Is it the same binary as your LAPS.E that is being implemented ?
    • Hi Richard,
      the offering is around the latest binaries of LAPS.E and added value is as described in the offering: analysis of current environment, deployment support in lab and prod, and knowledge transfer for operating of the solution
      Best regards,
  • Any plans to support more than 1 local account
    2 Posts | Last post January 03, 2016
    • Hi Jiri,
      Are there any plans to provide support for more than 1 local admin account. Would be nice, if it could manage the built-in and any number of local accounts that we define (by name in the GPO). And with 2 different permission groups to retrieve the built-in and all the additional accounts passwords.
    • Hi Richardo,
      this is possible as custom delivery. Reason is that best practice is to minimize # of local admin accounts used, and I want mainstream version of solution to be aligned with this practice. However, I understand that there may be many valid reasons for customers not to follow this best practice, so I deliver this as custom delivery.
      Best regards and thank you for interest in my solution,
  • is it possible to retrieve version
    2 Posts | Last post December 20, 2015
    • Hi,
      Can i find somewhere the binaries for version
    • Any specific reason why not to use latest version?
  • Upgrading from LAPS to LAPS-E
    2 Posts | Last post December 18, 2015
    • Jiri
      Thanks for this solution.
      I've implemented LAPS in my environment without much issue (some minor issues with fonts and having a hard time viewing the password).  Reading more about this, the history portion of the your latest release is something that I am highly considering since it can help my IT personnel track down old passwords if a machine has been off, disabled and no longer has a trust with the domain.
      Since I already have LAPS implemented, what should I expect in deploying out LAPS-E.  Is it as simple as redeploying the new client to everyone?
      Thanks in advance.
    • Hello,
      upgrade from LAPS. to LAPS.E is possible and basically as follows:
      - install and configure PDS (server side of LAPS.E)
      - configure LAPS.E specific permissions for LAPS.E (for PDS, for readers, and for resetters)
      - configure solution using LAPS.E ADMX files
      - install LAPS.E client side (it automatically upgrades CSE)
      difference between LAPS and LAPS.E is that in LAPS.E, only PDS needs to interact with AD and admin tools read/reset passwords of managed local admin account via PDS, while LAPS admin tools work directly with AD
      as a minimal option, you can just upgrade client side and configure GPO with LAPS.E ADMX, and work without admin tools, reading password history directly from AD via script or attribute editor
      Hope this helps,
41 - 50 of 182 Items