Local admin password management solution

The local admin password management solution works using GPO and a custom Client-Side GPO Extension. The solution periodically changes the password of the local admin account to a random value and stores the current built-in admin password in a confidential AD attribute on the computer account.


  • New Version This Month?
    4 Posts | Last post December 12, 2015
    • I was about to roll this out but was waiting for the new version since we have RODCs.  Still plan on it being out soon?
    • Hello,
      yes, it's alive. Solution rebranded as official MS product, available for free download, and RODC support is there. See updated description for more info; also direct link for related security advisory article is here: https://technet.microsoft.com/en-us/library/security/3062591 
    • So, where can I find a solution of LAPS for RODC? Or is it not supported in this version?
    • Hello,
      latest MS branded version of LAPS is here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
  • Event 4662 Logged on GP Refresh - Noise in Event Logs
    3 Posts | Last post November 26, 2015
    • Hi Jiri et al,
      I have LAPS working fine in our environment but I am seeing too many instances of the audit event 4662 logged which are not the users explicitly retrieving the LAPS password from AD.
      I have worked out that the cause is group policy refreshing for those users who have access to retrieve the password and it is accessing the password of the machine they are logged on to.
      Does anyone have any idea what might cause this in group policy refresh or a way of filtering this out in my audit collection services reports?
      Any advice or guidance would be very much appreciated.
    • Hello,
      noise is usually caused by poorly written management tools that read all attributes of computer account without really needing them. Other typical cause is Attribute Editor in DSA/ADSIEDIT that does the same.
      This noise is one of the reasons why I changed the auditing model in LAPS.E - it does not rely on DS auditing, but rather produces an audit trail in a dedicated log maintained by PDS
    • Thanks Jiri both for LAPS itself and your help now. I'll look into LAPS.E.
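An added example (not code from the thread or from LAPS) for separating GP-refresh noise from real retrievals: it resolves the schemaIDGUID of ms-Mcs-AdmPwd, filters 4662 events on it, and summarises readers by account. It assumes the RSAT ActiveDirectory module, read access to the Security log of the DC named in $dc (a placeholder), and that DS access auditing is enabled.

```powershell
# Added example, not part of the original thread or of LAPS.
# Assumptions: ActiveDirectory module present, $dc is a placeholder DC name,
# 4662 auditing is enabled on the DC.
Import-Module ActiveDirectory

$dc = 'DC01'   # placeholder: the DC whose Security log is examined

# The 4662 Properties field lists attribute schemaIDGUIDs, not names, so
# look up the GUID of ms-Mcs-AdmPwd in the schema partition first.
$schemaNC = (Get-ADRootDSE -Server $dc).schemaNamingContext
$attr = Get-ADObject -Server $dc -SearchBase $schemaNC `
          -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid = ([guid]$attr.schemaIDGUID).Guid

$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) }
$reads = foreach ($ev in Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $data = @{}
    foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.Properties -notmatch $pwdGuid) { continue }   # access to some other attribute
    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Object  = $data.ObjectName
    }
}

# GP-refresh noise looks like one account reading the same computer object
# every refresh interval; genuine retrievals are sparse and spread over objects.
$reads | Group-Object Account |
    Select-Object Name, Count,
        @{ n = 'DistinctObjects'; e = { ($_.Group.Object | Sort-Object -Unique).Count } } |
    Sort-Object Count -Descending
```

Accounts with a high Count but a DistinctObjects value of 1 are the refresh noise described above; accounts touching many objects are the ones worth reviewing.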
  • The problem with access to a password.
    4 Posts | Last post November 23, 2015
    • Hi! Thanks for a good solution for password management, but I have a problem with obtaining and resetting the password. When I try to get or reset the password, LAPS receives an error "The User has insufficient access rights". But all permissions on objects are set correctly, and when I open properties of an object from ADSI I can see the passwords and when they expire. Could you help me?
    • Hi Nickolay,
      are you speaking about LAPS or LAPS.E? ACLs look different between those 2 versions: LAPS uses built-in permissions, while LAPS.E uses a custom permission model
      Thank you for using my solution,
    • I'm speaking about LAPS.E. I downloaded the latest version.
    • For LAPS.E, the permissions that are important are:
      - for users of the solution:
          - Read Local admin password (custom permission defined by LAPS.E)
          - Reset Local Admin password (custom permission defined by LAPS.E)
      - for PDS service account:
          - read/write ms-mcs-AdmPwdExpirationTime
          - read/control_access on ms-Mcs-AdmPwd and ms-Mcs-AdmPwdHistory
      Please make sure that all permissions are in place on the computer object
  • Set-AdmPwdServiceAccountPermission
    3 Posts | Last post November 11, 2015
    • Thanks for the great tool Jiri,
      I'm a little confused about the use of the Set-AdmPwdServiceAccountPermission cmdlet.  The OpsGuide says to create a group for servers running the Decryptor Service (I have created a dedicated server for this and added its machine account to this group) but the cmdlet takes an OU as well as a group as input.  If you are using a group then why do you need to specify an OU as well?  Is that OU supposed to contain the computers that are being managed by the solution?
      Same with the Set-AdmPwdReadPasswordPermission cmdlet.  If I have created a group that contains the users allowed to read the passwords why do I need to also specify an OU and what should that OU contain?
    • Hi Jay,
      OU is a TARGET to which permissions are applied, while AllowedPrincipals parameter specifies IDENTITY that will have permissions on OU.
      Example: You want to allow PDS (group MY_PDS_SERVERS) to be able to operate on computers in OU MyComputers. so you will use the command
      Set-AdmPwdServiceAccountPermission -Identity MyComputers -AllowedPrincipals MY_PDS_SERVERS
      Similarly for other cmdlets that grant ReadPassword and ResetPassword permission
      Clearer now?
    • Thanks for the clarification Jiri.  Makes sense to me now.  
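An added example (not the project's own code) of the TARGET/IDENTITY split explained above, followed by the check a defender wants afterwards: who actually ended up with extended rights on the OU. It assumes the AdmPwd.PS module with the -Identity/-AllowedPrincipals parameter form used in the thread; the OU and group names are placeholders.

```powershell
# Added example, not code from the thread or from LAPS.
# Assumptions: AdmPwd.PS module imported; $ou and the group names are
# placeholders for your own environment.
Import-Module AdmPwd.PS

$ou       = 'OU=MyComputers,DC=corp,DC=example'   # TARGET: where the ACEs are written
$readers  = 'LAPS_Password_Readers'               # IDENTITY: who may read passwords
$resetter = 'LAPS_Password_Resetters'             # IDENTITY: who may force a reset

# Grant: the OU is the object whose ACL changes, the group is the trustee.
Set-AdmPwdReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $resetter

# Verify: Find-AdmPwdExtendedRights lists every principal holding "All
# extended rights" on objects under the OU, which is what allows reading the
# confidential password attribute. Reset permission is a plain attribute
# write and does not show here. Anyone outside the expected set can read
# every managed password under $ou and should be reviewed.
$expected = @($readers, 'Domain Admins', 'Enterprise Admins', 'SYSTEM')
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            $name = ($holder -split '\\')[-1]            # strip DOMAIN\ prefix
            if ($expected -notcontains $name) {
                [pscustomobject]@{ ObjectDN = $_.ObjectDN; UnexpectedHolder = $holder }
            }
        }
    }
```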
  • Change font used to display password in AdmPwd UI?
    5 Posts | Last post November 08, 2015
    • Hi Jiri,
      We've run across an interesting but serious problem with our AdmPwd deployment. Our helpdesk staff uses the AdmPwd UI to retrieve system passwords. They've told me that they often mistype the password because the font in the UI tool makes it difficult to discern some characters, e.g. lowercase L and uppercase I, uppercase O and number 0, etc. Is it possible to change the font that the UI uses to display the password, such as to Courier? (I've given them the workaround of copying and pasting the password into Notepad and changing the font, but that's cumbersome.)
    • Just a quick update: I managed to load up the project in VS2013 and edit the field in Forms Designer. I found that changing the font to Consolas, 18pt makes the password much more readable and less likely to confuse similar characters. I've recompiled the UI tool for our needs, but I'd still request that you entertain the idea of making this change with the next version to help others. Thanks!
    • Hello,
      Thanks for feedback, I'll look at it for vNext
      Thanks for using my solution,
    • Hi Jiri, thanks for the LAPS UI solution, any chance it could be tweaked as suggested for Consolas 18pt (or allow it to be customised via reg/config file) ?  We are having similar issues with MS Sans Serif causing confusion with L's and 1's. Thanks.
    • Hello,
      look at LAPS.E UI - it has a more readable and bigger font for the password. I may do the same for LAPS in some vNext
  • Keypair creating failing on PDS
    4 Posts | Last post November 05, 2015
    • I'm attempting to generate a new key pair on a 2008R2 PDS server and getting an error in PowerShell "New-AdmPwdKeyPair : None of discovered services seems to be reachable". I have confirmed the SRV record, checked the service is on and listening via 61184 (via Telnet), and tried it with and without the firewall enabled. Any ideas what this error indicates?
    • Hello,
      might be configuration issue. Are you running PDS under NETWORK SERVICE, or a different account?
      Thank you for interest in my solution,
    • Running as NETWORK SERVICE. Anything particular in the configuration I should check? I have rerun all the delegation steps and other config steps in the guide. I should also mention in a different lab I was successful in implementing, but want to know for this case how to know what is wrong.
    • Hello,
      when running as NETWORK service, everything is expected to run out of box without additional configuration, thus:
      - PDS registers SRV record in DNS
      - PDS setup creates a Windows Firewall exception
      - SPN host/%computername% is used for authentication
      - GPO "PDS service runs using domain account" is NOT configured
      For more troubleshooting, I would need to look myself in your environment
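An added example (not part of the thread or of LAPS.E) that checks the first three items in the list above from an admin workstation: the _admPwd SRV record, TCP reachability of the advertised PDS port, and the HOST SPNs on the PDS computer account. It assumes the ActiveDirectory, DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); the GPO setting in the fourth item is checked by hand.

```powershell
# Added example, not code from the thread or from LAPS.E.
# Assumptions: ActiveDirectory module, Resolve-DnsName and Test-NetConnection
# available on the machine running the check.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$srvName = "_admPwd._tcp.$domain"

# 1. SRV record: PDS registers it at start-up, and the DNS server this client
#    uses may not have received it yet (the "wait an hour" case in the thread).
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "$srvName not found; check the PDS service is running and allow DNS replication time"
    return
}

foreach ($rec in $srv) {
    $pds = $rec.NameTarget.TrimEnd('.')

    # 2. TCP reachability on the port the record advertises (61184 in the thread).
    $tcp = Test-NetConnection -ComputerName $pds -Port $rec.Port -WarningAction SilentlyContinue

    # 3. SPN: under NETWORK SERVICE the PDS authenticates as host/<computer>,
    #    so the computer account must carry its HOST SPNs.
    $acct = Get-ADComputer -Filter "DNSHostName -eq '$pds'" -Properties servicePrincipalName
    $hasHostSpn = [bool]($acct.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })

    [pscustomobject]@{
        PDS      = $pds
        Port     = $rec.Port
        Priority = $rec.Priority
        TcpOpen  = $tcp.TcpTestSucceeded
        HostSpn  = $hasHostSpn
    }
}
```

A row with TcpOpen false while the service is listening locally points at the firewall exception from item 2; HostSpn false points at the SPN from item 3.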
  • Creating Keypairs on PDS
    3 Posts | Last post October 31, 2015
    • I am trying to generate a keypair and getting a PS error which looks like the PDS computer is unable to locate the DNS record for _admPwd? Like I mentioned, I am trying to generate the keypair on the PDS, so why is it performing the discovery in DNS?
      New-AdmPwdKeyPair : SRVRecord _admPwd._tcp.xxx.com not found
      At line:1 char:1
      + New-AdmPwdKeyPair -KeySize 1024
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [New-AdmPwdKeyPair], AutodiscoverException
          + FullyQualifiedErrorId : AdmPwd.Types.AutodiscoverException,AdmPwd.PS.GenerateKeyPair
    • Ah! Never mind, guess I just needed to wait for the SRV record to propagate to the DC I was connected to. Tried again an hour later and it worked like a charm :-)
    • Hello,
      Admin tools always look into DNS to locate instance of PDS - benefit is that you don't need to care about admin tools configuration, you just install and run it. Also, you don't need to care when you move PDS to a different machine, tools will find it automatically.
  • Multiple local accounts?
    4 Posts | Last post October 25, 2015
    • Does this version support password management for additional local accounts beyond the built-in Administrator? 
      Thanks, Keith
    • Hello,
      no, this version still supports a single account per machine. I always said that one local admin account is just enough, that's why I'm conservative about putting multiple accounts support into the mainstream version.
      However, if you really require it, it's possible to deliver multi account support as customization
      Hope this helped,
    • Thanks Jiri for the quick response. Actually we would like to be able to manage a second non-Admin local user account that is used in the event of no domain connectivity or available cached credentials.  How could we receive such a customization? 
    • Hello Keith,
      Currently, the option to go is via MCS engagement
  • i'm unable to use the fat client in a client computer
    4 Posts | Last post October 23, 2015
    • Hi,
      When I try to use the LAPS UI and search for a computer, no password is returned and on the status bar I get a message like "SRVRecord _admPwd._tcp.[fqdn for my domain] not found".
      Any guess what it might be?
      Thanks for your time. Regards
      Miguel Santos
      PS: Great tool. Thanks.
    • Is the _admPwd record in your AD DNS Zone under _tcp?
      The record gets auto-created when the PDS service starts, provided everything else is configured properly.
    • PDS service? I've run the operations guide and there is no service to install... and I have no record, though the client works OK on the DC, but no luck with a W7 Pro client
    • Hello,
      you probably went through wrong doc. Look at LAPS.E_TechSpecs.docx - there's complete specification including PDS service
  • AdmPwdPortal
    7 Posts | Last post October 17, 2015
    • hello jiri,
      We need your help to deploy the Web Portal, we need the separate ZIP archive!
      Thx .
    • Hello,
      web portal is now open source project accessible here: https://github.com/jformacek/laps-e/tree/master/Clients. I added compiled starting version here as well, however best way may be go for source code, customize for your usage and compile for your use.
    • Thx very much :)
    • thanks for the link, but I have some questions please:
      1- I need the tutorial for setting up in IIS ( windows server 2012 )
      2- What is the record I have to put in the web repertoire? WebUI or all clients directory?
      I already tested but the web page is not displayed .
      Best regards..
    • Hello,
      You need to configure KCD from web to PDS to make it running. Described in Ops guide document.
      Hope this helps,
    • hello,
      The app didn't show anything in Forest DNS name, is it related to the commented functions in the LDAPUtilities.cs file?
      I tried to uncomment that code, DirectoryUtils does not exist under AdmPwd.ServiceUtils,
      is there a file or some kind of reference missing ?
      Thanks in advance,
      best regards.
    • Hello,
      List of forests can be left empty - then local forest is used.
      To prepopulate it, use Group Policy "AD forests shown in management tools" and let it apply to the web server