Local admin password management solution

The local admin password management solution works using GPO and a custom Client-Side GPO Extension. The solution periodically changes the password of the admin account to a random value and stores the current built-in admin password in a confidential AD attribute on the computer account.


  • Premier Customer version ?
    2 Posts | Last post October 10, 2015
    • Hello Jiri,
      thanks for your solution. It is just what we have been looking for. We are interested in your new "updated version that supports encryption, password history, much better auditing and other features...." that is available to Premier Customers. What is the way for us to get these new bits? Our account reps cannot seem to find anything or know who to talk to. Any help would be great.
      Thanks again for your solution.
    • Hello,
      Installers and documentation now attached to the article.
  • Premier version
    2 Posts | Last post October 10, 2015
    • We are also interested in the Premier version. It would be nice to have encryption at rest for the passwords. How can we get access to that?
    • Hello,
      Installers and documentation now attached to the article.
  • Use variable in Name of administrator account to manage
    2 Posts | Last post October 07, 2015
    • Hi, quick question.
      I have managed to get everything to work, but now I'm having problems applying it to the newly created administrator account.
      I have disabled the built-in account and created an account that is generated as: %computername%-Admin.
      I then enabled Name of administrator account to manage and typed in %computername%-Admin.
      When the GPO refreshes I get an error in Event Viewer saying:
      Could not get local Administrator account. error 0x80070534.
      Should I use another variable, or is it not possible to use one?
      regards Daniel
    • Hi Daniel,
      this is not currently possible - the CSE does not resolve environment variables when looking for a custom admin account. I may add this to vNext sometime, or can create a customization for you - ping me at admpwd (at) hotmail.com if interested in a customization.
  • Event ID 16 - Admin account management not enabled, exiting.
    2 Posts | Last post August 04, 2015
    • We have this deployed to over 500 computers and the vast majority work without a problem, and are rotating passwords as expected. We have a small handful that give the stated error when enhanced logging is turned on. The issue is that these systems are in the exact same OU as all the machines that are working, with the exact same Group Policy linked. I have tried updating to the 6.1 LAPS version, and these systems still state account management is not enabled. Quadruple checked the policy. Any ideas how I can get these few systems to start working correctly?
    • I got this worked out by tracking down the code and finding the missing registry keys that for some reason did not get pushed down on these particular machines. I have corrected that.
      I do have a feature enhancement request. It would be awesome if we could have some option to avoid ambiguous characters. The differences between a lowercase l, the number 1 and a capital I are minute in the GUI app. Just a thought: if we could avoid those characters, it would make transposing the password much less difficult. Thanks for the great tool!!!
  • Register-ADMWithGPO Not found
    3 Posts | Last post July 19, 2015
    • Anyone know why, after importing the AdmPwd.PS module, I would still be getting an error when running Register-AdmWithGPO -GpoIdentity: "Domain Controllers"?
      Error I'm getting is as follows: "The term 'Register-AdmWithGPO' is not recognized as the name of a cmdlet, function, script file, or operable program."
    • "Changed method of registration of CSE with GPO - now CSE gets automatically registered when relevant GPO settings are edited. As a result, cmdlets (Un)Register-AdmPwdWithGPO were removed as no longer needed. Instead, to allow solution to be triggered on client side, it is necessary to turn it on in GPO:
      See setting Administrative Templates/AdmPwd/Enable local admin password management - resulting policy must contain this setting as Enabled so as CSE was triggered and allowed to manage local admin password"
      Just saw this went away. 
    • Yes, newer versions do not contain this cmdlet as it was replaced by GPO setting.
      Also, running the CSE on a Domain Controller is not the best idea, as all DCs in the domain would start managing the builtin admin account in the domain, and it would be hard to tell which DC changed the password last. That's why running the CSE on a DC is not supported.
  • Multiple accounts Question
    2 Posts | Last post July 09, 2015
    • Hi Jiri,
      thanks for this great product. Since the best practice is to disable the SID 500 and create a new Local Admin, do you plan to support multiple accounts? Changing the password for only one of them is only half the solution needed! With your product available, I won't leave the disabled 500 with a fixed password, so I'm forced to use it (not disabling the 500) for your solution.
      Agreed, it's still far better than without it, but it would be a complete solution with 2 accounts possible (only need 2, not really need more than that): the disabled 500 and the other one.
      Thank you very much
      John M 
    • Hello,
      I don't have support for multiple local accounts on the roadmap yet - currently I can deliver it as a custom solution if required.
      Ping me at admpwd(at)hotmail.com if interested.
  • LAPS GUI Issues
    2 Posts | Last post July 09, 2015
    • Hello,
      I have discovered that the GUI cannot retrieve the password if the OU name begins with an asterisk. For example, if the PC is in the OU *Computers the GUI will not work, but if the name of the OU is Computers the GUI can successfully retrieve the password.
      Will there be a fix for this issue?
    • Hello,
      let me repro and see what may be wrong - I will post an update.
  • Admin account management not enabled, exiting
    3 Posts | Last post July 09, 2015
    • Hi,
      I'm experiencing an issue: passwords do not update.
      On the client side, in the Event log, I see a message:
      Admin account management not enabled, exiting
      In the group policy object, the option "Enable local admin password management" is enabled,
      the GPO is linked to the correct OU,
      however, when I run group policy results, I do not see the LAPS option in the report, but the GPO is shown as Applied.
    • Got another error
      "Could not get local Administrator account. Error 0x80070534."
    • Hi,
      regarding 0x80070534: most likely you configured the wrong admin account name in the GPO. If you want to manage the built-in admin account, keep the respective setting in the GPO as Not Configured. If you want to manage a custom admin account, configure its name in the GPO.
      Hope this helps,
  • GPO Setting Missing
    2 Posts | Last post June 24, 2015
    • I ran through all the directions, but when I get to the end and try to create the GPO itself, AdmPwd does not exist under Administrative Templates. So I cannot enable anything. What am I missing here? Is there a step I need to do again?
    • You may need to add the .admx and .adml to your central store if you have one.
  • New Policy
    3 Posts | Last post June 12, 2015
    • Hi,
      I'm evaluating the new version 5.1 and cannot find any documentation about the 2 new policies
      "Do not allow password expiration time longer than required by policy" and "Customize administrator account name"
      The last one is clear on its purpose so that leaves the other one. What happens if I enable it and the password is older than allowed but the client has no connection to the AD? What happens when I do not configure the policy? Does it mean passwords will not be changed at all? Can someone please explain this?
    • Hello,
      The option "Do not allow password expiration..." has the following functionality:
      - let's suppose that configured password max age is 30 days
      - then, for some computer, administrator uses planned password reset feature (Reset-AdmPwdPassword) and says that admin password for this computer is to expire in 1 year - far longer than max password age configured
      - without the policy "Do not allow password expiration...", admin password for that computer would expire in one year, instead of 30 days. In some environments, this can be fully legitimate scenario, while in others, this may be considered violation of the policy
      So this policy prevents admin password expiration to be longer than max password age. When CSE detects this situation, it logs a message, resets password immediately and sets its expiration according to max password age policy
      Note that if client does not have connection to AD, admin password is never changed - it only changes when client is able to report password to AD
      Clearer now?
      Thanks for interest in my solution,
    • Hi Jiri,
      thanks for clarification. :)
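
The expiration check described in the reply above (max age of 30 days, a planned reset set to expire in one year), modeled as an added PowerShell example. It is not AdmPwd source code: the function name, its parameters and the sample dates are hypothetical, and renewing a normally expired password to "now plus max age" is an assumption.

```powershell
# Added illustration of the decision described in the thread; not the CSE's own code.
# Get-ExpirationDecision and all parameter names are hypothetical.
function Get-ExpirationDecision {
    param(
        [datetime]$Now,
        [datetime]$StoredExpiration,  # expiration currently recorded for the computer
        [int]$MaxAgeDays,             # configured password max age
        [bool]$ProtectionEnabled,     # "Do not allow password expiration time longer than required by policy"
        [bool]$AdReachable            # can the client report a new password to AD?
    )
    # Without AD connectivity the password is never changed, even if it has expired.
    if (-not $AdReachable) {
        return [pscustomobject]@{ Action = 'NoChange'; NewExpiration = $StoredExpiration
                                  Reason = 'AD not reachable, new password could not be reported' }
    }
    $limit = $Now.AddDays($MaxAgeDays)
    # Protection on: an expiration beyond now + max age triggers an immediate reset,
    # and the new expiration follows the max age policy.
    if ($ProtectionEnabled -and $StoredExpiration -gt $limit) {
        return [pscustomobject]@{ Action = 'ResetNow'; NewExpiration = $limit
                                  Reason = 'expiration exceeds max age, message logged' }
    }
    # Normal expiry (assumption: renewed to now + max age).
    if ($StoredExpiration -le $Now) {
        return [pscustomobject]@{ Action = 'ResetNow'; NewExpiration = $limit
                                  Reason = 'password expired' }
    }
    [pscustomobject]@{ Action = 'NoChange'; NewExpiration = $StoredExpiration
                       Reason = 'not yet expired' }
}

# Constructed sample cases, all with a 30-day max age.
$now = [datetime]'2015-06-12T09:00:00'
$cases = @(
    @{ Name = 'Planned reset 1 year out, protection off'; Exp = $now.AddDays(365); Prot = $false; Ad = $true  },
    @{ Name = 'Planned reset 1 year out, protection on';  Exp = $now.AddDays(365); Prot = $true;  Ad = $true  },
    @{ Name = 'Expired yesterday, client offline';        Exp = $now.AddDays(-1);  Prot = $true;  Ad = $false },
    @{ Name = 'Expired yesterday, client online';         Exp = $now.AddDays(-1);  Prot = $true;  Ad = $true  }
)
foreach ($c in $cases) {
    $d = Get-ExpirationDecision -Now $now -StoredExpiration $c.Exp -MaxAgeDays 30 `
            -ProtectionEnabled $c.Prot -AdReachable $c.Ad
    '{0,-42} {1,-9} {2:yyyy-MM-dd}  {3}' -f $c.Name, $d.Action, $d.NewExpiration, $d.Reason
}
```

The offline case is the one to watch operationally: a machine that stays off the domain keeps its old password past the recorded expiration, so stale expiration timestamps in AD are worth alerting on.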