Local admin password management solution

The local admin password management solution works using a GPO and a custom Client-Side GPO Extension (CSE). The solution periodically changes the password of the local admin account to a random value and stores the current built-in admin password in a confidential AD attribute on the computer account.

 
 
 
 
 
4.6 Star (58)
11/26/2016


  • Password encryption
    4 Posts | Last post May 13, 2015
    • Hello Jiri,
      is there any way to save the generated passwords to AD encrypted?
      Our company has one big AD forest and we (the Czech and Slovak departments) don't want to store passwords in clear-text format because other global Domain Admins can read these stored passwords and there is no legal way to deny access to Domain Admins.
      
      Do you plan to develop this feature, please? I think that this could be easy.
      
      Thank you,
      Petr M.
    • Hi Petr,
      we have an Enterprise version of the solution, available for Premier customers. This version supports password encryption via RSA keys, password history, enhanced auditing and contains a Web UI for password retrieval/reset. I guess this may be an option for you?
      
      Best regards & thanks for interest in my solution,
      Jiri
    • Hello Jiri,
      how can I get this enterprise version please?
      
      Regards, Petr
    • Hi Petr,
      Please ping me on admpwd (at) hotmail.com to follow-up
      
      Thank you,
      Jiri
      
  • Set-AdmPwdAuditing Question
    2 Posts | Last post May 13, 2015
    • Hi Jiri
      
      We've made a couple of attempts to turn on Auditing on the DCs using "Set-AdmPwdAuditing –OrgUnit: Container -AuditedPrincipals: Everyone"
      
      "Container" is a top level OU with all the computer objects in sub OUs. I'm assuming from our results that this needs to be run on each container. Or is there a wildcard or other method to cascade the results to the sub-structure like the other commands do?
      
      Keep up the good work!
    • Hello Bob,
      as long as inheritance of permissions is not blocked, the audit ACE is expected to be propagated to child OUs from the parent OU automatically.
      
      Hope this helps,
      Jiri
  • Import Module fails
    2 Posts | Last post May 06, 2015
    • Hello,
      I am having trouble with the latest version. The import of the module AdmPwd.PS (Import-Module AdmPwd.PS) in PowerShell always fails with a conflict in the runtime version, which says that the module was created with a newer version than the one installed.
      
      I have checked all dependencies (PowerShell 2.0, .NET 4.5 and C++ 2013 are installed) and could not find the problem. The server is an SBS 2011, which is based on Win 2008 R2.
      
      Please help!
      
      Best regards
      Ingo
    • Hello,
      this is caused by the behavior of PowerShell on pre-Win2012/Win8 machines: PowerShell by default only loads the .NET 2 runtime, but the module is compiled for the .NET 4 runtime. To enable the module, you need to create a powershell.exe.config file in $pshome with the following content:
      
      ---
      <?xml version="1.0"?> 
      <configuration> 
          <startup useLegacyV2RuntimeActivationPolicy="true"> 
              <supportedRuntime version="v4.0.30319"/> 
              <supportedRuntime version="v2.0.50727"/> 
          </startup>
      </configuration>
      ---
      
      Hope this helps,
      Jiri
  • Self permissions for all OrgUnits
    2 Posts | Last post May 06, 2015
    • Hello,
      how could I run the command Set-AdmPwdComputerSelfPermission so that this permission will be set over the complete forest/domain?
      
      I want to run it over the complete forest and not for selected OrgUnits, because I do not want to look for this permission if new OrgUnits are created in the future.
      
      Best regards
      Ingo
    • Hello,
      it is possible: just run it against your domain, as in the sample below:
      Set-AdmPwdComputerSelfPermission -OrgUnit "dc=myDomain,dc=com"
      
      If you have multiple domains in the forest, do it in each domain.
      
      Hope this helps,
      Jiri
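An added example, not from the thread above: it applies the self-permission and auditing delegation once at the domain root (as recommended in the answers on Set-AdmPwdComputerSelfPermission and Set-AdmPwdAuditing) and then verifies two things a practitioner would want to check afterwards: which principals can actually read the password in each OU, and whether any OU blocks inheritance, in which case the ACEs do not propagate. It assumes the AdmPwd.PS and ActiveDirectory modules are installed and that the caller may modify the domain ACL.

```powershell
# Added example (not part of the original posts). Assumes AdmPwd.PS and the
# ActiveDirectory module (for Get-ADDomain, Get-ADOrganizationalUnit, AD: drive).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. "DC=myDomain,DC=com"

# Computers must be able to write their own password and expiration attributes.
# Applied at the domain root, the ACE inherits to every child OU that does not
# block inheritance, so OUs created later are covered automatically.
Set-AdmPwdComputerSelfPermission -OrgUnit $domainDn

# Audit every read of the password attribute; the audit ACE inherits the same way.
Set-AdmPwdAuditing -OrgUnit $domainDn -AuditedPrincipals Everyone

# Verification pass over all OUs in the domain.
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn
foreach ($ou in $ous) {
    $dn = $ou.DistinguishedName

    # Inheritance blocked here means neither ACE above reached this OU:
    # the Set-AdmPwd* cmdlets must be re-run against this OU explicitly.
    $acl = Get-Acl -Path ("AD:\" + $dn)
    if ($acl.AreAccessRulesProtected) {
        Write-Warning "Inheritance is blocked on $dn; re-run the Set-AdmPwd* cmdlets here."
    }

    # Who can read the password in this OU? Holders of "All extended rights"
    # granted long ago show up here and are worth reviewing.
    foreach ($r in (Find-AdmPwdExtendedRights -Identity $dn)) {
        [pscustomobject]@{
            OU      = $r.ObjectDN
            Holders = ($r.ExtendedRightHolders -join '; ')
        }
    }
}
```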
  • Questions about upgrades
    2 Posts | Last post May 06, 2015
    • Great solution! Now that Microsoft officially calls this "LAPS", how do we receive notification of upgrades, and will there be instructions on how to upgrade? I understand there is talk about supporting multiple accounts and encryption in AD.
    • Hello,
      LAPS is built on this solution and designed to be able to upgrade it. Just run the LAPS installer and it will upgrade the version downloaded from here. For new version notifications, see the related blog: http://blogs.msdn.com/b/laps/
      
      Also, there is LAPS Enterprise, available to Premier customers, that contains additional features, including password encryption via RSA keys, password history, enhanced auditing, and a Web UI for password retrieval/reset.
      Multiple accounts is something that's being discussed: whether or not to make it part of the mainstream version or keep it as a custom delivery (as it is now).
      
      Thanks for interest in my solution,
      Jiri
  • Still Open Source
    2 Posts | Last post May 03, 2015
    • Jiri,
      
      Thank you for this solution and I'm glad to see Microsoft has incorporated it into their product catalog.  In light of this, will you still be keeping the source code published here?  Thanks!
    • Hi Bryan,
      no, the source code will not be published here.
      
      Thanks,
      Jiri
  • disable expiration
    2 Posts | Last post May 02, 2015
    • Hi Jiri,
      is it possible to disable automatic rotation/expiration of the password? Actually, we would like to only reset the passwords manually and not let them expire. The GPO files talk about a maximum value of 365 days; is it possible to set this to 0 and disable expiration?
      
      thanks!
    • Hello,
      currently, 0 is understood as an invalid value, meaning that the password will always rotate automatically. I will consider implementing this in vNext.
      
      You can "emulate" this by modifying the max limit for password age in the admin templates and configuring a very long password age (such as 10 years = 87600).
      
      Hope this helps,
      Jiri
  • Local Admin Password Issues Continue
    3 Posts | Last post May 02, 2015
    • Jiri,
      Thank you for responding a second time, but I am still having issues with the process. The issue is that the client machines only show an expiration time in the attribute field and the password attribute field is blank. I also receive "Error 16 - Admin Account Management not enabled - exiting" in the logs when I enable logging. The clients are in scope of the Local Admin setting GPO, password management is enabled, and I have the other settings configured. I bypassed the domain GPO and configured the local admin settings in the local GPO and had the same problem. Permissions to the schema attributes and AD permissions have been applied. Any help you can provide is appreciated. Thank you for creating such a great tool; we are excited to implement this.
    • I've resolved my problem. I updated the client to the 2015 release, but it looks as if I didn't add the updated GP templates into the domain store. Once I did that, enabled "Enable local admin password management" and refreshed GP, all was well in the logs and in the computer account attributes. Keep this one in the back of your pocket: I had no idea what you meant by enabling that setting because I didn't have it. Thanks for your help and thank you for such a great solution.
    • Hello,
      glad the solution works for you as expected. The idea with this setting was to enable admins to enable/disable the CSE on specific machines via the GPO, without the need to uninstall the CSE or unregister the CSE from the GPO.
      
      Thanks for using my solution,
      Jiri
      
  • Event ID 16 From AdmPwd
    2 Posts | Last post April 22, 2015
    • Jiri, Thank you for the quick response. All of the test machines are in the same OU. An RSOP to the troublesome machines confirms that the GPO is applying to the machine. The GPO is configured for Password complexity - Large letters, small letters, numbers and specials, 12 character length and 90 days for the password age. Thank you in advance for any help you can provide.
    • Hello, the important policy to enable is "Enable local admin password management".
      Configuring password length, complexity, etc. does not have any effect until "Enable local admin password management" is Enabled; this policy is the main switch that allows the client-side GPO extension to start working.
      
      Hope this helps,
      Jiri
  • Event ID 16 From AdmPwd
    2 Posts | Last post April 20, 2015
    • Hi Jiri. This is an excellent solution to a common problem. Thank you for your efforts.
      I am implementing this in a location with 6000+ computers. I have updated the schema and applied the needed permissions to the root of the domain for ease of use. I am testing on a sub-OU that has a GPO with the AdmPwd template applied to the domain GP store. It is set to use all characters, reset every 90 days and create a 12 character password.
      I have this working great on three test PCs. A few machines will show the expiration as a general date with no password in the Admin Tool. I could send a reset trigger to the computer, but the password never updates. I enabled logging and tried again. I received "Error 16 - Admin Account Management not enabled - exiting". In reading the Operations Guide I am still not sure what the issue is. The default local admin account is renamed and enabled. It has our standard password currently refreshed by GPP the old way (we are removing it once this is in place), and the computer is in scope of the AdmPwd GPO. I have run all PS commands for permissions and extension connection to the GPO. I even tried the new client and that didn't help.
      
      I need to be able to prove 100% success here, but I can't roll this out until I figure this out. We are at a loss - our machines are all a Windows 7 standard build deployed via MDT. What are your thoughts? Thank you in advance.
    • Hello,
      getting the event "Password management not enabled..." means that the "Enable local admin password management" GPO setting is not set to Enabled. It must be set to Enabled so that the solution starts working on clients. Please review the RSOP on the affected clients.
      
      Thanks for using my solution,
      Jiri
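An added example, not from the threads above: a client-side check for the "Error 16 - Admin Account Management not enabled" situation discussed in the last three threads. It reads the policy values the CSE consumes and compares them with what AD holds for this computer (an expiration set while the password attribute stays empty is the symptom both posters describe). It assumes the AdmPwd ADMX writes its settings to HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd with the value names AdmPwdEnabled, PasswordLength, PasswordComplexity and PasswordAgeDays, and that the AD attributes are ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime; the password value itself is never printed.

```powershell
# Added example (not part of the original posts). Registry path, value names
# and attribute names are assumptions stated in the lead-in.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

if (-not (Test-Path $policyKey)) {
    # No policy key at all: the machine is not in scope of the GPO, or the
    # updated ADMX was never imported into the central store (see thread above).
    Write-Warning "No AdmPwd policy applied to this computer (key $policyKey missing)."
} else {
    $p = Get-ItemProperty -Path $policyKey

    # The main switch: all other settings are ignored until this is 1,
    # and the CSE exits with event 16 while it is not.
    if ($p.AdmPwdEnabled -ne 1) {
        Write-Warning '"Enable local admin password management" is not Enabled; expect event 16.'
    } else {
        Write-Output ("Password management enabled: Length={0} Complexity={1} AgeDays={2}" -f
            $p.PasswordLength, $p.PasswordComplexity, $p.PasswordAgeDays)
    }
}

# Compare with the computer object in AD. Reading the password attribute needs
# the extended right; only whether it is populated is reported, never its value.
Import-Module ActiveDirectory
$comp = Get-ADComputer -Identity $env:COMPUTERNAME `
            -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

$exp = $comp.'ms-Mcs-AdmPwdExpirationTime'
if ($exp) {
    # The expiration is stored as a Windows FILETIME (100 ns ticks since 1601, UTC).
    $expiry = [DateTime]::FromFileTimeUtc([int64]$exp)
    Write-Output "Expiration time in AD: $expiry (UTC)"
} else {
    Write-Output 'No expiration time set in AD yet.'
}

if ($comp.'ms-Mcs-AdmPwd') {
    Write-Output 'Password attribute is populated.'
} elseif ($exp) {
    # Deadline written but no password: the symptom of the CSE exiting early.
    Write-Warning 'Expiration set but password attribute empty (or not readable by this account).'
}
```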