LAPS Implementation Hints and Security Nerd Commentary (including mini threat model)

Security supergurustar Jessica Payne (@jepayneMSFT) wrote a fantastic blog post about LAPS a while back. We should have linked to it from here a long time ago; we are correcting that oversight now. It authoritatively answers many frequently asked questions about LAPS. Check it out: Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including…


LAPS updated to 6.2.0

Hello, tonight we released an updated version of LAPS. Changes in the new version: support for a localized local Administrators group name on localized OS builds when using the setup parameter CUSTOMADMINNAME – you no longer need to create MST files for OS builds where the name of the Administrators group is localized in order to create a custom admin account…


LAPS and AD sizing considerations

Recently, I got asked a few times by people planning a LAPS deployment about the impact of LAPS on their AD infrastructure: NTDS.dit size, replication, network bandwidth during GPO update. I always answered that the impact of LAPS will never be noticed because it is pretty small, and that is actually true. However, I thought it would be good to document…


Testing LAPS for Nano Server with ws2016lab

Recently I met Jaromir Kaspar, my fellow PFE, and we chatted about the LAPS for Nano Server Preview I recently published. He wanted to see it in action in a lab of some size. He publishes Windows Server 2016 lab hydration scripts on GitHub, so we came up with the idea of enhancing those scripts with support for provisioning…


LAPS and Nano Server

Some of you know that the new Windows Server 2016 “Nano Server” deployment option will not support Group Policy, and may be asking how you are expected to manage the local administrator’s password on it. The good news is that we are working on an implementation of the Local Administrator Password Solution (LAPS) client for Nano Server, so…


LAPS and permission to join computer to domain

Some of you may have noticed that certain users are able to read local admin passwords on some computers without having been delegated permission to do so by the LAPS administrators. If you are asking how that is possible, read on. Creation of computer account: let’s first explain how the ACL on a new AD object is created: Domain…
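The problem described above is not a delegation error that Find-AdmPwd-style reports will show you: it comes from how the ACL of a freshly created computer object is assembled, and in particular from who ends up as the object's owner. An owner holds implicit WRITE_DAC on its object, so the user who joined a machine can grant themselves read access to ms-Mcs-AdmPwd later without any LAPS administrator delegating it. The following audit is an added example and is not code from the original post or from the LAPS project. It assumes the RSAT ActiveDirectory module; the OU path and the allow-list of principals expected to have access are placeholders to adjust. It reports both non-standard owners and any ACE that grants control access on the password attribute (ms-Mcs-AdmPwd is a confidential attribute, so ReadProperty alone does not expose it; "All extended rights", GenericAll, WriteDacl or WriteOwner do).

```powershell
# Added example, not part of the original post or of the LAPS product.
# Audit who can read (or can grant themselves read on) ms-Mcs-AdmPwd for computers in an OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=contoso,DC=com'                                   # assumption: your OU
$Expected   = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\LAPS-Readers')  # assumption: allow-list

# Resolve the schemaIDGUID of ms-Mcs-AdmPwd so attribute-specific ACEs can be matched.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
                                  -Properties schemaIDGUID).schemaIDGUID
$allGuid    = [guid]::Empty   # ObjectType of an ACE that applies to every attribute / right

function Get-AdmPwdExposure {
    param([Parameter(Mandatory)][string]$ComputerDN)
    $acl = Get-Acl -Path "AD:\$ComputerDN"
    $findings = @()

    # 1. Owner. A user who created (joined) the object is its owner unless the creator was a
    #    Domain/Enterprise Admin; owners can rewrite the DACL, so this is read access in waiting.
    if ($Expected -notcontains $acl.Owner) {
        $findings += [pscustomobject]@{ Computer = $ComputerDN; Principal = $acl.Owner; Via = 'Owner (implicit WriteDacl)' }
    }

    # 2. Allow ACEs, explicit or inherited, that expose the attribute or the DACL.
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Expected -contains $id) { continue }

        $coversAttr = ($ace.ObjectType -eq $allGuid) -or ($ace.ObjectType -eq $admPwdGuid)
        $rights     = $ace.ActiveDirectoryRights
        $controlAccess = $coversAttr -and $rights.HasFlag($R::ExtendedRight)   # CONTROL_ACCESS on confidential attr
        $daclControl   = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)

        if ($controlAccess -or $daclControl) {
            $findings += [pscustomobject]@{ Computer = $ComputerDN; Principal = $id; Via = "ACE: $rights (inherited=$($ace.IsInherited))" }
        }
    }
    $findings
}

Get-ADComputer -SearchBase $SearchBase -Filter * |
    ForEach-Object { Get-AdmPwdExposure -ComputerDN $_.DistinguishedName } |
    Format-Table -AutoSize
```

Run it as an account that can read the security descriptor of the computer objects (reading the DACL does not require any LAPS delegation). The usual remediation for an unexpected owner is to have the domain-join performed by a dedicated account or process rather than by end users, and to reset the owner of already-joined computers to Domain Admins with Set-Acl; which of these the original post recommends is beyond what the excerpt shows.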


LAPS updated to 6.0.1

Hello, we released an update to LAPS last week. Changes in the new version: fixed a bug that caused the computer account not to be found by LAPS UI and LAPS PowerShell in a forest containing multiple domain trees when the computer account was in a different domain tree than the tree of the forest root domain; added the –SchemaNotUpdated switch parameter to the cmdlet Find-AdmPwdExtendedPermissions…


LAPS and MS14-025

This short post is a reminder of a few things regarding the coexistence of LAPS and local account password management via Group Policy Preferences (GPP) after installing hotfix 2928120. Managing local account passwords via GPP was not the best thing to do from a security perspective (the password is stored in SYSVOL, readable by every authenticated user), so that functionality was disabled by the hotfix mentioned above. However, installation of…
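The hotfix stops the GPP client-side extension from applying a password, but it does not touch the preference files already sitting in SYSVOL: every Groups.xml (or other preference item) that was saved with a password still carries its cpassword attribute, and SYSVOL is readable by all authenticated users. Before switching a machine population over to LAPS it is worth inventorying those leftovers. The script below is an added example, not code from the original post or from Microsoft; it assumes the domain's SYSVOL share is reachable and that the domain name placeholder is replaced.

```powershell
# Added example, not part of the original post.
# Inventory GPP preference items in SYSVOL that still carry a cpassword value.
$Domain     = 'contoso.com'                                   # assumption: your domain DNS name
$PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$Root)
    # Groups.xml is where local user/admin passwords were set via GPP; the other
    # preference types can also embed credentials, so all of them are scanned.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $Root -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        # Every preference item keeps its settings in a <Properties> element; the password,
        # when present, is the cpassword attribute of that element.
        foreach ($node in $doc.SelectNodes('//Properties[@cpassword]')) {
            if ([string]::IsNullOrEmpty($node.cpassword)) { continue }   # already cleared
            [pscustomobject]@{
                File     = $file.FullName
                Account  = $node.userName
                Action   = $node.action
                Modified = $file.LastWriteTime
            }
        }
    }
}

Find-GppCpassword -Root $PolicyRoot | Format-Table -AutoSize
```

A hit means a password that was distributed in the clear to every domain member and may still be valid on machines that have not yet had LAPS rotate the account; remove the preference item (editing the GPO, not just the XML) and let LAPS set a fresh password on the next refresh.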


LAPS and password storage in clear text in AD

People often ask me why we decided to store the password in clear text in AD when implementing LAPS. Let’s answer that question now and give guidelines on how to deal with the passwords of local administrator accounts stored in AD. The main reason for the decision to store the password in AD in clear text was the simplicity of…


LAPS and machine reinstalls

LAPS uses the attribute ms-MCS-AdmPwdExpirationTime on the computer object to remember the expiration time of the local administrator password. This works well during the lifetime of a computer. But what happens when the computer is reinstalled? The LAPS design expects that in this case the computer account is deleted and created again. But what if you decide to reuse the computer account? In this case,…
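The consequence of reusing the account is that the reinstalled machine reads an expiration time that is still in the future, so its LAPS client does nothing until that time passes: the local administrator keeps whatever password the image or answer file gave it, while AD still holds the password of the previous installation. The script below is an added example (not code from the original post or from the LAPS product). It finds computers whose machine account password was reset after the current LAPS password was set, which is the signature of a re-join, and expires the LAPS password so the next Group Policy refresh rotates it. It assumes the RSAT ActiveDirectory module and that PasswordAgeDays matches the password age configured in the LAPS GPO; the OU path is a placeholder.

```powershell
# Added example, not part of the original post.
# Detect reused computer accounts with a stale LAPS password and force rotation.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Workstations,DC=contoso,DC=com'   # assumption: your OU
$PasswordAgeDays = 30                                     # assumption: "Password age (days)" in the LAPS GPO
$ExpirationAttr  = 'ms-Mcs-AdmPwdExpirationTime'

function Find-StaleAdmPwd {
    param([Parameter(Mandatory)][string]$SearchBase, [Parameter(Mandatory)][int]$PasswordAgeDays)
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $ExpirationAttr, pwdLastSet |
        Where-Object { $_.$ExpirationAttr -and $_.pwdLastSet } |
        ForEach-Object {
            # Both attributes are FILETIME large integers.
            $expires = [datetime]::FromFileTimeUtc([int64]$_.$ExpirationAttr)
            $joined  = [datetime]::FromFileTimeUtc([int64]$_.pwdLastSet)   # reset when the machine (re)joins
            # LAPS writes expiration = rotation time + password age, so back out the rotation time.
            $admPwdSet = $expires.AddDays(-$PasswordAgeDays)
            if ($joined -gt $admPwdSet -and $expires -gt $now) {
                [pscustomobject]@{ Name = $_.Name; AdmPwdSet = $admPwdSet; ReJoined = $joined; Expires = $expires }
            }
        }
}

function Reset-AdmPwdNow {
    param([Parameter(Mandatory)][string]$Name)
    # 0 is a FILETIME in the past; the LAPS client sees an expired password on its next
    # Group Policy refresh and sets a new one. The client only ever moves this value forward.
    Set-ADComputer -Identity $Name -Replace @{ $ExpirationAttr = 0 }
}

$stale = @(Find-StaleAdmPwd -SearchBase $SearchBase -PasswordAgeDays $PasswordAgeDays)
$stale | Format-Table -AutoSize
$stale | ForEach-Object { Reset-AdmPwdNow -Name $_.Name }
```

The heuristic produces candidates, not proof: the machine account password also rolls on its own schedule (every 30 days by default), so a computer can show up without having been reinstalled. Expiring the LAPS password on such a machine costs only an extra rotation, which is why the script resets rather than asks. The LAPS PowerShell module's Reset-AdmPwdPassword cmdlet does the same write to the expiration attribute; the direct Set-ADComputer call is used here so the example runs without the module installed.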
