LAPS and permission to join computer to domain

Some of you may have noticed that some users are able to read local admin passwords on some computers without being delegated permission to do so by LAPS administrators. If you're asking how that is possible, read further. Creation of computer account: Let's first explain how the ACL on a new AD object is created: Domain…

LAPS updated to 6.0.1

Hello, we released an update to LAPS last week. Changes in the new version: fixed a bug that caused the computer account not to be found by LAPS UI and LAPS PowerShell in a forest containing multiple domain trees when the computer account was in a different domain tree than the tree of the forest root domain; added the -SchemaNotUpdated switch parameter to the cmdlet Find-AdmPwdExtendedPermissions…

LAPS and MS14-025

This short post is to remind you of a few things regarding the coexistence of LAPS and local account password management via Group Policy Preferences (GPP) after installing hotfix 2928120. Management of local account passwords via GPP was not the best thing to do from a security perspective, so this functionality was disabled by the hotfix mentioned above. However, installation of…

LAPS and password storage in clear text in AD

People often ask me why we decided to store the password in clear text in AD when implementing LAPS. Let's answer the question now and give guidelines on how to deal with passwords of local administrator accounts stored in AD. The main reason for the decision to store the password in AD as clear text was simplicity of…

LAPS and machine reinstalls

LAPS uses the attribute ms-MCS-AdmPwdExpirationTime on the computer object to remember the expiration time of the local administrator password. This works pretty well during the lifetime of the computer. But what happens when the computer is reinstalled? The LAPS design expects that in this case the computer account is deleted and created again. But what if you decide to reuse the computer account? In this case,…