From LedHed's Wiki

Overview

Microsoft LAPS (Local Administrator Password Solution) provides secure management of the built-in local administrator account password on workstations and servers: each machine gets a unique, regularly rotated password that is stored in Active Directory.


Info

  • LAPS can be downloaded and installed on Windows 2003 SP1 and above.
  • An MSI package must be installed on each workstation or server that will be managed by LAPS.
  • It supports Windows Vista and above.
  • It requires a Schema Change to Active Directory.
  • It requires security delegation (ACLs) on the computer object attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
  • Passwords are stored in clear text in ms-Mcs-AdmPwd! Read access to the above attributes must therefore be delegated carefully and only to the people who need it.
  • Password changes are secured with Kerberos and AES encryption (passwords are not transmitted over the wire in clear text).
  • LAPS can be managed with PowerShell or the GUI client.
  • The GUI client requires the full computer name (searches and wildcards are not supported).
  • Password complexity and rotation settings are controlled with Group Policy.

If your organization has separate Support Desk and Server Admin teams, delegate read permission on the above AD attributes per OU so that the Support Desk cannot read server passwords. This is most easily accomplished by keeping workstations and servers in separate OUs and delegating on each OU independently.
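The per-OU delegation described above, plus the audit that confirms the Support Desk cannot read server passwords, as an added PowerShell example using the AdmPwd.PS module that ships with the LAPS management tools. This is not code from the wiki page; the OU distinguished names, group names and computer name are placeholders to be replaced with your own values.

```powershell
# Added example (not from the wiki page): delegating and auditing LAPS permissions
# per OU with the AdmPwd.PS module. OU paths, group names and the computer name
# below are placeholders.
Import-Module AdmPwd.PS

# One-time step: extend the AD schema with ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime (run as a member of Schema Admins).
Update-AdmPwdADSchema

$WorkstationOU = "OU=Workstations,DC=example,DC=local"   # placeholder
$ServerOU      = "OU=Servers,DC=example,DC=local"        # placeholder

# Each computer must be allowed to write its own password and expiration attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU
Set-AdmPwdComputerSelfPermission -OrgUnit $ServerOU

# Support Desk may read and force-reset passwords for workstations only;
# Server Admins get the same rights on the server OU and nothing on workstations.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals "EXAMPLE\SupportDesk"
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals "EXAMPLE\SupportDesk"
Set-AdmPwdReadPasswordPermission  -OrgUnit $ServerOU      -AllowedPrincipals "EXAMPLE\ServerAdmins"
Set-AdmPwdResetPasswordPermission -OrgUnit $ServerOU      -AllowedPrincipals "EXAMPLE\ServerAdmins"

# Audit: ms-Mcs-AdmPwd is a confidential attribute, so any principal holding
# "All extended rights" on computer objects in the server OU can read the
# clear-text password. Only Server Admins (and Domain Admins, which hold these
# rights by default) should appear here; SupportDesk must not.
Find-AdmPwdExtendedRights -Identity $ServerOU |
    Select-Object -ExpandProperty ExtendedRightHolders

# Retrieve one password and its expiry. As with the GUI client, the full
# computer name is required; wildcards are not accepted.
Get-AdmPwdPassword -ComputerName "SRV01" |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Force a rotation at the next Group Policy refresh, e.g. after the password
# has been handed out for a support session.
Reset-AdmPwdPassword -ComputerName "SRV01"
```

Run the audit after every delegation change and whenever computer objects are moved between OUs: a server moved into the workstation OU silently inherits the Support Desk's read permission.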


Reference

  • https://technet.microsoft.com/en-us/mt227395.aspx
  • https://www.microsoft.com/en-us/download/details.aspx?id=46899
  • https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/