Managing Your Local Administrator Passwords The Correct Way


Some ideas take a long time to realize.  Unfortunately, one of those has been a good way to manage local administrator passwords.  System admins the world round have developed scripts to randomize and change the local administrator password of their systems.  Others ensure the local administrator password is disabled, but that approach is potentially flawed too (did you know the local admin account automatically is enabled in safe mode?).  Group Policy Preferences offered a reprieve for a few years,but the functionality was removed last year when Microsoft determined the obfuscated password was not secure (lets be real: it was a terrible plan to store passwords in reversible format in a – nearly universally – publicly readable file).

The solution?  LAPS – or the Local Administrator Password Solution.  You can acquire LAPS here.

LAPS introduces a client side extension for GPO.

What can it do?

  • Randomly generate passwords that are changed on managed machines
  • Effectively mitigate Pass the hash (PtH) attacks that rely on identical local account passwords
  • Enforced password protection during transport using Kerberos v5
  • Use ACLs to protect passwords in Active Directory

What can I manage with LAPS?

  • Configure password parameters such as age, complexity and length
  • Force password reset on a per-machine basis
  • Use ACLs within Active Directory to control the security model
  • Protect against computer account deletion

How does LAPS work?

  • Checks whether the local Administrator password has expired
  • Generates new password when the old password is expired or required to be changed prior to expiration
  • Validates the new password against the password policy
  • Reports the password to Active Directory, storing it in a confidential attribute in the computer account
  • Reports the next expiration time to Active Directory, storing it in an attribute in ACtive Directory
  • Changes the password of the administrator account

What does LAPS require?

Active Directory: Windows Server 2003 Service Pack 1 or later

Managed Machines: Windows Server 2003 SP2 or later, Windows Server 2003 x64 SP2 or later

Management tools: .NET framework 4.0, Windows PowerShell 2.0 or later

Leave a Reply