Traditional method:

Before LAPS, the local admin password could be changed either via GPO or via a startup PowerShell script.

The GPO method has not been available since one of the Windows updates in 2015; the PowerShell script approach works as below:

# Set the password of the built-in local Administrator account on this machine
$computer = $env:COMPUTERNAME
$userName = "administrator"
$password = "password"     # clear text in the script: protect the file's ACL
$account  = [adsi]"WinNT://$computer/$userName,user"
$account.SetPassword($password)
# Make sure the account is enabled (it is disabled by default on client OSes)
net user administrator /active:yes

You need to set the permissions on the script file carefully, or you can convert the clear-text password to a secure string to add a layer of security. However, LAPS is the preferable approach.

LAPS

Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

Why use LAPS instead of other password managers/vaults?

Other password managers typically require additional hardware (IIS/SQL), trusting a third party, or ad hoc practices (an Excel spreadsheet of passwords = huge security hole).

LAPS provides a streamlined approach to:

  • Periodically randomizing local administrator passwords – ensures password update to AD succeeds before modifying local secrets/passwords
  • Centrally store secrets in existing infrastructure – Active Directory (AD)
  • Control access via AD ACL permissions
  • Transmit encrypted passwords from client to AD (using Kerberos encryption, AES cipher by default)

Components
  • Agent – Group Policy Client Side Extension (CSE) – installed via MSI
    • Event logging
    • Random password generation – written from client computer to AD computer object
  • PowerShell module
    • Solution configuration
  • Active Directory – centralized control
    • Audit trail in security log of domain controller
    • Computer object, confidential attribute
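
Putting the "PowerShell module – Solution configuration" and "Control access via AD ACL permissions" points together, the following is an added example (not from the original post or from Microsoft's documentation) of configuring LAPS with its AdmPwd.PS module; the OU distinguished name, the group names and the computer name are assumed placeholders.

```powershell
# Added example (not from the original post). Run as a domain administrator on a
# machine where the LAPS management tools (AdmPwd.PS module) are installed.
# The OU, group names and computer name below are placeholders, not real values.
Import-Module AdmPwd.PS

$targetOU          = "OU=Workstations,DC=corp,DC=example"   # assumed OU
$passwordReaders   = "LAPS-Password-Readers"                 # assumed AD group
$passwordResetters = "LAPS-Password-Resetters"               # assumed AD group

# 1. One-time: extend the schema with the confidential ms-Mcs-AdmPwd attribute
#    and ms-Mcs-AdmPwdExpirationTime on the computer object class.
Update-AdmPwdADSchema

# 2. Allow computers in the OU to write their own password and expiry time
#    back to their computer object (SELF write on the two attributes).
Set-AdmPwdComputerSelfPermission -OrgUnit $targetOU

# 3. Grant the read and reset rights only to the chosen groups; everyone
#    else is denied by the confidential-attribute ACL.
Set-AdmPwdReadPasswordPermission  -OrgUnit $targetOU -AllowedPrincipals $passwordReaders
Set-AdmPwdResetPasswordPermission -OrgUnit $targetOU -AllowedPrincipals $passwordResetters

# 4. Audit: list every principal holding "All extended rights" on the OU.
#    Such principals can read the confidential attribute regardless of the
#    explicit LAPS permission granted above, so review this list regularly.
Find-AdmPwdExtendedRights -Identity $targetOU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize

# 5. Day-to-day: read one computer's password (the read is logged in the DC
#    security log) and force a rotation by expiring it; the client-side
#    extension sets a new random password at the next Group Policy refresh.
Get-AdmPwdPassword -ComputerName "WS-001" |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName "WS-001"
```

A GPO that enables local admin password management must also be linked to the OU, otherwise the client-side extension stays inactive.
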

Reference

https://technet.microsoft.com/en-us/library/security/3062591.aspx

Local Administrator Password Solution: https://technet.microsoft.com/en-us/mt227395.aspx

Download: https://www.microsoft.com/en-us/download/details.aspx?id=46899