Centralized local password

management in AD DS
(LAPS)

Kirill Nikolaev
MCSE, MCITP
What is LAPS?
• A security tool to prevent lateral movement.
• Part of Microsoft’s POP-SLAM / PtH initiatives.
• Regularly generates unique, random password for a local user.
• Supported by Premier.

• Started by Jiri Formacek as AdmPwd.

• AdmPwd.E (ex. LAPS.E) – An enhanced version of LAPS.
• LAPS.Nano.DSC exists too!

• Example:
• Single OS image deployed by HelpDesk.
What's in the box?
• Client Side Group Policy Extension (Managed computers)
• %ProgramFiles%\LAPS\CSE\AdmPwd.dll
• {D76B9641-3288-4f75-942D-087DE603E3EA}

• Fat client (SD workstations)

• %ProgramFiles%\LAPS\AdmPwd.UI.exe

• PowerShell module (SD workstations / Schema admin workstation)

• Import-module AdmPwd.PS

• GP Template (Group Policy / AD DS admin workstation)

• Admpwd.admx
Installation
1. Extend the schema.
2. Delegate permissions.
3. Configure.
4. Deploy.
5. Enjoy!
Schema attributes
• Update-AdmPwdADSchema, to update the schema.
• Custom LDIF-files: https://secureidentity.se/implementing-laps-my-way/
• ms-Mcs-AdmPwd - stores the password in plain text.
• ms-Mcs-AdmPwdExpirationTime - stores password expiration time.

(Get-ADObject 'CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net‘ -Properties mayContain).mayContain

ms-Mcs-AdmPwdExpirationTime
ms-Mcs-AdmPwd
ms-Mcs-AdmPwd attribute

Won't be cleaned up
when you delete a computer object.

Is not audited.

Part of the RODC FAS —

Is not replicated to RODC.

Readable only by holders of:

CONTROL_ACCESS permission,
All Extended Rights, Full Control.
 Full control

All extended rights

F

Control access
Delegation
1. Set-AdmPwdComputerSelfPermission -Identity <OU>
Delegation
2. Set-AdmPwdReadPasswordPermission -Identity <OU>
-AllowedPrincipals <Computers administrator(s)>

l es s
U s e
Delegation
3. Set-AdmPwdResetPasswordPermission -Identity <OU>
-AllowedPrincipals <Computers administrator(s)>
ms-Mcs-AdmPwd attribute
• Find-AdmPwdExtendedRights, to find everybody with access to it.
• By default – Domain Admins only.

• Read: The computer’s administrator.

• Write: The computer itself.

• Deny: Everyone else.

ms-Mcs-AdmPwdExpirationTime attribute
• Read: Everybody.

• Write: The computer’s administrator, the computer itself.

• Deny: Nobody.
Deployment
• MSI-package (LAPS.x64.msi, LAPS.x86.msi)
• AD
• SCCM
• Manual

• By default, only GP CSE is installed — no options/modifications for

silent installation are required.

• DO NOT INSTALL TO DOMAIN CONTROLLERS

Demo
Configuration (GPO)
Restrictions
• Only one account to manage.
• CUSTOMADMINNAME parameter to create a custom admin user during the
installation.
• GPO to define that user.
• By default — built-in Administrator (determined by SID).
• No password history.
• Use AD backups instead.
Workflow
Demo
Management
Next steps
• Where to download:
• https://www.microsoft.com/en-us/download/details.aspx?id=46899

• What to read:
• https://technet.microsoft.com/security/advisory/3062591
• https://technet.microsoft.com/en-us/mt227395.aspx
• https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-
use-of-local-accounts/
Kirill Nikolaev
MCSE, MCITP

[email protected]

https://exchange12rocks.org