Active Directory is a centralized directory service that manages domain computer and user accounts, and device configuration through Group Policy. But with the exception of domain controllers (DCs), devices joined to a domain still retain their own local user accounts.
In a domain environment, local administrator accounts that share the same password across all PCs and servers, or whose passwords are not changed regularly, leave devices exposed to pass-the-hash (PtH) attacks. Sharing a password makes it easy for IT to get access for support purposes, but once that password is discovered, an attacker can move laterally across the network and reach more sensitive credentials, such as the domain administrator account.
Some organizations reduce the risk by assigning a different local administrator password to each device and recording the results in a spreadsheet or database. But this approach has its own issues: the file used to store the passwords must itself be properly secured, and the assigned passwords are rarely, if ever, changed.
Local Administrator Password Solution
Microsoft’s free tool for Windows, the Local Administrator Password Solution (LAPS), adds a Group Policy Client-Side Extension to managed devices that allows local administrator account passwords to be securely stored in Active Directory and automatically changed every 30 days, or at another interval set by the organization. IT staff can then retrieve the current password from Active Directory when necessary.
Installing LAPS also simplifies auditing member servers and PCs, because local administrator account passwords are stored centrally and password changes across the network become easier to manage. The tool is available as a free download from Microsoft; it runs on Windows Vista and Windows Server 2003 (or later) and requires the .NET Framework 4.0 and PowerShell 2.0 or later.
How does LAPS work?
LAPS requires that the Active Directory schema (Windows 2003 SP1 or later) be extended with two new attributes, ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime, which store the local administrator password and its expiration time (when it must next be changed) for computer objects that fall within the scope of the configured Group Policy Object (GPO). It’s worth noting that LAPS can manage the password of the built-in administrator account, a renamed built-in administrator account, or another administrator account created by IT.
LAPS includes its own PowerShell module, with cmdlets for updating the Active Directory schema, setting permissions on the new attributes, and reading the password stored in Active Directory. A GUI tool for reading stored passwords is also included, but all other LAPS functions must be carried out with PowerShell.
LAPS adds four Group Policy settings under Computer Configuration, Policies, Administrative Templates, which become available on the management machine where the tool is installed. They include the ability to set password length and complexity, and to specify the name of the administrator account to manage when the built-in administrator account has been disabled in favour of another account.
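The setup and audit workflow the module supports, as an added PowerShell example that is not from the article or from Microsoft's LAPS documentation. It assumes the AdmPwd.PS module shipped with the LAPS installer is present on the management machine; the OU, group and computer names are placeholders.

```powershell
# Added example (not from the article): one-time LAPS setup for an OU, followed
# by an audit of which principals are able to read the stored passwords.
# Assumes the AdmPwd.PS module from the LAPS installer is installed.
Import-Module AdmPwd.PS

$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpdesk = 'CORP\Helpdesk-Tier1'                  # placeholder support group
# Principals expected to hold "all extended rights" on the OU (placeholders).
$approved = @('SYSTEM', 'Domain Admins', 'Enterprise Admins', 'Helpdesk-Tier1')

# 1. Extend the schema once per forest (run as a member of Schema Admins).
Update-AdmPwdADSchema

# 2. Allow computers in the OU to write their own password and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant read and reset rights only to the group that actually needs them.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpdesk

# 4. Audit: "all extended rights" on an OU implicitly allows reading
#    ms-MCS-AdmPwd, so flag any holder that is not on the approved list.
$rights = Find-AdmPwdExtendedRights -Identity $ou
foreach ($r in $rights) {
    foreach ($holder in $r.ExtendedRightHolders) {
        $name = ($holder -split '\\')[-1]          # strip the DOMAIN\ prefix
        if ($approved -notcontains $name) {
            Write-Warning "$($r.ObjectDN): unexpected password reader '$holder'"
        }
    }
}

# 5. Retrieve a password for a support task, then expire it so the client
#    rotates it at its next policy refresh instead of leaving it in use.
$entry = Get-AdmPwdPassword -ComputerName 'PC01'   # placeholder computer
'{0}: current password expires {1}' -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the clear-text value; it is deliberately not echoed here.
Reset-AdmPwdPassword -ComputerName 'PC01' -WhenEffective (Get-Date)
```

Run the audit step (4) periodically, not only after setup: delegated rights on the OU change over time, and every principal it lists can read every managed password under that OU.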