LAPS - Detailed Technical Specification

Saturday, November 5, 2016 5:49 PM

Local Administrator Password Management

Detailed Technical Specification
Published: June 2015

Authors:
Tom Ausburne, Microsoft
Jiri Formacek, Microsoft

Abstract: This document summarizes fundamental Operational procedures for Local Administrator
Password Solution (LAPS)

Copyright © 2015 Microsoft Corporation. All rights reserved.

Table of Contents
1 Installation
1.1 Management Computers
1.2 Managed Clients

2 AD Preparation
2.1 Modifying the Schema
2.2 Permissions
2.2.1 Removing Extended Rights
2.2.2 Adding Machine Rights
2.2.3 Adding User Rights

3 Group Policy
3.1 Changing the Group Policy Settings
3.2 Enabling the local administrator password management
3.3 Password parameters
3.3.1 Administrator account name
3.4 Protection against too long planned time for password reset

4 Managing Clients
4.1 Viewing password settings
4.2 Resetting the password

5 Troubleshooting

LAPS-NOSi Page 1
 5 Troubleshooting
5.1 Event Logging and Auditing
5.1.1 Client Logging
5.1.2 Event IDs
5.2 Problem Scenarios
5.3 Auditing

1 Installation
There are two parts to the installation, the management computers and the clients you want to
manage.
The installation of binaries and related files is handled by the MSI package. This will install the
following:
- GPO CSE: must be present on each managed machine
- Management tools:
o Fat client UI
o PowerShell module AdmPwd.PS
o Group Policy Editor admin templates
The default is to install the CSE only. The management tools are installed on demand.

File Reference
The installation for the Fat client UI is done to folder:
%ProgramFiles%\LAPS
AdmPwd.UI.exe
AdmPwd.Utils.config
AdmPwd.Utils.dll
The installation for the PowerShell modules is done to folder:
%WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS
AdmPwd.PS.dll
AdmPwd.PS.format.ps1xml
AdmPwd.PS.psd1
AdmPwd.Utils.config
AdmPwd.Utils.dll
%WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\en-us
AdmPwd.PS.dll-Help.xml
The installation for the CSE is done to folder:
%ProgramFiles%\LAPS\CSE
AdmPwd.dll
The installation for the Group Policy files is done to folders:
%WINDIR%\PolicyDefinitions
AdmPwd.admx
%WINDIR%\PolicyDefinitions\en-US

LAPS-NOSi Page 2
 %WINDIR%\PolicyDefinitions\en-US
AdmPwd.adml

1. Management Computers
Double click on the appropriate MSI installer for your platform (LAPS.<platform>.msi) to get started.

Click Next. Accept license agreement and click Next

For the first management machine, you should enable all the installation choices for management
tools

Click Next.

LAPS-NOSi Page 3
Click Install.

Click Finish.

2. Managed Clients
This installation uses the same install files, AdmPwd.Setup.x64.msi and AdmPwd.Setup.x86.msi as on
the management computers. These can be installed/updated/uninstalled on clients using a variety
of methods including the Software Installation feature of Group Policy, SCCM, login script, manual
install, etc.
If you want to script this you can use this command line to do a silent install:
msiexec /i <file location>\LAPS.x64.msi /quiet or

LAPS-NOSi Page 4
 msiexec /i <file location>\LAPS.x64.msi /quiet or
msiexec /i <file location>\LAPS.x86.msi /quiet

Just change the <file location> to a local or network path.

Example: msiexec /i \\server\share\LAPS.x64.msi /quiet

Alternative method of installation to managed clients is to copy the AdmPwd.dll to the target
computer and use this command:
regsvr32.exe AdmPwd.dll

Note: If you install by just registering the dll it will not show up in Program and Features as shown
below.

Once this is installed you can see it in Programs and Features.

2 AD Preparation

1. Modifying the Schema

The Active Directory Schema needs to be extended by two new attributes that store the password of
the managed local Administrator account for each computer and the timestamp of password
expiration. Both attributes are added to the may-contain attribute set of the computer class.
ms-Mcs-AdmPwd – Stores the password in clear text
ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

To update the Schema you first need to import the PowerShell module. Open up an Administrative
PowerShell window and use this command:
Import-module AdmPwd.PS

LAPS-NOSi Page 5
 You update the Schema with this command:
Update-AdmPwdADSchema

Note: If you have an RODC installed in the environment and you need to replicate the value of the
attribute ms-Mcs-AdmPwd to the RODC, you will need to change the 10th bit of the searchFlags
attribute value for ms-Mcs-AdmPwd schema objet to 0 (substract 512 from the current value of the
searchFlags attribute). For more information on Adding Attributes to or Removing attributes
from the RODC Filtered Attribute Set, please refer to http://technet.microsoft.com/en-
us/library/cc754794(v=WS.10).aspx.

2. Permissions
The Active Directory infrastructure offers advanced tools for implementation of the security model
for this solution by allowing for per-attribute Access Lists (ACLs) and implementing confidential
attributes for password storage. There are four sets of rights that need to be modified.

1. Removing Extended Rights

To restrict the ability to view the password to specific users and groups you need to remove “All
extended rights” from users and groups that are not allowed to read the value of attribute ms-
Mcs-AdmPwd. This is required because the All Extended rights/permissions permission also gives
permission to read confidential attributes.
If you want to do this for all computers you will need to repeat the next steps on each OU that
contains those computers. You do not need to do this on subcontainers of already processed OUs
unless you have disabled permission inheritance.
1. Open ADSIEdit
2. Right Click on the OU that contains the computer accounts that you are installing this solution on
and select Properties.
3. Click the Security tab
4. Click Advanced
5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click
Edit.
6. Uncheck All extended rights

LAPS-NOSi Page 6
Important: This will remove ALL extended rights, not only CONTROL_ACCESS right, so be sure that all
roles will retain all necessary permissions required for their regular work.
To quickly find which security principals have extended rights to the OU you can use PowerShell
cmdlet. You may need to run Import-module AdmPwd.PS if this is a new window.
se :<OU name> | Format-Table

2. Adding Machine Rights

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all
computer accounts has to be added to the SELF built-in account. This is required so the machine can
update the password and expiration timestamp of its own managed local Administrator password.
This is done using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new
window.
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

Repeat this procedure for any additional OUs that contain computer accounts that are in scope of
the solution and are not subcontainers of already processed containers.

3. Adding User Rights

Add the CONTROL_ACCESS permission (extended right) on ms-Mcs-AdmPwd attribute of the
computer accounts to group(s) or user(s) that will be allowed to read the stored password of the
managed local Administrator account on managed computers.
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -
AllowedPrincipals <users or groups>
Use the same –OrgUnit name(s) as in the previous command.

LAPS-NOSi Page 7
 Use the same –OrgUnit name(s) as in the previous command.

Note: You can use multiple groups and users in the same command separated by comma.
Example:

Set-AdmPwdReadPasswordPermission -OrgUnit Servers -AllowedPrincipals contoso

\Administrator,contoso\HelpDesk,contoso\PwdAdmins

Add the Write permission on ms-Mcs-AdmPwdExpirationTime attribute of computer accounts to

group(s) or user(s) that will be allowed to force password resets for the managed local Administrator
account on managed computers.
Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -
AllowedPrincipals <users or groups>

Use the same –OrgUnit name(s) as in the previous commands.

Note: You can use multiple groups and users in the same command separated by comma.
Example:

Set-AdmPwdResetPasswordPermission -OrgUnit Servers -AllowedPrincipals contoso

\Administrator,contoso\HelpDesk,contoso\PwdAdmins

3 Group Policy
1. Changing the Group Policy Settings
The settings are located under Computer Configuration\Administrative Templates\LAPS.

2. Enabling the local administrator password management

LAPS-NOSi Page 8
 2. Enabling the local administrator password management
Management of password of local administrator account must be enabled so as the CSE can start
managing it:

3. Password parameters
By default this solution uses a password with maximum password complexity, 14 characters and
changes the password every 30 days. You can change the values to suit your needs by editing a
Group Policy.
You can change the individual password settings to fit your needs.

1. Administrator account name

If you have decided to manage custom local Administrator account, you must specify its name in
Group Policy.

LAPS-NOSi Page 9
 Note: DO NOT configure when you use the built-in admin account, even if you renamed it. That
account is auto-detected by well-known SID. DO configure when you use a custom local admin
account.

4. Protection against too long planned time for password reset

If you do not want to allow setting planning password expiration of admin account for longer time
than maximum password age, you can do it in GPO:

4 Managing Clients
1. Viewing password settings
Once everything is configured, and Group Policy has refreshed on the clients, you can look at the
properties of the computer object and see the new settings.

LAPS-NOSi Page 10
The password is stored in plain text. The Expiration date is stored as the number of 100-nanosecond
intervals that have elapsed since the 0 hour on January 1, 1601 untill the date/time that is being
stored. The time is always stored in Greenwich Mean Time (GMT) in the Active Directory. If you want
to manually convert it use this command:
w32tm /ntte <number you want to convert>

There is also a graphical interface available. When you install the program on a computer where you
want the ability to easily retrieve the password just select the Fat client UI option.

LAPS-NOSi Page 11
The program you want to run is C:\Program Files\LAPS\AdmPwd.UI.exe. It will be in the menu and
looks like this:

Or this on Windows 7.

Launch the interface, enter the client name and click Search.

LAPS-NOSi Page 12
You can also get the password using PowerShell.
Get-AdmPwdPassword -ComputerName <computername>

What happens if a user who hasn’t been granted rights to see the local Administrators password
tries to access it? If they were to gain access to the GUI interface the password won’t be displayed.

If they have installed the RSAT tools and run Active Directory Users and Computers (ADUC) to view
the password it will show as <not set>.

LAPS-NOSi Page 13
 This information is not seen because the extended rights were removed and only certain individuals
and groups were granted the rights to see this.

2. Resetting the password

To manually reset the password, just click the Set button in LAPS UI tool. When a Group Policy
refresh runs, password will be reset.
You can also plan password expiration for the future. To do so, enter desired expiration date/time
into respective field.

You can also reset the password using PowerShell.

Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>

5 Troubleshooting
This solution has a variety of logging options for troubleshooting purposes.

1. Event Logging and Auditing

1. Client Logging
The CSE logs all events in the Application Event Log of local computer. Log messages are English only,

LAPS-NOSi Page 14
The CSE logs all events in the Application Event Log of local computer. Log messages are English only,
but can be localized or additional language can be added, if necessary.
The amount of events that are logged is configurable via the following registry REG_DWORD value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}}\ExtensionDebugLevel
This value is not there by default and must be added.

Possible values are as follows:

Value Meaning
0 Silent mode; log errors only
When no error occurs, no information is logged about CSE activity
This is a default value
1 Log Errors and warnings
2 Verbose mode, log everything

2. Event IDs
The Event source for all events reported by CSE is always “AdmPwd”. The following table
summarizes the events that can occur in the Event Log:

ID Severity Description Comment

2 Error Could not get computer This event is logged in case that CSE is not able to
object from AD. Error %1 connect to computer account for local computer in AD.
%1 is a placeholder for error code returned by function
that retrieves local computer name, converts it to DN
and connects to object, specified by the DN
3 Error Could not get local This event is logged in case that CSE is not able to
Administrator account. Error connect to managed local Administrator account.
%1
%1 is a placeholder to error code returned by function
that detects the name of local administrator’s account
and connects to the account
4 Error Could not get password This event is logged in case that CSE is not able to read
expiration timestamp from the value of ms-Mcs-AdmPwdExpirationTime of
computer account in AD. computer account in AD
Error %1.
%1 is a placeholder for error code returned by function
that reads the value of the attribute and converts the
value to unsigned __int64 type
5 Error Validation failed for new local This event is logged when password validation against
admin password against local local password policy fails.
password policy. Error %1.
5 Informati Validation passed for new This event is logged when password is successfully
on local admin password. validated against local password policy
6 Error Could not reset local This event is logged in case that CSE is not able to reset
Administrator's password. the password of managed local Administrator account.
Error %1
%1 is a placeholder for error returned by
NetUserSetInfo() API

LAPS-NOSi Page 15
 NetUserSetInfo() API
7 Error Could not write changed This event is logged in case that CSE is not able to report
password to AD. Error %1. new password and timestamp to AD.
%1 is a placeholder for error code returned by
ldap_mod_s call
10 Warning Password expiration too long This event is logged in case that CSE detects that
for computer (%1 days). password expiration for computer is longer than
Resetting password now. allowed by policy in place while protection against
excessive password age is turned on
11 Informati It is not necessary to change This event is logged after CSE detects that it is not yet
on password yet. Days to the time to reset the password
change: %1.
%1 is a placeholder for number of 24-hour’s intervals
that remain till the password will be reset
12 Informati Local Administrator's This event is logged after CSE resets the password of
on password has been changed. managed local Administrator account
13 Informati Local Administrator's This event is logged after CSE reports the password and
on password has been reported timestamp to AD
to AD.
14 Informati Finished successfully This event is logged after CSE performed all required
on tasks and is about to finish
15 Informati Beginning processing This event is logged when CSE starts processing
on
16 Informati Admin account management This event is logged when admin account management
on not enabled, exiting is not enabled

Note: Generally, all events with severity “Error” are blocking. When any error occurs, no other tasks
are performed and CSE terminates processing.

2. Problem Scenarios

Symptom: Client gets Event ID 7, “Could not write changed password to AD. Error 0x80070032” in
the Event log.
Solution: The client is not in a managed OU. Move it to a managed OU or run the PowerShell
commands to add the Machine Rights to the OU the client is in.

Symptom: When importing AdmPwd.PS module, you get error “Import-Module: Could not load file or
assembly 'file:///C:\Windows\system32\WindowsPowerShell\v1.0\Modules\admpwd.ps\AdmPwd.PS.dll' or
one of its dependencies. This assembly is built by a runtime newer than the currently loaded runtime and
cannot be loaded.”
Solution: You need to allow PowerShell to load .NET Framework 4. To allow this, you need to change
powershell.exe.config to contain this:
<?xml version="1.0"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0.30319"/>
<supportedRuntime version="v2.0.50727"/>
</startup>
</configuration>

Symptom: Everything is installed but the password isn’t updating on the client and nothing is logged
in the Event Log.
Solution: The CSE hasn’t been enabled with a Group Policy that applies to the client. Set the policy

LAPS-NOSi Page 16
Solution: The CSE hasn’t been enabled with a Group Policy that applies to the client. Set the policy
“Enable local admin password management” to Enabled

Symptom: After running the Schema update, the new attributes aren’t showing in the computer
properties.
Solution: If the status of the Schema update was successful you may be experiencing replication
issues or latency. In larger environments this attribute population may take some time to
propagate.

Symptom: Users that haven’t been specifically granted permissions can still see the password.
Solution: This is usually due to not removing the “All Extended rights” permission from groups and
users. Check the effective rights on the computer in question.

3. Auditing
Auditing users who successfully query and read the local administrator password for a computer can
be accomplished by using a PowerShell cmdlet. You may need to run Import-module AdmPwd.PS
if this is a new window.
Set-AdmPwdAuditing –OrgUnit: <name of OU on which you want to setup the auditing> -
AuditedPrincipals: :<identification of users/groups whose access to password shall be audited>

When a password is successfully read, a 4662 event is logged in the Security log of the Domain
Controller.

LAPS-NOSi Page 17
You will notice that the schemaIDGUID is reflected in the Event properties.

LAPS-NOSi Page 18