My Experience with Microsoft's Local Administrator Password Solution (LAPS)


As part of an initiative to bolster our security posture I am implementing LAPS.  For those not familiar with LAPS, per Microsoft: "The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset."

I used an excellently written blog post as the framework for testing LAPS
https://windowsserveressentials.com/2017/06/29/configure-and-deploy-microsoft-laps/

However, for our environment there were a few additional steps we needed to take.

  1. Change the GPO we have in place that sets the renamed local administrator account for Password never expires from True to False.  If the password is set to never expire the client side LAPS dll will be unable to change the password.
  2. If you are seeing the below in the Application event log you will need to configure appropriate permissions for the computer objects/OU where LAPS is applied.  This will allow the computer account to write the changed password to your Active Directory.
 Set-AdmPwdComputerSelfPermission -OrgUnit <nameof the OU to delegate permissions>


Hopefully this blog post helps those that ran into the same issues I did during testing.







Comments

Post a Comment

Popular posts from this blog

SharePoint Online Document Library as a Mapped Drive

Image
Looking at the title of this blog post you may think that this is yet another article on how to connect to a SharePoint Online document library as a mapped drive.  But there are very few free solutions for doing this when using ADFS or Azure AD Connect for SSO.  None of the ones I found worked when using Azure AD Connect. If you are looking for a solution that works with ADFS then checkout Cookie365 https://fabiocuneaz.blogspot.it/ The problem is to obtain the authentication cookie needed to map the drive you must first SSO to SharePoint Online using Internet Explorer (other browsers will not work).  By default the cookie will expire after 5-days, but our users have a fresh Windows login almost daily at which point the cookie will be refreshed by the logon script.  That being said I don't expect the cookie to expire potentially causing a problem with connecting to the mapped drive.  If it becomes an issue I plan to look into running a portion of the Pow...
Read more

Microsoft's SharePoint Migration Tool

Image
I have been reviewing Microsoft's SharePoint Migration Tool for several months as an easy to use free alternative to some of the costly commercial migration tools like Sharegate and Metalogix. While the commercial tools work well and are feature rich they are overkill for most SMB migration projects.  Since the v1.1 release of Microsoft's SharePoint Migration Tool I consider the tool production ready as I have run into very few issues. My Requirements Low cost or free Easy to setup and use Migrate from on-prem file share Migrates varying types of NTFS permissions (inherited and unique) Take advantage of our use of Azure AD Connect for syncing permissions from on-prem to Office 365 Can handle a large amount of folders, files, and data Folders: 95,886 Files: 629,095 Data: 821 GB Live Migration Experience I started production migrations last week and so far I have only experienced a few minor issues.  After doing some digging I came across a method to repor...
Read more