You can deploy Windows to devices in many ways through a number of 1st- and 3rd-party solutions. But while different vendors offer similar ways to get your Windows-based images on computers, many of those solutions offer little control over local accounts—and more specifically, the local Administrator account.
One lingering problem is that the local Administrator password is typically copied to all the devices on which the image is deployed. Since the local Administrator account can control everything that can be performed on a computer, if the single password is compromised on any system, all systems are susceptible to compromise.
To combat this in a safe, secure manner, Microsoft developed LAPS as a means of administering the Administrator account password stored on each computer by leveraging Active Directory and Group Policy to force a randomized password to be created for each device and written to an attribute stored in the computer object's AD account. For added security, the randomized password is automatically changed after a specified length of time.
To successfully implement LAPS, you'll need to adhere to these requirements:
- Windows Server 2003 SP1 (or later) running Active Directory services
- Group Policy Management Console
- Microsoft Local Administrator Password Solution (32/64-bit)
- Schema Administrator credentials
- Administrator credentials
- .NET Framework 4.0 (or later)
- PowerShell 2.0 (or later)
Managing LAPS is a straightforward process once the initial installation has occurred. Before anything can be configured, the AD schema must be extended. Luckily, there's a built-in PowerShell script that will allow Schema Admins to perform this task simply. After the schema has been extended, AD will be prepared with the proper attributes to store LAPS passwords as they are generated and written back to Active Directory.
Importing the included ADMX template into Group Policy adds the policy settings that control the heart of LAPS: the password recipe and the expiration interval. Once the template is imported, these settings can be configured to meet your organization's needs, and the GPO linked to the organizational units that contain the devices you want LAPS to manage.
Once the policies have replicated across the domain, each client receives the policy and LAPS generates a random password according to the recipe configured in the GPO. It then writes that password back to AD in the computer object's ms-Mcs-AdmPwd attribute, which by default is readable only by Domain Admins; the companion attribute ms-Mcs-AdmPwdExpirationTime stores the expiration timestamp.
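The rollout just described, carried out from PowerShell, as an added example that is not part of the original article. It uses the AdmPwd.PS module and GPO templates that the LAPS installer's management tools provide; the domain name, the workstation OU, the LAPS-Readers group, the central-store path and the computer name WS-001 are all hypothetical values to be replaced with your own.

```powershell
# Added example (not from the article): LAPS rollout and coverage check with the AdmPwd.PS module.
# Assumptions (hypothetical values): domain corp.example, workstations in
# OU=Workstations,DC=corp,DC=example, helpdesk staff in the group LAPS-Readers.
# Step 1 needs Schema Admin rights; the remaining steps need Domain Admin rights.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou      = 'OU=Workstations,DC=corp,DC=example'   # assumption
$readers = 'LAPS-Readers'                          # assumption

# 1. Extend the schema once per forest: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
#    to the computer class.
Update-AdmPwdADSchema

# 2. Allow computers in the OU to write their own password and expiration time (the SELF principal).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Grant read access to the password only to the chosen group (Domain Admins already have it).
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers
#    Optionally let the same group clear the expiration time so the client rotates on its next refresh.
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Audit: any principal holding "All extended rights" on the OU can read every stored password.
#    Review the list and remove anything beyond the accounts you intend.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

# 5. Publish the ADMX/ADML into the SYSVOL central store so the LAPS settings appear in GPMC.
#    The LAPS installer places the templates in the local PolicyDefinitions folder; the central
#    store path below is an assumption for domain corp.example.
$local   = "$env:SystemRoot\PolicyDefinitions"
$central = '\\corp.example\SYSVOL\corp.example\Policies\PolicyDefinitions'   # assumption
Copy-Item "$local\AdmPwd.admx"       "$central\"       -Force
Copy-Item "$local\en-US\AdmPwd.adml" "$central\en-US\" -Force

# 6. After policy has applied and clients have checked in, verify coverage.
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME; an empty value means LAPS has never run on that machine,
#    and a value in the past means the client has not rotated when it should have.
function Get-LapsCoverage {
    param([string]$SearchBase)
    $now = Get-Date
    Get-ADComputer -SearchBase $SearchBase -Filter '*' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            $exp = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
            [pscustomobject]@{
                Computer = $_.Name
                Expires  = $exp
                State    = if (-not $exp) { 'NeverSet' } elseif ($exp -lt $now) { 'Overdue' } else { 'OK' }
            }
        }
}
Get-LapsCoverage -SearchBase $ou | Sort-Object State, Computer | Format-Table -AutoSize

# 7. Retrieve a single password as a member of LAPS-Readers (WS-001 is a hypothetical name).
#    The returned Password property is the clear-text local Administrator password: treat it as a credential.
Get-AdmPwdPassword -ComputerName 'WS-001'
```

Steps 1 to 5 are one-time setup; step 6 is the check worth scheduling, since a machine reporting NeverSet or Overdue still has whatever local Administrator password the image shipped with, which is exactly the shared-password exposure LAPS exists to remove.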
How does your organization manage local Admin passwords? What procedures have worked best (or not worked at all)? Share your stories with fellow TechRepublic members in the comments section.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.