You Might Want to Audit Your LAPS Permissions - Part1

In today's blog, I'd like to quickly talk about the Local Administrator Password Solution (aka LAPS). It's nothing new and has been around for some time. If you aren't familiar with it, take a look at the documentation, found here: Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

 It short, it is a solution that allows computers to publish a generated password, for a defined local admin account, to an attribute on itself in Active Directory. For a bit more detail, here are the bullet points from the "How Does LAPS Work?" section in the link above:

 The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:

• Checks whether the password of the local Administrator account has expired.
• Generates a new password when the old password is either expired or is required to be changed prior to expiration.
• Validates the new password against the password policy.
• Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
• Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
• Changes the password of the Administrator account.

  The password can then be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.

Read more.


Gruß,
Dani