Managing local administrator passwords in the enterprise with ‘Microsoft LAPS Local Administrator Password Solution’.
When it was announced in May 2014 that CPasswords could be easily found and decrypted from the Groups.xml file created by Group Policy Preferences, the enterprise needed a better solution to manage local administrator accounts and, more importantly, the password being used. Commonly, Group Policy Preferences were used to change the administrator account name and password across the enterprise workstations; however, the issue was twofold: the administrator's password was written to the ‘CPassword’ field of a Groups.xml file located in the SYSVOL directory (as well as locally), and the same password was used for all PCs/laptops across the network. Should the password become compromised on one host, an attacker could move laterally from one PC to another, dumping creds.

A better solution was required, enter LAPS! LAPS enables you to have a unique, complex password for each domain-joined machine (Vista and above), with the password stored centrally in AD and access restricted to specific users (e.g. the helpdesk) via an access control list. LAPS requires only .NET 4.0 and PowerShell 2.0; it does, however, require an AD schema update. LAPS is controlled from its own user interface, and it does require a small amount of GPO configuration and a client to be installed on each machine.
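As an added example (not part of the original post, nor Microsoft's own tooling), here is a PowerShell audit that reports where Group Policy Preference XML in SYSVOL still carries the legacy cpassword attribute, which is exactly the exposure LAPS removes. It only reports that the attribute is present and never attempts to decrypt it. The domain name, the SYSVOL path and the sample Groups.xml are constructed for illustration and are not from the post.

```powershell
# Added example (not from the original post): audit Group Policy Preference
# XML for the 'cpassword' attribute that LAPS is meant to make unnecessary.
# Assumptions: the SYSVOL path, domain name and sample XML below are constructed
# for illustration. The audit only reports presence; it never decrypts anything.

function Test-GppXml {
    param(
        [Parameter(Mandatory)] [xml]    $Xml,
        [Parameter(Mandatory)] [string] $Source
    )
    # Any element carrying a cpassword attribute is a finding, whatever its depth.
    # XPath attribute names are case-sensitive; GPP writes it in lowercase.
    foreach ($node in $Xml.SelectNodes('//*[@cpassword]')) {
        [pscustomobject]@{
            Source  = $Source
            Element = $node.ParentNode.Name        # e.g. 'User' for a local account entry
            Account = $node.GetAttribute('userName')
            NewName = $node.GetAttribute('newName')
            Finding = 'cpassword present'
        }
    }
}

function Find-GppCPassword {
    [CmdletBinding()]
    param(
        # Root to search; on a DC this is typically \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)] [string] $SysvolPath
    )
    # Groups.xml holds local account settings; the other preference files listed
    # can also carry cpassword for service accounts, tasks, data sources and drives.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml'
    $files = Get-ChildItem -Path $SysvolPath -Recurse -Include $names -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        [xml] $doc = Get-Content -Path $f.FullName -Raw
        Test-GppXml -Xml $doc -Source $f.FullName
    }
}

# Constructed sample: the shape of a GPP local-account entry that renames the
# built-in Administrator and sets its password (value replaced by a placeholder).
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="localadm" cpassword="REDACTED-PLACEHOLDER"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@

[xml] $doc = $sample
Test-GppXml -Xml $doc -Source 'constructed-sample\Groups.xml' | Format-Table -AutoSize

# On a real domain controller (path is an assumption, adjust to your domain):
# Find-GppCPassword -SysvolPath '\\corp.example\SYSVOL\corp.example\Policies' | Format-Table -AutoSize
```

The MS14-025 update stopped Group Policy Preferences from creating new password entries, but it did not remove entries that already existed in SYSVOL, so a sweep like this is the check to run before (and after) moving local administrator management to LAPS: any file it reports should have the preference item deleted from the GPO and the affected accounts rotated.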
I’ll walk through setting up LAPS in a test lab and client setup in my next post.