Deploying Microsoft LAPS (Local Administrator Password Solution)

Captions
Okay, recently Microsoft released a security advisory that dealt with local administrative passwords, in mitigation of pass-the-hash attacks, and that led to the release of a Microsoft Knowledge Base article where they give you the download for the LAPS software, which you can see here. It's supported on Server 2003 Service Pack 1 and after. Download either the 64- or 32-bit flavour that you want. One thing to note is that the documentation is also downloadable in here, separately. Next. Okay, now the download. This is why I love Internet Explorer: I've now got to click Save, it asks for each thing, and I tell it exactly the way I want to go about it. I love IE.

Okay, so those are the files sat on my desktop. To install the software on a control or management PC: I've got a server here that's already got the Remote Server Administration Tools installed upon it, and I'm going to install everything, so I want the management tools, the fat client (which we'll have a look at in a minute), the PowerShell module (which we'll also have a look at) and the GPO editor templates. I've previously installed on this machine the Group Policy Management Console snap-in; you'll see why in a short while. So that's it installed on the management machine.

What I'm going to do now is deploy the software out to the machines that I want to control the local admin password on. So I'm just creating a share on this machine; I'm going to put a copy of the software within this here so that I can deploy it by Group Policy. I'm just going to stick a dollar on the end there to make it a hidden share, and I'm going to grant Domain Computers read access to that share. So I've got read access for Domain Computers; I didn't remove Everyone, you can if you want, I'm just going to leave it in for the purpose of demonstration. Click OK, and I'm also going to add those in on the NTFS permissions, so I add in my computers in there and by default they get Read & Execute. So I'm going to copy exactly the same MSI install file that I used to install it on the management machine into my folder here.

You don't have to deploy this by Group Policy; I just think that's an easy way of doing it. You can actually install it manually on the client; you can also install it with a /quiet switch so there's no user interaction. By default it only puts the management software on. But I'm going to link a Group Policy here to the root of the domain that will deploy the software: a new package to deploy. If anybody has not done this before, don't browse to it on your machine; you need to put in the UNC path to the share that you created. Remember that mine is a hidden share, so you'll have to stick the dollar on the end. So if I backslash, I should see my install package. There it is. I'll click Advanced, click OK. There's nothing really much to do on here. Over on the Deployment tab, I always like to uninstall when it falls outside of scope; everything else is not really applicable to us, for instance the Upgrades, Categories and other tabs. But on the Security tab I'm going to grant Domain Computers rights to the software, because you see they're not listed. Okay, and they've got Read, which is all I need. As I said, there's nothing really else to set up on here. Click OK and that's my deployment set up to farm that out to my domain machines. Close this lot down.

If we jump across now onto our Windows 8 machine, you will know that the client software has been deployed if you have a look at Add or Remove Programs. So I'm just using the shortcut here, appwiz.cpl, which will bring me up the same console. If I look at Add or Remove Programs you see that Local Administrator Password Solution has been installed; that's been deployed by Group Policy, so I know it's on my client machines.

Back on my management machine, what I need to do now is extend the Active Directory schema. What it does is it puts a couple of schema objects in. There are a couple of commands to execute: before I can execute the command I need to import the module into PowerShell. If you have a look in the documentation you'll see there's the command, that, and then I need to extend the schema. That takes a little while longer, but there we go. So those put a couple of extra objects into the Active Directory schema that allow this process to work.

Okay, so the computers that I'm going to deploy this to are in their own OU; you can see there, it's called Domain Computers. I've got a couple of test machines and they're on the test network. I'm going to deploy the solution to them rather than deploy it to everything in the domain (domain controllers etc.). So the first thing I need to do is grant those computers the rights to be able to write to those Active Directory objects, and this big long PowerShell command on there shows you how to do that; it's all in the documentation. So I'm allowing the computers in the Domain Computers OU the right to self-update the Active Directory user object, and if it's been successful you should just see "delegated" there. What I can do is find who has permissions on a particular OU to view the local admin passwords, using Find-AdmPwdExtendedRights -Identity "Domain Computers" (remember, that's my OU), and you see by default there SYSTEM and Domain Admins have rights to be able to view the local password. Now if I want to add in users, you will see the PowerShell that I need to execute to do that is Set-AdmPwdReadPasswordPermission, and I'm setting it on an organizational unit, remember that's called Domain Computers, and I specify what group I want to allow rights to using -AllowedPrincipals. Now I've got a group already set up called HelpDesk, so in the domain\groupname format I can add that on the end; if you have more than one you can just separate them with a comma. You see there, I've now delegated access to Domain Computers to that group.

Okay, so actually the last part is I need to send out the client-side bits by Group Policy, so I'm going to create a new Group Policy now and I'm going to link it to that OU that my computers are in, and this is what's going to send out the settings for the Local Administrator Password Solution via policy. So we've already deployed the software; this is going to actually configure the settings on the client machines. You'll notice now within here, if you expand Policies > Administrative Templates > LAPS, you'll notice there's another four settings here now. The last one is the one that actually turns it on, so if I open up and enable that, that allows the management of the local administrator passwords. Hit Previous. This particular policy is, if you already have password policies and there's a conflict, how it's going to behave; that's not applicable to me. Remember, the administrator account name: it doesn't have to be "Administrator", it can be a local one; if you've renamed the local admin account then it will just pick it up. And this sets the actual password itself, so 14 characters long, 30 days, and how complex the password is going to be. Apply and OK. That's finished with that.

So to actually view the password for my local machine, I'm going to do that via PowerShell using Get-AdmPwdPassword and specify the computer name that I want to get the local admin password for; in this case it's "piano or window zero zero V" (the computer name as captioned). If I hit return it will show me the new local administrator password, and to prove it's not smoke and mirrors, the second one is "zero", and there's the password for that. Now you don't have to use PowerShell of course; as I said earlier there is a fat client that you can give to your helpdesk operators. It's installed, you saw me tick it as an option when we first installed the software. If you look in Program Files > LAPS > AdmPwd.UI, you can do it in the GUI, so you can simply tap in the client name of the computer you want to recover the local admin password for, hit Search, there it is, and once again, another PC, Search, and there's the local admin password for that one.

That's pretty much it done: LAPS deployed and configured. Thanks very much for watching, don't forget to come and visit us at
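The server-side sequence the video walks through (import the module, extend the schema, grant the computers SELF write, delegate read to the helpdesk group, then verify with Find-AdmPwdExtendedRights and read a password with Get-AdmPwdPassword) collected into one script, plus a check you can run on a client to confirm the GPO values (14 characters, 30 days) actually landed. This is an added example, not PeteNetLive's own script. It assumes LAPS v1 with the AdmPwd.PS module installed on the management machine, an OU named "Domain Computers" and a group called HelpDesk as in the video, and a placeholder NetBIOS domain "DOMAIN". The auditing step and the registry policy path are not from the video; both are standard LAPS v1 features.

```powershell
# Added example (not the video's script). Assumes LAPS v1 (AdmPwd.PS) on the management
# machine, managed computers in an OU called "Domain Computers", a helpdesk group
# DOMAIN\HelpDesk (DOMAIN is a placeholder NetBIOS name), and that the caller is a
# Schema Admin for the schema step and a Domain Admin for the delegation steps.

Import-Module AdmPwd.PS

function Invoke-LapsDelegation {
    param(
        [string]$OrgUnit = 'Domain Computers',
        [string[]]$ReaderGroups = @('DOMAIN\HelpDesk'),
        [switch]$ExtendSchema   # run once per forest, as in the video
    )

    # Step 1 (once per forest): adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
    if ($ExtendSchema) { Update-AdmPwdADSchema }

    # Step 2: computers in the OU may write their own password/expiry attributes (SELF).
    Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

    # Step 3: delegate read of the password attribute to the helpdesk group(s).
    Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ReaderGroups

    # Beyond the video: audit every read of the password attribute (event 4662 on the
    # DCs) so that helpdesk retrievals are attributable to a person.
    Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals 'Everyone'

    # Step 4: verify who can read passwords under the OU. Expect SYSTEM, Domain Admins
    # and the groups just delegated; any other holder is something to investigate.
    $rights  = Find-AdmPwdExtendedRights -Identity $OrgUnit
    $holders = @($rights | ForEach-Object { $_.ExtendedRightHolders })
    $missing = @($ReaderGroups | Where-Object { $holders -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Delegation missing for: $($missing -join ', ')"
    }
    return $holders
}

function Test-LapsClientPolicy {
    # Run on a client after gpupdate: confirms the LAPS GPO values the video sets.
    # Registry path/values are the standard LAPS v1 policy keys (not from the video).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                            -ErrorAction SilentlyContinue
    if (-not $pol) {
        return [pscustomobject]@{ Applied = $false; Reason = 'AdmPwd policy key absent' }
    }
    [pscustomobject]@{
        Applied         = ($pol.AdmPwdEnabled -eq 1)
        PasswordLength  = $pol.PasswordLength       # video sets 14
        PasswordAgeDays = $pol.PasswordAgeDays      # video sets 30
        Complexity      = $pol.PasswordComplexity   # 4 = upper, lower, digits, specials
        AdminAccount    = $pol.AdminAccountName     # empty = built-in Administrator (RID 500)
    }
}

function Get-LapsPasswordRecord {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The same call the video makes from PowerShell; the object carries the current
    # password and the expiry timestamp written by the client-side extension.
    Get-AdmPwdPassword -ComputerName $ComputerName |
        Select-Object ComputerName, Password, ExpirationTimestamp
}

# Usage on the management machine (first run needs -ExtendSchema):
#   Invoke-LapsDelegation -ExtendSchema
#   Get-LapsPasswordRecord -ComputerName 'PLACEHOLDER-PC'
# Usage on a managed client after gpupdate /force:
#   Test-LapsClientPolicy
```

The verify step matters more than the delegation itself: Find-AdmPwdExtendedRights reports every principal holding the "All extended rights" permission on the OU, and a holder you did not expect (a legacy delegation, a broad group) can read every local admin password beneath it. Re-run that check whenever OU permissions change, not only at deployment.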
Info
Channel: PeteNetLive
Views: 101,154
Keywords: Article 0001059 KB0001059, Microsoft, LAPS, Local Administrator Password Solution, Admin, pass the hash, AD, ms-MCS-AdmPwd, ms-MCS-AdmPwdExpirationTime, RSAT, GPMC, Group Policy, GPO, settings, deploy LAPS, via GPO, package, documentation, GPO Extension, MSI, AdmPwd, Import-Module, Update-AdmPwdADSchema, OU, Set-AdmPwdComputerSelfPermission, OrgUnit, Find-AdmPwdExtendedRights, Identity, Group, permissions, view password
Id: 78SE1DYIaxo
Length: 12min 27sec (747 seconds)
Published: Thu May 07 2015