How To Automate Changing The Local Admin Password (LAPS)

Captions
Hello there, welcome back to part 11. In this tutorial we will look at automating the built-in admin account password. That matters if you have five thousand, three thousand or two hundred computers in your Active Directory environment. If you remember, we have configured the same in our Active Directory; just look here under our HR organizational unit: we created a local admin account policy for the built-in admin account. As soon as the user logs in, the local admin account should be enabled and renamed to ITSupport$. So this group policy we normally apply to all our client computers, and we set this central password, say 123456. This password will be the same for all your thousands of computers. If one computer gets compromised or hacked and the hacker manages to decrypt your local built-in admin account hashes into their original form, that is 123456, your entire infrastructure will get compromised.

So Microsoft came up with the new solution called LAPS, Local Administrator Password Solution, also known as the local admin password solution. So what is this solution designed to do? The password must be unique on all computers and random; it should not be the same, it should be unique on every computer, and it should generate the random password on its own. The password must not be guessable from the name of the workstation or the MAC address. There must be a way for eligible people, that is IT staff, to easily know the password when it is necessary: normally a user calls you for some troubleshooting, and you have to log in, or run an application, or provide the solution with the admin account only, so at that time this solution should make it easy for IT people to get the local admin password to provide the solution. The password management solution must scale to support thousands of computers. The password management solution must be easily deployed and manageable. The password management solution must support renaming of the built-in administrator account; here our case is the same, we have renamed the built-in account, so it is going to support that. The password management solution must offer a mechanism for bulk password change when it is necessary; that is self-explanatory. The solution must be able to correctly handle the situation when a computer is disconnected from the corporate network, that is, not change the password when it is not possible to report it. That means if you remove that computer from your Active Directory, it should not change its password later on, so you will know the last password is this one, and once the computer is disconnected from the Active Directory domain controller the password will remain the same because it is no longer part of your domain. The operating systems supported are XP, 2003 and above, and both 64-bit and 32-bit architectures are supported.

So let's move ahead to this documentation, which I have downloaded from the Microsoft website; the link is mentioned in my description. This is the local admin password operations guide. It says a bunch of changes are required in your Active Directory: you have to make lots of changes in your schema, in your attributes, in your permissions (read permissions, write permissions and reset permissions), and also these are the old steps; it is difficult here, so don't worry, we'll make it easy. The first step is to download the application. I have already downloaded it on my desktop, in LAPS. This is the application; let's install it. I have already installed it here, on my workstation; let's install it again so I can explain this thing to you. Do not close the application; it may ask to restart. It is saying restarting and all, no problem; I don't want to remove it because again I would have to restart my server, so let it be as it is. I have already installed this application which is here, okay, you just have to run setup. Once you are done, this is the screenshot: Next, and here it says fat client UI, AdmPwd GPO client-side extension (this component is required to install the managed client), the PowerShell module (required to install the AdmPwd.PS scripting), and the last one is GPO Editor templates. Click Next, Install, Finish. So it will look the same on your server side. But on the client side as well you have to install the same application with this scripting; or else you can just copy the file AdmPwd.dll and register it, which is a little difficult because I do not want to create a script now. So let's create a group policy here under HR, because as you can see all my computers are under the HR organizational unit. I have already created a LAPS package and a LAPS group policy for you; they already exist. This is the existing LAPS package; right-click, Edit, and under Software we can deploy the application, which is an MSI, with this option. Share this folder with read-only permission, that is enough, and assign the path here by right-clicking New. I have already shared this folder; the UNC path is \\PDC\installer\64-bit. Assign, refresh, the group policy is being applied here, refresh, and then update the group policy with gpupdate. The group policy is updating now; restart the computer once. So we have installed the application on the server side; second, we deployed the package on the client side to be installed.

As soon as the installation is done we should be able to see it in Control Panel, Add or Remove Programs; this application should appear here. So let us cross-verify this; just wait, it is taking a little time. This should be installed on the client side. There are a few ways: you can create your batch file and assign this path, so here you just have to change your shared folder path to the UNC path; or else you can copy this file, which is already installed on your server side (you can find AdmPwd.dll there), and register it on your client side through scripting. So the best way is what we have chosen, the software deployment option. Now we have to log in here and the package should get installed. Let's check in the Control Panel. All right, it is here now; the local admin password management solution is installed. So this step is done, we have cross-verified it, and now it is time to modify the schema in your Active Directory. One more thing, guys: if you are following along with this tutorial in your production environment, you should try this in your virtual lab first. Don't deploy this thing in your live or production environment, because the changes we are making here may not be reversible; you will encounter errors and problems, so better to try it in your virtual lab. So let's modify the schema. First we have to import the module; as soon as we run these commands it will add the ms-Mcs-AdmPwd attribute and the expiration time attribute in your Active Directory. So the first option, import: we have to import the module, Import-Module AdmPwd.PS, hit Enter, done. Then you have to update your schema with this command; the command is mentioned here in the document, so just hit Enter.

Here it has added the schema attributes called ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd, and modified this container. So let's go ahead to the second step. Note: if you have an RODC, things are different here, but we don't have a read-only domain controller in our environment. So now the permissions: removing extended permissions. Again I'd like to mention this document I have downloaded from the Microsoft website; the link is mentioned in my description; you can download the same and refer to the same documentation. Removing extended rights: that means to restrict the ability to read the password to a specific user or group, you need to remove all extended rights. That says when you deploy this solution, later on only specific people, your IT people or admins, should be able to read the password, not the rest. So for that you have to cross-verify whether the extended rights are applied to Everyone; if they are, that means every normal user can also read the confidential attributes, they can also find out what the local admin password is for the HR computers. So for that it says open ADSI Edit. Let's go ahead: ADSI Edit. Here is the attribute you want to remove the right from. Right-click, connect to your server; it should be the default naming context. What we are exactly looking for here is our HR organizational unit, because our computers are contained there. So let's check HR: right-click, Properties, Security, Advanced, and check the permission for Everyone here under Effective Permissions. Everyone has View permission. Where is "all extended rights"? Here it is; they don't have that permission. Let's check for others here, admin, which is the built-in admin account; he should have the permission, and they do have it now, so our permissions are proper. In your case you can check, if you want to cross-verify, that only the respective user has read or write access to the password attributes; we will see the same later. This is another way to check the same permission from PowerShell; we already checked, so we don't have to run this command again.

Now it says set the write permission on these attributes which are already added in Active Directory, ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd, of all computer accounts; it has to be added to SELF, the built-in account, and so on. That means you have to set a self permission for these computers so they can generate their password automatically; we have to say, hey, you have permission now, you can generate it on your own. So let us assign the permission with this command, Set-AdmPwdComputerSelfPermission, for this organizational unit; in our case the organizational unit is HR. So let's go ahead and type Set-AdmPwdComputerSelfPermission -OrgUnit HR and hit Enter. Okay, so permission has been delegated to this organizational unit; now computers are permitted to self-update their own passwords. Now we have to add a right for the admin or IT groups, so we have to allow them to read and write the permission. Suddenly the server has restarted, so let's just wait; I don't know, I guess a security update is going on; it shut down. Let me pause this video and we will resume again as soon as the system restarts. All right guys, the system started again; due to some patches being installed it restarted automatically, it actually got shut down. So let's continue from where we were.

We were just about to add the read permission to the respective users who should be able to read, write or reset the passwords of the clients, the HR computers. So here we have to add the permissions. Let me open PowerShell again and import the module AdmPwd.PS. This is the command to add the read permission: Set-AdmPwdReadPasswordPermission, with the organizational unit name and the allowed principals, your user or your group name. In our case we want to allow admin to read or reset the passwords for our HR organizational unit computers. So for this OU let's go ahead and type Set-AdmPwdReadPasswordPermission -OrgUnit HR -AllowedPrincipals Administrator and hit Enter. Bingo, it is working fine; the permission has been delegated for administrator. So in the second step we have added a read permission; now admin can read the passwords of these computers, the computers which will change their password automatically. Only admin can read their password now, not anyone else. If you have groups, different groups, you can add your domain name and mention your group name; in our case we just want to add one user here, which is administrator. Now adding the write permission on this attribute. To add the write (reset) permission this is the command, Set-AdmPwdResetPasswordPermission, and you mention your organizational unit and your administrator account name or user name; in our case administrator. Let's add the write permission for ms-Mcs-AdmPwdExpirationTime. So let me change this first: Set-AdmPwdResetPasswordPermission -OrgUnit HR -AllowedPrincipals Administrator, hit Enter. Fantastic, it is working.

So just now what we did: we assigned read permission on the HR organizational unit to administrator, so administrator can read the passwords of HR computers; that is the read permission. And here the reset permission, so now administrator is able to reset the password of HR computers. It is very simple. The same thing if you have groups: you can add the groups here instead of your users; for example, your domain name backslash your group name. All right, the PowerShell part is done; now it is time to configure the group policy. Open the group policy for HR; right-click, set the group policy here, type LAPS settings, LAPS password. So this is the LAPS password policy here; let's right-click, Edit, and check the password attribute. Open it; it was under Administrative Templates, you can see the AdmPwd password settings; the complexity (large letters plus the rest) you can select from here; the length should be 12 and the password age in days is 30. You can change it; you can say every one day or every two days; let it be 60 here in my case. Customize administrator account: this is the same; we have changed the local administrator account name, which is ITSupport$, so we don't have to configure this option. It says administrator account name: the name of the local admin account you want to manage; do not configure when you use the built-in admin account, it is auto-detected; that says it will automatically detect it if you have just renamed it. If you have not touched your local built-in admin account and you have created a different one, you can mention the customized account name here which you have created on your own. In our case we just renamed our local admin account to ITSupport$. Let's close it. Do not allow password expiration time longer than required by policy: it says when you enable this setting, planning a password expiration longer than the password age dictated by the password settings policy is not allowed; so let it be as it is. Enable local admin password management: just enable it, so the user will be able to change his password automatically.

Enough now; refresh, go back to your Active Directory and check your computer now. Just refresh it once; the attribute which has been added, where can you see it... the attribute has been added, ms-Mcs-AdmPwd. We already saw in the previous slides that we could not see the attributes, because Advanced Features was not enabled; now you can see the attributes in the Attribute Editor, ms-Mcs-... see, the password has not been set yet, nor the expiration date. It is visible here because we added the attributes through PowerShell; now it is added, but the password is not visible yet because the policy is not yet deployed. So apply the policy: we have already configured the group policy here under HR, the local admin password policy. So just refresh once, update your group policy here: gpupdate /target:computer /force. As soon as the policy updates, the computer should generate the password automatically and report to Active Directory: hey, I have generated this password. So let's check from Active Directory; it says the policy has been updated successfully. Group policy refreshed; again right-click, Properties, Attribute Editor, find ms-Mcs-AdmPwd: see, the password has been generated here now; before it was not, but now it is visible. So let's cross-verify whether it is working properly. Let's open mstsc, Remote Desktop Connection. What is the computer name? It is WS2, workstation 2. So the local admin account on WS2 is ITSupport$, and the password I just copied from here; let me copy it again, copy and paste it here, I just pasted it with Ctrl+V and click OK. We should get the certificate error now, so that means we are good to go. Normally it does that, if you have experience with Remote Desktop. Meanwhile let's check whether the computer is allowed to take remote connections; let's type the administrator account password here to try remote. Okay, remote is again a bit slow here, let me close. See, now we have the error, so that says we are good to go; we can say Yes and go ahead and connect to this remote computer. That means the password is working fine now. So let me minimize this one.

And there are other ways: now if you have hundreds or thousands of computers in your Active Directory environment and your local IT says, hey, I want the password for WS500, the workstation name of that computer, again you have to come here; let me close this remote connection. You have to find that specific computer among hundreds or thousands of computers, then again go to Properties, Attribute Editor, and find ms-Mcs-; just type ms-Mcs-. Okay, there is no such workstation added here; we just added workstation 2, so it is not here; you have to go here and find the attribute. Again it is a little difficult. So you can get the same computer's password, WS2, from PowerShell: type Get-AdmPwdPassword -ComputerName WS2 and hit Enter. Here is your computer name, the distinguished name of your computer where it is located, this is the current password in clear form, and this is the expiration date. If you are not interested in working in PowerShell to write this command, we have this tool installed already here: type WS2 and search, you can get the password here and this is the expiration time; the new expiration time you can set here. I hope you enjoyed this video. If you have any questions or queries, you are free to type your comments, and you can get back to me with your comments; I will try to answer the same if you get stuck in this, because it is not easy to deploy these solutions. So we have just now finished this point, automating the built-in admin account password. Thanks for your time; like and subscribe for more videos.
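The delegation procedure the video walks through by hand (schema update, SELF permission, read and reset delegation, the extended-rights check done in ADSI Edit, and the Get-AdmPwdPassword lookup at the end) as one script. This is an added example, not the video's own commands or Microsoft's sample code; it assumes the AdmPwd.PS module from the LAPS installer is present on the machine, that the OU is named HR as in the video, and that the principal names, the expected-holder list and the computer name WS2 are placeholders you replace for your environment.

```powershell
# Added example (not from the video): end-to-end LAPS delegation for one OU, plus the
# extended-rights audit the video performs in ADSI Edit, done in PowerShell instead.
# Assumptions: AdmPwd.PS is installed; OU "HR" as in the video; principals, expected
# holders and the computer name are placeholders to be replaced.
param(
    [string]$OrgUnit = 'HR',                            # OU holding the managed computers
    [string[]]$ReadPrincipals  = @('Administrator'),    # who may read ms-Mcs-AdmPwd
    [string[]]$ResetPrincipals = @('Administrator'),    # who may write ms-Mcs-AdmPwdExpirationTime
    [string[]]$ExpectedHolders = @('Domain Admins', 'Enterprise Admins', 'SYSTEM'), # assumed defaults
    [string]$ComputerName = 'WS2'                       # computer to verify afterwards
)

Import-Module AdmPwd.PS -ErrorAction Stop

# 1. Extend the schema once per forest: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
#    to the computer class. Needs Schema Admins; harmless to re-run.
Update-AdmPwdADSchema

# 2. Let every computer in the OU write its own password and expiration time (SELF),
#    which is what lets the client generate and report the password on its own.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# 3. Delegate reading the clear-text password and forcing a rotation to the named principals.
#    Groups work too: pass 'DOMAIN\GroupName' instead of a user.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $ReadPrincipals
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ResetPrincipals

# 4. Audit: any principal holding "All extended rights" on the OU can read the confidential
#    attribute regardless of step 3, which is the Everyone check the video does by hand.
#    Report holders that are neither in the allowed lists nor in the expected defaults.
$allowed = $ReadPrincipals + $ResetPrincipals + $ExpectedHolders
$findings = @()
Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        $name = $holder -replace '^.*\\', ''        # strip the DOMAIN\ prefix for comparison
        if ($allowed -notcontains $name) {
            $findings += "$dn : $holder"
        }
    }
}
if ($findings.Count -gt 0) {
    Write-Warning "Unexpected extended-rights holders (remove before relying on LAPS):"
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No unexpected extended-rights holders on $OrgUnit."
}

# 5. Verify after the client has applied the GPO (gpupdate /target:computer /force on the client).
#    Only report that a password exists and when it rotates; never write the password to a log.
$pw = Get-AdmPwdPassword -ComputerName $ComputerName
if ([string]::IsNullOrEmpty($pw.Password)) {
    Write-Warning "$ComputerName has not reported a password yet; check the GPO link and the CSE install."
} else {
    Write-Host ("{0}: password set, expires {1}" -f $pw.ComputerName, $pw.ExpirationTimestamp)
}

# 6. After a password has been handed out (e.g. to a helpdesk user for an RDP session), expire it
#    so the client rotates it at its next policy refresh instead of waiting for the age to elapse.
# Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
```

Run it once on a domain controller or management host as a member of Schema Admins (step 1) and Domain Admins (steps 2 and 3); later runs can skip the schema step. The audit in step 4 is the part worth keeping as a scheduled check, since a later delegation on the OU can silently re-grant extended rights and with them read access to the password attribute.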
Info
Channel: ITPandas0011
Views: 8,038
Keywords: LAPS, active directory, windows 2012, windows 2008, Group Policy Modeling, USB restriction, USB BLOCK, removable block, Cd rom block, adc, ospf, bgp, dhcp dns, windows hacking, beginner, mcse, mcsa, MMC console, MMC shortcut, Eli the Computer Guy
Id: uOxSysHX6zM
Length: 30min 34sec (1834 seconds)
Published: Sun Jun 19 2016