PDQ Live! : Configuring LAPS and PDQ

Captions
Hello everybody, I'm Chris. I'm Brigg, and welcome to the live cast. Yep. Today we're going over a much, much requested, awesome feature. So awesome. Yeah, so LAPS, that's what we're going over today. It's a wonderful Microsoft product that was released a few years ago to help manage your local administrator accounts. It's just Local Administrator Password Solution, something I'd never remember. I know, it's LAPS, LAPS. So yeah, I know we do have a lot of stuff to cover today, let's just jump right into it. Yeah, go. All right.

Okay, so in the bonus content, I believe, if I am correct, we have a KB that we've written on how to use Inventory with LAPS, but first what we're actually going to show you is how to install LAPS into your environment, and we're going to do that two ways. There's the Microsoft way and then there's the Chris way. Both ways are actually Microsoft ways, but Chris has got the easy way, and this is kind of more of the traditional method. So what you do is, you could just look up "Microsoft LAPS" and it'll have the download, it's one of the first things out there. Also there's content, yeah, yep, there's LAPS there. And what it installs, or not installs, but what you download are these things right here, those four things. So we're actually, five things, sorry, four plus one. Yeah, four plus one. What you're going to need to do, just as a general overview, is install the MSI on a management machine, which we've done, and then you install this throughout your organization. Hey, forgive my ignorance here, guys, but on a management machine are we talking like a DC? I would never recommend installing this on a DC, simply because I don't like installing anything on DCs. I would choose your PDQ admin machine or just your everyday workstation to be the management machine, because it doesn't really manage LAPS, it basically just allows you to interact with LAPS. Okay, yeah, because it's actually managed by a GPO. But on that note, though, these MSIs do include the administrative templates with which to push out that GPO, so you will need to get those on your DC at some point. So yeah, and we will show you how to do that.

All right, so basically what I'm going to do is, this is going to be our management machine. So we're doing this live, so cross fingers. Our destruction, I don't know, dude, you just cursed it. Oh, we lost. And your ability to put this on here, I think I explained, you ran it, it ran at once. Okay, it looks like, good, we got the fat client. Oh yeah, because I wasn't seeing the PowerShell module. Yes, oh that's right, we had to install that. Okay, so we're not going to worry about the GPO Editor templates, because we don't have any RSAT tools on here. The GPO extension here, this is actually necessary for the management machine, so we are going to install that here. So this is typically what you would do on your management machine, install these items here. Oh my gosh, it's so fast. Yeah, it's a pretty small download. Yeah, and Microsoft has done an excellent job with LAPS. They've done a really good job, this is a pretty solid product here, and they've got really great documentation as well.

Okay, so the next thing we're going to do, now that we've installed it on the management machine, well, there's a couple of steps that you need to do. You're going to want to remove extended rights in ADSI Edit, and ADSI Edit really is the best place to do this. It is, yep. It's pretty basic on that and the instructions are pretty clear. We don't need to do that, because if you've got a default setup those extended rights only exist on Domain Admins as it is, so you should be okay. It's true. And if you have any questions about doing this the way that Brigg is going through, this Operations Guide really walks you through step by step the entire process, from what we just did now, which was installing the MSI by hand, all the way to the cool stuff, which you know is synonymous with PowerShell. Yes, actually there's a lot of PowerShell, and then of course there's your PowerShell, all right. So then all we really need to do after we've done that, and removed the extended rights, is import the PowerShell module. And you kind of want to show them the PowerShell stuff? I do, okay.

Yes, so just before we dive into this a little bit, for those, I mean, if you know what LAPS is when you're coming into this webcast, that's great, fantastic, maybe you have it configured. If you don't, really what it is is about having a local administrator account on all your domain-connected machines that has a randomly generated password that rotates on a schedule, so that if one of your machines' local account gets compromised, you don't compromise your entire fleet of machines. And that's an important thing to remember: the password itself is actually controlled by the machine. It is not controlled centrally anywhere, it's controlled by the machine. So when you say controlled by the machine, it's like the machine that you've just installed that on is controlling it at that point? Yep, basically, yes. So it controls the password, so that password is generated by the machine, each individual machine. So even though you're using something like lapsadmin as your user, that password is different on each machine. So it's, okay, you've got LAPS installed, I've got LAPS installed, the passwords are going to be different. Oh okay, yeah, excellent.

One of the security, and this is really a question, in fact I was going to save this for later, but this is a good time to address this. LAPS, when you install this MSI, installs a client-side extension for Group Policy. What that means is that it does all its logic locally on this machine before it reports back to your domain controllers in Active Directory. So what happens is, when there is a request for a password change because of an expired password, it'll actually set that password locally on this machine and then tell Active Directory what has happened: here's my new password. So it doesn't actually get managed by Active Directory itself, it gets managed locally on each machine and then published to Active Directory. This might be a good time to bring up how that password is stored in Active Directory. Clear text. Oh, scary. Yeah, I could imagine some puckering right now. So yeah, most of you probably do the same thing, there's a flag in your mind that says oh my goodness, clear text, what's wrong with you? Well, nothing. Active Directory is managed from ACLs, we're talking about access control lists here, so if you have the rights to be able to read a password, you can do this. So let's just dive on in. We have a question before we do get started though. Okay, okay, awesome.

So we're going to go with this PowerShell we have up right here. I have broken it down into four steps. This is in the bonus content. Essentially each one of these scripts includes the import of the module for managing LAPS, but you don't need that for every single script if you've already imported it for the session. But essentially LAPS extends the schema with two new attributes. So there is a wonderfully complex command, note my sarcasm, called Update-AdmPwdADSchema. When we just run this we go, yeah okay. So we're going to do this on this computer, find out what happens, run this script, or F5, done. Look how fast that was. It just added those two attributes. Those are the attributes that store the password in clear text as well as the expiration date for the password. So that's it.

Step two. So now that we've created those fields we actually need to verify who has rights to read that password, right, that's what Brigg brought up earlier, which is the extended rights. You can verify that based off this cmdlet called Find-AdmPwdExtendedRights, and then you specify the OU that you target for setting up LAPS. Here, since we have not deployed this to any OU on web, we actually don't even need to worry about this, already did that in ADSI Edit, so we're good. So we can do that, if you're familiar or not, let us know, we can walk you through it, but it's in the documentation for LAPS. It really is super easy. In fact I'm going to pull that up real quickly just to show you what one would look like. You scroll down a little ways, I know this is exciting to watch live. So you're basically saying Chris can read? Yes, sometimes, as long as it has to do with me and it promotes PowerShell or corgis and their rights thereof. So do corgis have rights? Ah, not as many as humans, but they do. Okay, but they are extended rights? Nah, I guess the legs are extended anyway, but the bodies are, yes, chunky little corn dogs. So, removing extended rights, there's a section about that in here, opening ADSI Edit, how to do that, because those rights are what give people, excuse me, user accounts, the ability to read the password, so you do want to keep a good lock on that. So, you know, ADSI Edit, every time you say that I have a little pucker, because if you do that wrong, yeah, stuff is gone, hands down, be careful. Yes, it's a dangerous thing because it's powerful. Yeah, you do something wrong in ADSI Edit and suddenly stuff blows up. Yep, bad. So when you run this you can find out who has rights and then you can go remove them. You can do it in PowerShell, but it gets a little more complex, and so I'd save that for maybe a PowerShell blog or something perhaps in the future.

So step three, now that we've removed rights, we need to add the rights for the machine. Remember, LAPS runs locally on your machines inside your domain, so it needs to have the ability to update that in Active Directory. That's what this command does. It says this computer has the rights, in this particular OU, to keep my password updated. So we actually changed that OU to Web_Computers. Great, Web_Computers. So here we go, live, we love this. Yeah, we run this, there we go. All computer objects that are in that OU now have the ability to properly talk to us and give us their passwords, because that's what we do, because we're control freaks. Ooh, that's the noise when it runs right, boom, yes, and when you do it a lot of times it sounds more like the Death Star. Anyway, so do we have a question? Dear Brigg and Chris, is there a way to customize LAPS to only apply to certain OUs within AD? Sincerely, Mary M. That is exactly what we just did. Yep, thanks, question answered preemptively. And if you're using the manual method and you actually do the Group Policy, you can obviously just drag the LAPS policy, and we will show you that in a minute, you just drag that up to whatever OU you want. But this is where you define that, and it does need to match, in this case Web_Computers. Yeah, you can specify as many as you need, as many OUs as you're going to manage, comma delimited, right? Yes. And at this point you can also have different local admin accounts. So by default, and here we're going off on tangents, when you set up LAPS initially it will use, without further customization, the local Administrator account, the one with the well-known SID, and that's all fine and dandy if that's what you're using, but most places have that disabled by default, so you need to have a separate account created. In our environment we created an admin called lapsadmin, which seemed delightfully creative and appropriate. Almost guessable, I know. So Brigg, are you going to show us the GPO thing? Yeah, but, so then once we get through, oh sorry, I'm excited to get to the GPO, it's the good stuff. We got a plan, yes. This is the setup, and then the reading from it, and then the GPO is how you enforce it. Yes, it's fun, this one. So this is where you define those OUs that you're going to manage, and you can manage multiple OUs and you can have multiple different admin accounts on your different machines for whatever requirements you have. You just can only have one LAPS account per machine. So that's step three.

Now step four is giving those rights to users within your domain, the ability to read specific accounts, like, this one we did was Web_Computers. Yeah, I'm going to copy this, otherwise I'm probably going to fat-finger and mistype this. So you can actually give rights to reset the password, or rights to read the password, or both. In this case what we will do is both. So the allowed principals is the users or groups that you want to have the ability to do this. In this case, admins, I think LAPS Admins, to be creative, a group called LAPS Admins. So I don't know, we have the DC open possibly, let's find out. Is this guy? Yes, it is. Good, I'm good at clicking, had a lot of scotch, it's great. So where are you going to go? If you were a user trying to figure this out, oh yeah, the groups, Active Directory Users and Computers. With this I'm just showing you, sorry. Anyway, so here we go, we're going to dive down and see if we actually have that created. It might be a second. Yep, I'm doing things. You are doing things, sorry. Oh, I clicked on Domains and Trusts, see, this is why you let me drive. Oh geez, okay, so never mind. Yep, there. So where would we put this? We would have put this probably in Users. Oh no, I think it's not, no, Web Admins, think so, let's find out, LAPS, we'll search for groups, oh no, nope, guess not, Users, this is great, search Users, members, LAPS Admins, yay, us. So anyway, cool, we have a group called LAPS Admins. Yeah, we just found that out live, it's wonderful. I'm like, I knew it, but I just wasn't sure. So we're going to use that as the group, and you can specify multiple by separating them with a comma, and we do recommend that you use security groups rather than specific users, because the management of specific users becomes terrible, especially when you're dealing with something like this. Yes, so in this case we're going to give the LAPS Admins group the ability to read the password and to write the password. So we're going to run this. Yes, hooray.

So while that's running, so you guys set this up on your machines, I set it up on my machine, you allow me the access to be able to go and do that, yep, so I can see that. But what if I did it first and I didn't want you guys to be able to get in? Would I be in charge of that at that point if I set it up first? So I install LAPS, yes, I get the setup, I, you know, anything, I answered my own question, it's a dumb question, let's just move on. Wait, okay, it controls itself, yeah, that's okay, this is good. All right, so it kicks back to Active Directory. But one thing to know, if you do this manually, and the install as part of our package, as a tangent here a little bit, when we install LAPS we have a package created to install it. There's a 64-bit version and a 32-bit version here, but we also add a third step to do a gpupdate. Two reasons. When you first install LAPS you can specify, as one of the parameters, to create that user account that we're talking about here, lapsadmin in this case. When it does that, from the time it's created to the time that you have your next update from Group Policy, that password is known to nobody. You can't use that account. It's set randomized and you're waiting. Once that update kicks off, this gpupdate, what'll happen is that machine will say, oh, I have gone past my expiration, in this case there's no expiration because it hasn't been set yet, and I'll say I need to reset it, or set it locally, and kick that response back to Active Directory, and now they're in sync, as per each update.

Question, a question for you guys. Hey everybody, this is Shane. So you're talking about these client-side extensions, yes, feel free to use PDQ Deploy, thank you. Is there a minimum version of Active Directory, like 2008 R2, 2012, that these client-side extensions would not work with if you go back too far? Yes, it is 2008, not R2, but 2008, I believe, doesn't it? Yeah, yes. You can actually get this to kind of work around in XP, but don't. They actually have on Microsoft's website the ability and the directions to do it for XP, but don't, it's still not supported. But essentially Vista and Server 2008 and higher is what's supported. Now running the fat client, which we'll show you how to do in a sec here, for actually requesting the password, that requires .NET 4 I believe, and that's the only requirement. I still think it's somewhat humorous that you'll have organizations that spend so much money and time upgrading all of their client operating systems, hey, we are now minimum Windows 8.1, yet they're still running off a 2003 Active Directory. Yeah, their forest functional level is still, it's not even R2, it's 2000. Yep, that's very common.

So in any case, that's really all there is, that's how you set this up for LAPS from PowerShell. I do have two more scripts in the bonus content, one is to read the password of a given computer and one is to reset the password for a given computer. That's really how simple it is from PowerShell. I want to know the password for a given computer here on web. We just barely installed it, so there's no computer on web to run this on, but it would give me a password. But something to be aware of is it gives you that back in what's called FILETIME, I think, I forget, whatever has to do with the NT time epoch. If you've ever used Win32 time, yeah. Before we get too far down in the weeds, now we've got to take this as read, there's still something they have to do in Inventory, yes, and a particular version of Inventory, yep. So I say we move right over there. Absolutely, all right.

Okay, so do we want to show the Group Policy of it? Well actually we have to deploy all of this before we go to do Inventory. All right, so to do so, just so you know this is just a really small download, each one of these files is only about a megabyte in size, so don't worry about long installs. It's not an agent, again, it's just the client-side extension for Group Policy, so there's nothing running, there's nothing going on, it's just giving the computer the ability to communicate back with Active Directory. Uh, we need the Rick and Mortys. Oh, we have those, yep, some. While we're getting this set up, we have a lot of Rick and Mortys, I guess. Directions, so in here, obviously you have to have the CSE on all the machines before you can scan them with Inventory, is that what you guys are saying? If so, yeah, if you're going to use LAPS, yes, you do. Okay, so at this point we are setting up our LAPS so you guys can show us LAPS in Inventory? Yeah, yes, noop noop, there we go. So what we're going to do right now is we're getting LAPS installed on all those machines, and what's going to happen is, it's part of our package, it's going to install either the 32-bit or the 64-bit and then it's going to kick off a gpupdate to say hey, I'm new, I haven't had my password set yet, set my password, kick that off to Active Directory. At that point now you have that local admin that has this wonderfully complex, randomized password that you can then use in your normal day-to-day as a backup or whatever you're using it for. In this case we actually have this wonderful feature upcoming in Inventory, the recent beta right now, check it out, that allows you to use those LAPS credentials for your machines. So that is what we are getting to, is that called a teaser? There it is. We're getting to it right here, but before we get to that we're going to take your policy, yep. Because obviously if we're going to run a gpupdate we have to update our policies, yes. So assuming that we did everything correctly, we're going to do this while he's diving for that. There are a few different Group Policies that you can set. One is to enable LAPS or not. One is to define the local user account that you're going to manage, in this case we're going to set it to lapsadmin. There's the ability to set the expiration date for the password. There's a lot of cool stuff here.

But while he's doing that, we have a question we can cover. Dear Brigg and Chris, are there any issues with clients that aren't on a domain regularly? We have computers in the field that are only connected back to our network infrequently via VPN, so AD may show the old password after the timer runs out and not reveal to me the updated password. Sincerely, Michael U. They've got a great football team, Michael U. Hello, Mike, Michael, yes, I don't know if you're called Mike. I got this question, okay, this is why you're doing stuff. It is a great question, in fact, because this is all run locally on the target machine, each of these machines that you're installing this client-side extension on. The great thing is, even if you're not connected to your Active Directory, even if you're having trust relationship issues, it's not going to kick back and update a password, because it can't request it. You need to communicate with Active Directory to find out that you're there. Once you're there and it knows you're there and you're doing this Group Policy update, it's going to say okay, I need to reset my password, and then it resets it and sends it back right then and there. So talking about machines that are flaky, infrequently on and off your network, not a problem, because they're not going to update until they get back on your network, in which case when they do, you'll have that updated password, which you can view from PowerShell, from the UI that's included with the MSI, or straight up from Active Directory if you open up the computer object itself, as one of the attributes. So great question, but they actually took that into consideration when developing this. Right, that makes sense, yeah, good.

All right, so you know the beauty of live television, or live video, is that sometimes things don't work right, but that's okay, because we can actually show this policy. All right, so this is the fun part, things didn't work right in the background there, so now we're going to show you how to troubleshoot when things don't work right. Well, we can actually publish your GPOs for a while, but yes, we're actually off script. So once you've installed through the MSI, what it does is it installs the ADMX files, the last option on that. Yeah, you will see this in Administrative Templates, and this is the beauty of how this works. So this first one here does password settings, so when you enable this you can change your length to whatever you would like, 25, 40, doesn't really matter, and then the password age, and again referencing that back, once that password age is hit it will not update until the next gpupdate, which usually happens once an hour. All right, next setting, and this is the name of the administrator account to manage, so we're going to do lapsadmin. And if you do not set this setting it will use the built-in Administrator account for each machine. Okay, next after that, and this one is "do not allow password expiration time longer than required". So basically if you're an admin you can set that time for longer. This is proposed so that Joe the shady admin doesn't set the expiration policy to, you know, 2030. Don't do that, yeah. So all right, this last one, local admin password management. Got a question, yep.

Dear Brigg and Chris, I saw that users can request a reset through LAPS. Does it allow them to change it themselves if desired? Thanks in advance, John D. Only if you've explicitly allowed that, bingo, yeah. And so they can request it if they have the permissions to, based off that PowerShell command that we ran to give them the rights to do that. If they have the rights for that machine and that OU to request that, yes they can. But if they don't have the tools to do that, even if they have the rights, they're going to have a difficult time doing it, because they're either going to need the PowerShell module to do it, or the actual client itself, or they're going to need access to Active Directory to go request it. But if they don't have those, or the rights, no, they cannot.

All right, we've deployed successfully, yeah. Inventory, here we go, here's the fun part. We've been building up to this for the entire webcast. All right, so like I said, we've got that document out there that basically does all of this. We're going to do Credentials. This is where you add the LAPS password. This is Deploy, yay Deploy, it's the one with the orange, I want the blue, Inventory, 14 beta 1, guys, yes. Credentials, and as you can see we've already added some LAPS accounts, but we can go ahead and we'll just add LAPS again, yeah, okay. So this is a LAPS user, so we know what that is, that's lapsadmin, whatever I set that, we're going to set that up for this domain. The username, this is a domain user, so this is not only just a domain user, but also the domain user that has read access to the password. Bingo, this is important. Yep, this kind of goes hand in hand with your last question, John. If any of your users have the ability to read or reset that password, they would be able to be set up here.

Yeah, I got a question: remote users, UAC, LAPS? No, not a problem. Okay, thank you for saying not a problem. Why is it not a problem? Because it's all done locally, so even if you have a restricted firewall set up, it's all done locally on that machine and then it spits out to Active Directory. It's not Active Directory actually forcing it down on those clients. And so usually with most firewall setups, granted this is going to be case by case, but most firewalls are very prohibitive for incoming traffic but not outgoing traffic, and so because it's all happening locally on that machine and then sending it outwards, no problem. I think the question that he might be asking, Chris, is when accessing computers using a local account, accessing the admin$ share, a protected OS share, remote UAC needs to be disabled. There's that registry key, yes. That's necessary, that's what you are asking, Lex, we'll see. And ultimately, streamlining this, but yeah, okay, I see where you're going with this and yes, because as a local account you need to have that LocalAccountTokenFilterPolicy, that's the setting we're going for, that's what needs to be set. Yes, you're correct. We have a KB, a wonderful KB that goes over that, look it up, look for our firewall rules and exceptions, I forget the title. It's also the admin share, like, yeah, if you just look up admin share in the search, or if you look up remote UAC, if you go to our support site and type in "remote UAC" then you'll find the document that tells you how to do this. But it is very important, if you're going to use local accounts, of which LAPS is considered one, that you disable remote UAC so that a local account can access the admin$ share. Very important, cool, especially when you're doing like cross-domain.

Okay, well I'm in suspense, we're going to do this. Okay, so we've already put it in. So all right, now unfortunately because of the GP little issue that we ran into earlier, we're actually going to have to use that one, but it's the same thing. It is. All right, so we use LAPS here also, yeah. So all right, and I'm actually, all right, so now we've also, but that's it, that's as far as the setup goes, so it's very easy: lapsadmin, domain, domain credentials, and that's it. Did you want to show that in Inventory 14 there was that Add LAPS, you were excited, you wanted to hurry to show that Add LAPS. We just did, we just did. Oh, I didn't visit this because it's that easy. Yeah, it's really that easy. So be aware, the one thing you actually want to do on those machines is change the scan user. We have it shown, but you can actually change the scan user to that newly created credential, yeah, point to your LAPS credential and you're good. Now when you run a scan on these guys it works using that local LAPS account. Now the cool thing about this is all the stuff you can do in Inventory, fantastic, but you can also do this with Deploy, because Deploy has this wonderful feature while it's scanning. So we can say, let's deploy this to a machine, in fact let's deploy to those machines we have highlighted. We'll actually do it with Tools here, go to PDQ Deploy, we're going to deploy just a dirt package here, see, fantastic. This option here, Use PDQ Inventory scan user credentials first when available. This is going to say use that LAPS user instead of this web domain user. It'll fall back and use that web domain user if the PDQ Inventory credentials fail. So if we deploy this, which means then they're going to have to have LAPS configured in PDQ Inventory, they'd have to have PDQ Inventory and have that configured for Deploy to utilize LAPS, yep. And kind of an important thing too, these two domains, the domain that we're deploying from and the domain we're deploying to, are completely disjointed. Oh yeah, I mean, they're on different VLANs, it is completely segmented, there is no knowledge, other than some DNS fun stuff that we did, there's no knowledge of each other. So we actually successfully deployed to a disjoint domain completely using the LAPS credentials from that domain. Brigg, it's just like Chris loves corgis, just the fact that you used the term "DNS fun stuff" gives us a glimpse into your life. Some might call it pathetic, I call it awesome. Okay, good, DNS fun stuff, that's the quote of the day for everybody who's listening, DNS fun stuff, yes. So just an ad here, with DNS fun stuff, I love it.

So if you're on the fence about this, about, you know, local admin rights, this is the direction Microsoft's going, yeah, yes, you should be doing this. This is something that you should definitely be doing. It is, yeah, you can't pass the hashes, so good. Yeah, it really is, this is the way you need to do this. It's managed locally, it's rotating, it's all the fancy stuff, just try it out. It's easy to set up, easily managed, and it ties in with our products wonderfully. So check out the beta, yes, definitely. Thanks for watching. I'm Chris, I'm Brigg, thanks for joining the webcast today. We would like to congratulate Mary M and Michael U, winners of PDQ swag, also Craig S, winner of our PDQ vintage floppy coaster. Send us your info at webcast@pdq.com and we'll get those out to you as soon as we can. Thanks again for joining us and we'll see you back here next week.
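The four-step PowerShell setup the hosts walk through (schema extension, extended-rights audit, computer self-permission, and delegating read and reset to a group), followed by the read and reset calls, the FILETIME conversion mentioned near the end, and the remote UAC registry value raised in the Q&A, as one added example. This is not code from the webcast or from PDQ's bonus-content scripts. The OU "OU=Web_Computers,DC=web,DC=local", the group "LAPS Admins", the managed account "lapsadmin" and the computer "WEB-PC01" are assumptions chosen to match the names used on air; the cmdlets are the ones the AdmPwd.PS module that ships with the LAPS MSI provides.

```powershell
# Added example, not code from the webcast or from PDQ's bonus content.
# Assumed names (not from the page): OU "OU=Web_Computers,DC=web,DC=local",
# security group "LAPS Admins", managed local account "lapsadmin", target
# computer "WEB-PC01". Run on the management machine with the AdmPwd.PS module
# (the "PowerShell module" feature of the LAPS MSI) and the ActiveDirectory RSAT
# module installed. Step 1 needs Schema Admin rights; steps 2-4 need rights on the OU.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU       = 'OU=Web_Computers,DC=web,DC=local'   # assumed OU
$Group    = 'LAPS Admins'                        # assumed security group
$Computer = 'WEB-PC01'                           # assumed target computer

# Step 1: extend the schema once per forest. This adds ms-Mcs-AdmPwd (the
# clear-text password) and ms-Mcs-AdmPwdExpirationTime (a FILETIME).
Update-AdmPwdADSchema

# Step 2: audit who already holds "All extended rights" on the OU. Every
# principal listed here can read ms-Mcs-AdmPwd, so remove unwanted holders in
# ADSI Edit before delegating anything.
Find-AdmPwdExtendedRights -Identity $OU | Format-List

# Step 3: let each computer object in the OU write its own password and
# expiration (grants SELF write access to the two attributes).
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# Step 4: delegate read and reset to a security group rather than to
# individual users. -AllowedPrincipals accepts several names.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Group
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Group

# Verify the delegation: the group should now show up as a rights holder.
Find-AdmPwdExtendedRights -Identity $OU | Format-List

# Reading a password. Get-AdmPwdPassword returns the expiration as a DateTime;
# reading the attribute straight off the computer object gives the raw FILETIME
# (100-nanosecond ticks since 1601-01-01 UTC), which needs converting.
Get-AdmPwdPassword -ComputerName $Computer | Format-List

$raw = (Get-ADComputer $Computer -Properties 'ms-Mcs-AdmPwdExpirationTime').'ms-Mcs-AdmPwdExpirationTime'
if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) }

# Forcing a rotation. This only moves the expiration in AD to "now"; the
# client-side extension changes the password at the machine's next Group Policy
# refresh, so trigger one (or wait for the periodic refresh).
Reset-AdmPwdPassword -ComputerName $Computer
Invoke-Command -ComputerName $Computer -ScriptBlock { gpupdate.exe /target:computer /force }

# Check on the target that the CSE actually received the policy: these values
# are what the LAPS ADMX template writes when the GPO applies.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' |
        Select-Object AdmPwdEnabled, AdminAccountName, PasswordLength, PasswordAgeDays
}

# The remote UAC point from the Q&A: a local account (which a LAPS account is)
# only gets a full token over the network, and so can reach ADMIN$, when
# LocalAccountTokenFilterPolicy is 1. Set it if it is missing or 0.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ((Get-ItemProperty -Path $p).LocalAccountTokenFilterPolicy -ne 1) {
        Set-ItemProperty -Path $p -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
    }
}
```

The second Find-AdmPwdExtendedRights call is the check worth keeping around: anything other than the delegated group and the default Domain Admins holders is an account that can read every managed password in that OU.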
Info
Channel: PDQ.com
Views: 11,323
Keywords: LAPS, PDQ Inventory, PDQ Deploy
Id: lMkA_IL6zqc
Length: 30min 41sec (1841 seconds)
Published: Thu Sep 14 2017