LAPS (Local Administrator Password Solution)

NCSU is implementing security controls from the Wolftech\NCSU OU down.  All machines will be receiving these controls unless you specifically opt out.  Anything at the NCSU level will, by default, be configured to enforce builtin Administrator account password changes.  LAPS will enforce random passwords on a per machine basis.  Implementing LAPS mitigates the Pass-the-Hash attacks and makes sure that large numbers of machine don’t have the exact same (often unused nor monitored) builtin Administrator account password.  When a machine gets deployed via WDS or SCCM the builtin Administrator account password is the same for all computers on campus unless your department is specifically doing something to mitigate this already.

LAPS utilizes the machine password change mechanism to change the builtin Administrator account password for a computer on a chosen schedule.  NCSU will be enforcing the password change every 90 days at the domain level.  The builtin Administrator account’s password will be stored in an attribute (ms-mcs-AdmPwd) on the computer object in Active Directory.  If you feel that 90 days is not aggressive enough you may change the value to something lower by making a lower level GPO.  The location for LAPS settings is ‘Computer Configuration/Policies/Administrative Templates/LAPS’.

LAPS will look for the builtin Administrator account by default.  If the builtin Administrator account has been renamed LAPS will still change that accounts password.  If you disable the builtin Administrator account and use your own local admin account in your image you can still leverage LAPS.  You will need to create a GPO at your departmental level or lower that specifies the name of the local admin account you want to change the password on.  LAPS can only store one password in the attribute.  If you have multiple local admin accounts enabled on the computer, you are encouraged to to disable all but one and have that one use LAPS.  If you need multiple local admin accounts, another solution would be to leverage Restricted Groups to add the appropriate domain user accounts to the local admin.

LAPS is currently being deployed via SCCM.  After a successful imaging of the computer the builtin Administrator account password will still be the default password from the base image.  Once the computer is joined to AD and SCCM the software will be pushed to the computer.  It takes two reboots before the password on the computer object will change.  One for the install of the software; One to have the computer change the builtin Administrator account password.  Moving forward, the LAPS software will be added to the base Windows images provided in WDS and SCCM.  This should move the time to password change from install up.  It will still require a second reboot after the image is completed; however, you won’t have to wait on SCCM.

You can read more about LAPS from here:

By default, you can use Active Directory Users and Computers to view the attribute (ms-mcs-AdmPwd) on the Attribute Editor tab.  To be able to see this tab you will need to ensure that Advanced Features is enabled in ADUC.  If you would rather not use this solution for viewing you can download the appropriate .msi for your architecture from the link above and choose to install the ‘Fat Client UI’ under ‘Management Tools’.  This will give you an application where you type in the computer name you want the password from and it will give you the appropriate admin password.