In a business, when setting up new servers or computers, most of the time administrators are using one common password for the local administrator account. This account is usually used as a backdoor by administrators for software installation/uninstallation, to log in when domain authentication is not working, for OS troubleshooting, and so on. Most of the time this password is a non-complex one as well. We know some use well-known passwords like ‘Pa$$w0rd’ for local administrator accounts. When someone leaves the company, we usually change their domain password or disable their accounts. But these local administrator accounts remain the same, as changing passwords on local accounts is a time-consuming, complex process. However, in a typical identity attack, a compromised local administrator account allows attackers to perform Pass-the-Hash (PtH) attacks and laterally move within the organization by compromising more systems easily.

Microsoft Local Administrator Password Solution (LAPS) fixes this issue by setting a unique complex password for the local administrator account on all domain-joined devices. This local administrator account password set by Microsoft LAPS will automatically change according to the password policy. The new passwords are saved in Active Directory, and authorized engineers can retrieve passwords from the Active Directory server when required. We do not need additional licenses or additional servers to implement this solution.

Microsoft LAPS needs a specific Group Policy client-side extension (CSE) installed on each computer to do all management tasks. Once LAPS is in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator password in the following order.

1. Generate a new password for the local administrator account.
2. Validate the new password against the password policy settings.
3. Save the password under the Active Directory computer object’s attribute ms-Mcs-AdmPwd.
4. Save the next expiry date of the password under the ms-Mcs-AdmPwdExpirationTime attribute. This attribute is added to the schema as part of the LAPS installation process.
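Because step 4 is the CSE writing ms-Mcs-AdmPwdExpirationTime, that attribute is a cheap health signal for the whole rotation pipeline: a computer with no value has never been managed, and one with a value in the past is not refreshing its password. The following audit script is an added example, not code from the original post or from Microsoft LAPS; it assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to read ms-Mcs-AdmPwdExpirationTime, which unlike ms-Mcs-AdmPwd is not a confidential attribute, so no password is ever read.

```powershell
# Added audit example (not part of the original post). Lists domain computers whose
# LAPS-managed password is missing or past its expiry, using only the non-confidential
# ms-Mcs-AdmPwdExpirationTime attribute written by the LAPS client-side extension.
function Get-LapsExpiryStatus {
    param(
        # Assumed defaults: audit the whole domain, no grace period past the expiry.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$GraceDays = 0
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem', 'LastLogonDate' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # Never written: the CSE has not run here (not installed, GPO not applied,
            # or the computer lacks write permission on its own object).
            $status  = 'NotManaged'
            $expires = $null
        } else {
            # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $status  = if ($expires.AddDays($GraceDays) -lt $now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            Name       = $_.Name
            Status     = $status
            ExpiresUtc = $expires
            OS         = $_.OperatingSystem
            LastLogon  = $_.LastLogonDate
        }
    }
}

# Report hosts that need attention. 'Expired' on a host that still logs on means the
# CSE is not rotating the password, so the stored value may no longer be correct.
Get-LapsExpiryStatus | Where-Object Status -ne 'Current' |
    Sort-Object Status, Name | Format-Table -AutoSize
```

An 'Expired' host whose LastLogonDate is also old is usually just decommissioned; an 'Expired' host with a recent logon is the case worth investigating.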