filmov
tv
Configuring LAPS
Показать описание
Run laps exe
Create laps gpo
Create share with .msi file for domain users and COMPUTERS
Computer Configuration, Policies, Software Settings. Right click on Software Installation and click New, Package. = \\TEST-DC\LAPS-Share
Gpupdate /force on client machine
Extend Schema
Open powershell on DC
Import-module AdmPwd.PS
Update-AdmPwdADSchema
Delegate endpoints to change their own passwords:
Set-AdmPwdComputerSelfPermission -OrgUnit “Endpoints”
You may need to remove attributes that allow computers or users to read their own passwords:
Check to see who has access by typing Find-AdmPwdExtendedrights -identity “Endpoints”
Edit these by going to cmd, adsiedit
Connect to domain
Right click OU, properties, security, Advanced
If you want to allow a user or group to retrieve a computer’s password.
Set-AdmPwdReadPasswordPermission -OrgUnit “Endpoints” - AllowedPrincipals “PowerGroup”
Apply password security
New GPO, Computer Configuration, Administrative Templates, LAPS
Enable - Enable local admin password management
By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days. You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs.
Show password
get-admpwdpassword -computername “test-win10” (check DC too to see if admin password changed)
Things to note when using LAPS however:
It *is* stored in clear text in AD, but honestly if someone is already on your domain controller you’re hosed anyways.
• Password is protected by ACL
• Password is not replicated to RODC and is not revealed in audit logs on DC
• Is protected in transit by LAPS tools
Enable Local Account Token Filter Policy - prevents non-interactive remote logins for local admins
Create laps gpo
Create share with .msi file for domain users and COMPUTERS
Computer Configuration, Policies, Software Settings. Right click on Software Installation and click New, Package. = \\TEST-DC\LAPS-Share
Gpupdate /force on client machine
Extend Schema
Open powershell on DC
Import-module AdmPwd.PS
Update-AdmPwdADSchema
Delegate endpoints to change their own passwords:
Set-AdmPwdComputerSelfPermission -OrgUnit “Endpoints”
You may need to remove attributes that allow computers or users to read their own passwords:
Check to see who has access by typing Find-AdmPwdExtendedrights -identity “Endpoints”
Edit these by going to cmd, adsiedit
Connect to domain
Right click OU, properties, security, Advanced
If you want to allow a user or group to retrieve a computer’s password.
Set-AdmPwdReadPasswordPermission -OrgUnit “Endpoints” - AllowedPrincipals “PowerGroup”
Apply password security
New GPO, Computer Configuration, Administrative Templates, LAPS
Enable - Enable local admin password management
By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days. You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs.
Show password
get-admpwdpassword -computername “test-win10” (check DC too to see if admin password changed)
Things to note when using LAPS however:
It *is* stored in clear text in AD, but honestly if someone is already on your domain controller you’re hosed anyways.
• Password is protected by ACL
• Password is not replicated to RODC and is not revealed in audit logs on DC
• Is protected in transit by LAPS tools
Enable Local Account Token Filter Policy - prevents non-interactive remote logins for local admins
0:11:51
0:06:20
0:10:48
0:08:55
0:13:48
0:03:50
0:17:47
0:08:23
0:06:44
0:23:00
0:16:04
0:09:02
0:53:31
0:34:29
0:08:23
0:06:49
0:03:34
0:08:40
0:37:40
0:11:51
0:28:26
0:11:05
0:13:19
0:01:47