Purpose: This article explains the Manage LAPS custom task included in the Resources folder of a ServiceControl (Identity Maestro) server installation.
Type of Custom Task: Security
In many enterprise environments, Windows desktops are deployed by scripted installation or from pre-configured images. In most cases, the result is that every Windows desktop has the identical password for the local Administrator account. Most environments prevent users from having local Administrator logon access, so there is an inherent challenge in supporting software installations and updates that prompt for local Administrator authentication.
In May 2015, Microsoft released the Local Administrator Password Solution (LAPS), which addresses the problem of a common local administrator account with an identical password on every computer in a domain. LAPS resolves this by setting a random password for the local administrator account on each computer and storing it in Active Directory. Passwords are read with a Windows utility under the domain logon of a user who has been granted controlled access to the password values. Using GPOs, each computer's local administrator password is automatically changed at regular intervals.
Documentation on LAPS is available from the following sources:
Access to the LAPS password value requires using a Windows application, installed on a desktop Windows system that the authorized user will use.
In many enterprise environments, help desk staff will have to provide the password when required. There are a couple of common scenarios that have been employed:
Another challenge with the LAPS application is that you need to know the exact name of the computer object as it is stored in Active Directory. That means providing access to MMC ADUC or some other tool to browse or search computer objects to confirm the value.
The final challenge is that there is no tracking of which AD user is looking up the LAPS password of a computer object using the LAPS application.
A Manage_LAPS.custom-task template file is now available in the \Resources\Custom Tasks Templates folder.
To add this custom task to a ServiceControl server:
Typical Scenario: A help desk staff member travels to the user's computer and accesses ServiceControl. In the Manage module, they search for or browse to the computer object (no need to guess the exact name or require access to MMC ADUC), right-click the computer object and select Manage LAPS.
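The three problems the custom task addresses (finding the computer object without its exact name, reading the LAPS value, and recording who looked it up) can be illustrated with the following PowerShell script. This is an added example, not the Manage_LAPS.custom-task template or any ServiceControl code; it assumes the ActiveDirectory module, the original LAPS schema attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, a caller who has been delegated read access to them, and a constructed audit-file path.

```powershell
#Requires -Modules ActiveDirectory
# Added example: resolve a computer from a name fragment, read its LAPS password,
# and append an audit record naming the AD user who performed the lookup.
param(
    [Parameter(Mandatory)][string]$NameFragment,
    [string]$AuditLog = "$env:ProgramData\LapsLookup\audit.csv"   # assumed location
)

# 1. Locate the computer object without MMC ADUC: search on a partial name.
#    A script-block filter keeps the user-supplied fragment out of the filter syntax.
$pattern = "*$NameFragment*"
$found = @(Get-ADComputer -Filter { Name -like $pattern })
if ($found.Count -eq 0) { throw "No computer object matches '$NameFragment'." }
if ($found.Count -gt 1) {
    $found | Select-Object Name, DNSHostName | Format-Table -AutoSize | Out-Host
    throw "Ambiguous: $($found.Count) computer objects match. Refine the name fragment."
}

# 2. Read the LAPS attributes from the single matching object.
$computer = Get-ADComputer -Identity $found[0].DistinguishedName `
    -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$password = $computer.'ms-Mcs-AdmPwd'
if (-not $password) {
    throw "No LAPS password readable for $($computer.Name): not LAPS-managed, or read access not delegated."
}
$expires = [DateTime]::FromFileTimeUtc([long]$computer.'ms-Mcs-AdmPwdExpirationTime')

# 3. Record who looked up which computer (the password itself is never written to the log).
$record = [pscustomobject]@{
    Time       = (Get-Date).ToString('o')
    LookedUpBy = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Computer   = $computer.Name
    PwdExpires = $expires.ToString('o')
}
New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
$record | Export-Csv -Path $AuditLog -Append -NoTypeInformation

# Return the value to the caller; expiry lets the help desk know when it will rotate.
[pscustomobject]@{ Computer = $computer.Name; Password = $password; Expires = $expires }
```

Run as `.\Get-LapsLookup.ps1 -NameFragment LAB-PC` under a domain account that has been granted read access to the LAPS attributes; each invocation appends one audit row.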