Resources Guide: AD Manage Microsoft LAPS Custom Task

Article ID: 1658
Last updated: 01 Dec, 2017

Purpose of this article: This article explains the Manage LAPS custom task included in the Resources folder of a ServiceControl (Identity Maestro) server installation:

Type of Custom Task:  Security
Time to implement:  5-10 minutes
Who can implement:  ServiceControl Delegated administrators

What is Microsoft LAPS

Windows desktops in many enterprise environments are deployed through scripted installation processes or pre-configured images. In most cases, the result is that every Windows desktop uses the identical password for the local Administrator account. Most environments prevent users from having local Administrator logon access, so there is an inherent challenge in supporting software installation and updates that prompt for local Administrator authentication.

In May 2015, Microsoft released the Local Administrator Password Solution (LAPS), which addresses the problem of a common local administrator account with an identical password on every computer in a domain. LAPS resolves this by setting a random password for the local administrator account of each computer and storing it on the computer object in Active Directory. Access to the passwords is performed with a Windows utility, using a domain logon of a user who has been granted controlled access to the password values. Using GPOs, each computer's local administrator password is changed automatically at regular intervals.

Documentation on LAPS is available from the following sources:

Challenges with LAPS Implementation

Access to the LAPS password value requires a Windows application installed on the desktop system of the authorized user.

In many enterprise environments, help desk staff have to provide the password when it is required. Two common scenarios have been employed:

  • The user is trusted with the password. Some users, such as developers and software QA testers, need administrator access to their local desktop systems to perform their work. In that case they are given access to the LAPS app and the name of their AD computer object.
    Challenge: The user has to be granted permission to read the LAPS password attribute. That permission does not prevent them from reading the passwords of other computers. In a high-security environment, this is not an acceptable risk or practice. The real difficulty is auditing who is gaining access to computer systems using a LAPS password.

  • Help desk support staff are trusted with the password. In this case, the help desk staff member is granted access to the LAPS password attribute. That means that if they are working on a user's computer, the help desk staff member would need to RDP to their own computer, launch the LAPS application and then transfer the value of the password to the authentication prompt on the user's computer. If RDP to user computers is blocked on the network, help desk staff "invent" other methods to make the password available when they need it.
    Challenge: Unfortunately, common sense does not always prevail. Often the password is sent via email or unsecured chat, stored in a .txt file on a network share, or written on a Post-it note. None of those common practices is secure, and this kind of activity is very difficult to monitor and control.

Another challenge with the LAPS application is that you need to know the exact name of the computer object as it is stored in Active Directory. That means providing access to the MMC ADUC snap-in or some other tool to browse or search computer objects in order to confirm the value.

The final challenge is that the LAPS application does not record which AD user looked up the LAPS password of a given computer object.
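The tracking gap described above can also be closed on the Windows side by auditing reads of the LAPS password attribute on the domain controllers. The following PowerShell is an added example, not part of this article or of the ServiceControl product; it assumes the legacy LAPS schema extension (attribute ms-Mcs-AdmPwd), the ActiveDirectory module, and that a SACL auditing "Read property" on that attribute has already been set, so that each read is logged as Security event ID 4662.

```powershell
# Added example: report who read which computer's LAPS password, and when, from a DC's Security log.
# Assumptions: legacy LAPS attribute ms-Mcs-AdmPwd, ActiveDirectory module installed, and a SACL
# on the attribute so that "Read property" accesses produce event 4662 on the domain controller.
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumed: run on a DC, or pass a DC name
    [int]$Hours = 24
)
Import-Module ActiveDirectory

# The schema GUID of ms-Mcs-AdmPwd is generated when the schema is extended, so it differs
# between forests; look it up instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in the schema; is the LAPS schema extension installed?' }
$attrGuid = ([guid][byte[]]$attr.schemaIDGUID).Guid

# 4662 = "An operation was performed on an object". AccessMask 0x10 is "Read Property".
$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.AccessMask -ne '0x10') { continue }           # keep property reads only
    if ($d.Properties -notmatch $attrGuid) { continue }  # keep reads that touched ms-Mcs-AdmPwd
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Reader   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Computer = $d.ObjectName       # DN of the computer object whose password was read
        DC       = $DomainController
    }
}
$reads | Sort-Object Time | Format-Table -AutoSize
```

Without the SACL on the attribute no 4662 events are written, so an empty result means "auditing not configured" as much as "no reads".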

Manage LAPS Custom Task to the Rescue

The Manage_LAPS.custom-task template file is now available in the \Resources\Custom Tasks Templates folder.

To add this custom task to a ServiceControl server:

  1. Log in to ServiceControl using a delegated administrator account.
  2. In the Administrator MANAGE module, select Step 5: Custom Tasks and import the Manage_LAPS.custom-task template.
  3. The Manage LAPS task becomes available in all task collections. Enable it in the task collection assigned to the help desk staff who would normally use the Windows LAPS app.
  4. Save the change and apply settings.
  5. Users in the help desk group assigned to the help desk staff collection will have access to this task when they right-click a computer object.

Typical Scenario: A help desk staff member travels to the user's computer and accesses ServiceControl. In the Manage module, they search for or browse to the computer object (no need to guess the name or require access to MMC ADUC), right-click the computer object and select Manage LAPS.

Advantages: 

  • With this custom task, a help desk staff member gains SSL-protected access to the LAPS password and can reset it once it has been used on the user's computer.
  • Since all Manage tasks are recorded in the audit log database, it is possible to determine which user looked up the LAPS password for a specific computer, including the exact date and time of that action.
Revision: 9