{"id":1649,"date":"2022-01-11T10:39:49","date_gmt":"2022-01-11T08:39:49","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=1649"},"modified":"2022-01-12T09:38:45","modified_gmt":"2022-01-12T07:38:45","slug":"windows-server-2019-how-to-set-up-and-configure-laps","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=1649","title":{"rendered":"Windows Server 2019 &#8211; How To Set Up and Configure LAPS"},"content":{"rendered":"<p><a href=\"https:\/\/www.blumira.com\/glossary\/local-administrator-password-solution-laps\/\">LAPS<\/a> (Local Administrator Password Solution) is a free tool from Microsoft, and the one Microsoft recommends, for managing the password of the built-in local administrator account on domain-joined computers.<\/p>\n<p>Below you will find a step-by-step walkthrough to install and configure LAPS.<\/p>\n<h2>What Is LAPS Used For?<\/h2>\n<p>One of the most damaging misconfigurations on a Windows network is setting the same password for the local administrator account on every computer. It happens everywhere. Even if you\u2019ve streamlined your endpoint rollouts with imaging software, it\u2019s just easier to make that admin login the same across the organization: support staff and management software can use it without having to remember a password scheme. Who else benefits from this ease of configuration? Malicious actors, worms, viruses and <a href=\"https:\/\/www.blumira.com\/glossary\/ransomware\/\">ransomware<\/a>, just to name a few.<\/p>\n<p>Once the password hash has been stolen from one computer, it can be replayed (pass-the-hash) against every other computer that has the same local user and password, over and over again and without ever cracking it. A common tool for this credential theft is <a href=\"https:\/\/www.blumira.com\/glossary\/mimikatz\/\">Mimikatz<\/a>, which dumps passwords, hashes and other authentication material such as Kerberos tickets out of memory once an attacker has administrator rights on a single machine; with a shared local administrator password, that one foothold becomes administrator on every machine.<\/p>\n<p>The primary defense against <a href=\"https:\/\/www.blumira.com\/glossary\/mimikatz\/\">Mimikatz<\/a> (and other <a href=\"https:\/\/www.blumira.com\/glossary\/privilege-escalation\/\">privilege escalation<\/a>) is limiting administrative privileges to only those users that need them. 
That\u2019s easier said than done, especially in an enterprise environment that has been around for a long time. It\u2019s common to start at a company and find a network that was built without design or security in mind, where <a href=\"https:\/\/www.blumira.com\/glossary\/least-privilege\/\">least privilege<\/a> wasn\u2019t a consideration because a piece of software or business function just needed to work.<\/p>\n<p>Luckily, in 2015 Microsoft released an integrated solution for this. LAPS sets a unique, random password for the built-in local administrator account of each domain-joined computer and rotates it on a schedule.<\/p>\n<p>LAPS stores each password in an attribute (ms-Mcs-AdmPwd) of the computer\u2019s own object in Active Directory (AD). The attribute is protected by the access-control list (ACL) on that computer object, so only principals you have explicitly delegated can read a password or force a reset, and a computer can only write its own.<\/p>\n<h2>System Requirements For Microsoft LAPS<\/h2>\n<p>Before you install LAPS, ensure that you meet the following prerequisites:<\/p>\n<p><b>Management Tools:<\/b><\/p>\n<ul>\n<li aria-level=\"1\">.NET Framework 4.0<\/li>\n<li aria-level=\"1\"><a href=\"https:\/\/www.blumira.com\/glossary\/powershell\/\">PowerShell<\/a> 2.0 or higher<\/li>\n<\/ul>\n<p><b>OS Requirements (managed computers):<\/b><\/p>\n<ul>\n<li aria-level=\"1\">Windows Vista SP2 or higher, which includes:\n<ul>\n<li aria-level=\"2\">Windows Vista<\/li>\n<li aria-level=\"2\">Windows 7<\/li>\n<li aria-level=\"2\">Windows 8<\/li>\n<li aria-level=\"2\">Windows 8.1<\/li>\n<li aria-level=\"2\">Windows 10<\/li>\n<\/ul>\n<\/li>\n<li aria-level=\"1\">Windows Server 2003 with current SP or higher, which includes:\n<ul>\n<li aria-level=\"2\">Windows Server 2003<\/li>\n<li aria-level=\"2\">Windows Server 2008<\/li>\n<li aria-level=\"2\">Windows Server 2012<\/li>\n<li aria-level=\"2\">Windows Server 2012 R2<\/li>\n<li aria-level=\"2\">Windows Server 2016<\/li>\n<li aria-level=\"2\">Windows Server 2019<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>Active Directory Requirements:<\/b><\/p>\n<ul>\n<li aria-level=\"1\">Windows Server 2003 SP1 or higher (the schema will be extended, so the account that runs the schema update must be a member of Schema Admins)<\/li>\n<\/ul>\n<p><b>Note:<\/b> If you apply these steps to a domain controller, first make sure nothing in the environment is still using the built-in domain Administrator account by checking the authentication logs on the DCs (event IDs 4624, 4625 and 4776). A domain controller has no separate local SAM: the \u201clocal\u201d administrator account that LAPS manages on a DC is the domain\u2019s built-in Administrator account, so a LAPS policy that applies to a DC will change that account\u2019s password to a random string and store it on the DC\u2019s computer object.<\/p>\n<p><strong>For a video walkthrough, watch:<\/strong><\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/4oW-hW6XwyQ\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-origwidth=\"560\" data-origheight=\"315\" data-mce-fragment=\"1\"><\/iframe><\/p>\n<h2>Deploy Software<\/h2>\n<p><strong>Step 1:<\/strong> Download the LAPS msi file from Microsoft: <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\">https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899<\/a>. The same installer carries both the client-side extension (the part that rotates the password; installed on every managed computer, selected by default) and the optional management tools (the AdmPwd.PS PowerShell module, the Group Policy templates and the fat client used below), which you install only on the workstation or server you manage LAPS from.<\/p>\n<p><strong>Step 2:<\/strong> Create a share containing the .msi file that domain users and, more importantly, domain COMPUTERS can read. Software installation through a GPO runs as the computer account, so the share and NTFS permissions must grant read access to the computer accounts the GPO is applied to (for example Domain Computers or Authenticated Users). If you already have a share used for software deployment, that is a good candidate. If you are not deploying the package with a GPO, you can skip this step.<a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36017\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image6.png\" sizes=\"auto, (max-width: 553px) 100vw, 553px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image6.png 553w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image6-300x159.png 300w\" alt=\"Create a share with .msi file for domain users and COMPUTERS\" width=\"553\" height=\"293\" \/><\/a><\/p>\n<p><strong>Step 3:<\/strong> Create a new GPO, or use an existing GPO, to deploy the msi as a software package to domain-joined computers. You may also use whatever other tool you manage remote software rollouts with. <a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36018\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image9.png\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image9.png 966w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image9-300x219.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image9-768x560.png 768w\" alt=\"Create a new GPO,\" width=\"500\" height=\"364\" \/><\/a><\/p>\n<p><strong>Step 4:<\/strong> Edit the GPO: Computer Configuration &gt; Policies &gt; Software Settings. Right click on <b>Software Installation<\/b> and click <b>New &gt; Package<\/b>, then enter the UNC path of the msi on the share from Step 2 (not a local drive letter, because the clients resolve the path themselves), for example a file under <code>\\\\TEST-DC\\RandomFileShare<\/code>.<a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36019\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image4.png\" sizes=\"auto, (max-width: 504px) 100vw, 504px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image4.png 504w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image4-300x265.png 300w\" alt=\"Right click on Software Installation and click New &gt; Package\" width=\"504\" height=\"446\" \/><\/a><\/p>\n<p><strong>Step 5:<\/strong> Leave the \u201cDeploy Software\u201d options at the default (Assigned) and click <b>OK<\/b>.<\/p>\n<h2>Extend AD Schema and Modify Permissions<\/h2>\n<p><strong>Step 1:<\/strong> Open <a href=\"https:\/\/www.blumira.com\/glossary\/powershell\/\">PowerShell<\/a> as a member of Schema Admins on a machine where the LAPS management tools are installed (in this walkthrough, a Domain Controller (DC)) and extend the schema. This adds two attributes to the computer class, ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime (when the client will next rotate it), and only needs to be done once per forest.<\/p>\n<p><code>Import-Module AdmPwd.PS<\/code><\/p>\n<p><code>Update-AdmPwdADSchema<\/code><\/p>\n<p><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36021\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12.png\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12.png 805w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-300x82.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-768x210.png 768w\" alt=\"Open PowerShell on a Domain Controller (DC)\" width=\"805\" height=\"220\" \/><\/a><strong>Step 2:<\/strong> The next step is to delegate to the endpoints the right to write their own passwords. More than likely you already have a set AD structure for where endpoints are located. You\u2019ll need to repeat Steps 2-5 for each container that you will configure LAPS for. 
In this example, we have a new OU called \u201cEndpoints\u201d where all of our endpoint computer accounts reside. The cmdlet grants each computer in the OU (and its sub-OUs) write access to its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, and nothing else: <code>Set-AdmPwdComputerSelfPermission -OrgUnit \"Endpoints\"<\/code><\/p>\n<p><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36022\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-1.png\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-1.png 805w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-1-300x82.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image12-1-768x210.png 768w\" alt=\"Delegate endpoints to change their own passwords\" width=\"805\" height=\"220\" \/><\/a><strong>Step 3:<\/strong> Next, find out who can already read the passwords. ms-Mcs-AdmPwd is a confidential attribute, so it is readable by any principal that holds the \u201cAll extended rights\u201d permission on the computer objects, which by default includes Domain Admins and often also groups that were granted broad rights on the OU years ago. List those principals with <code>Find-AdmPwdExtendedRights -Identity \"Endpoints\"<\/code> and remove the right from any group that should not be able to read every local administrator password (we\u2019ll grant the intended readers their permission in Step 5).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36023\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image5.png\" sizes=\"auto, (max-width: 793px) 100vw, 793px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image5.png 793w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image5-300x50.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image5-768x128.png 768w\" alt=\"Find-AdmPwdExtendedRights output\" width=\"793\" height=\"132\" \/><strong>Step 4:<\/strong> Ideally, the principals listed should be SYSTEM, Domain Admins and the support or power-user group that is supposed to have local administrative rights on those endpoints. Anything else is a finding to clean up.<\/p>\n<p>Remember, you can plan these out so different user groups have access to different endpoint OUs in Active Directory. It\u2019s not an \u201ceveryone gets admin\u201d type of situation.<\/p>\n<p>a. Edit these by opening a command prompt (<b>Cmd<\/b>) and typing <b><i>adsiedit<\/i><\/b><\/p>\n<p>b. If a domain isn\u2019t listed, right click on <b>ADSI Edit &gt; Connect to.. &gt;<\/b> and select your domain<\/p>\n<p>c. Right click the <b>OU &gt; Properties &gt; Security &gt; Advanced<\/b><\/p>\n<p><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36024\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image8.png\" sizes=\"auto, (max-width: 754px) 100vw, 754px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image8.png 754w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image8-300x197.png 300w\" alt=\"Right click OU &gt; Properties &gt; Security &gt; Advanced\" width=\"754\" height=\"495\" \/><\/a>d. Locate the user or group that you want to edit<\/p>\n<p>e. Navigate to the permissions below and set them as required. For a group that should not see passwords, clear both, and remove \u201cAll extended rights\u201d as well, because that right implies read access to the attribute:<\/p>\n<ul>\n<li aria-level=\"2\"><b>Read ms-Mcs-AdmPwd<\/b><\/li>\n<li aria-level=\"2\"><b>Write ms-Mcs-AdmPwd<\/b><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36026\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image1.png\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image1.png 882w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image1-300x122.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image1-768x313.png 768w\" alt=\"ms-Mcs-AdmPwd permissions in ADSI Edit\" width=\"600\" height=\"244\" \/><\/a><\/p>\n<p><strong>Step 5:<\/strong> Grant a user or group the right to retrieve a computer\u2019s password. In this example, we allow the PowerGroup group to retrieve the password of any device in the Endpoints OU: <code>Set-AdmPwdReadPasswordPermission -OrgUnit \"Endpoints\" -AllowedPrincipals \"PowerGroup\"<\/code> (the parameter is <code>-AllowedPrincipals<\/code>, written without a space after the dash). If the same group should also be able to force a password change after a technician has used it, add <code>Set-AdmPwdResetPasswordPermission -OrgUnit \"Endpoints\" -AllowedPrincipals \"PowerGroup\"<\/code>, which grants write access to the expiration time only.<a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36027\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image3.png\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image3.png 966w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image3-300x30.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image3-768x76.png 768w\" alt=\"Set-AdmPwdReadPasswordPermission -OrgUnit Endpoints -AllowedPrincipals PowerGroup\" width=\"800\" height=\"79\" \/><\/a><\/p>\n<p>When you check the permissions again with <code>Find-AdmPwdExtendedRights<\/code>, PowerGroup is now listed.<a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36028\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image11.png\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image11.png 940w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image11-300x42.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image11-768x107.png 768w\" alt=\"PowerGroup is now listed\" width=\"800\" height=\"111\" \/><\/a><\/p>\n<h2>Apply Password Security<\/h2>\n<p><strong>Step 1:<\/strong> To apply the password settings and enable LAPS on the clients, edit the GPO you\u2019ve already created for LAPS, or whichever GPO makes sense in your organization\u2019s structure. The LAPS node only appears in the editor if the management tools have installed the AdmPwd administrative template on the machine you edit the GPO from.<\/p>\n<ul>\n<li aria-level=\"2\"><b>Edit GPO &gt; Computer Configuration &gt; Policies &gt; Administrative Templates &gt; LAPS<\/b><\/li>\n<li aria-level=\"2\"><b>Enable &gt; Enable local admin password management<\/b><\/li>\n<\/ul>\n<p><strong><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36025\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image7.png\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image7.png 937w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image7-300x110.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image7-768x282.png 768w\" alt=\"LAPS settings in the Group Policy editor\" width=\"800\" height=\"294\" \/><\/a>Step 2:<\/strong> By default this solution uses a password with maximum complexity (upper and lower case letters, digits and special characters), 14 characters long, and changes the password every 30 days. 
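<\/p>
<p>The script below is an added example, not part of the original walkthrough and not Microsoft\u2019s own code. It performs the same setup as the preceding sections from PowerShell: the pre-flight check for built-in Administrator logons recommended in the note under System Requirements, the schema extension and OU delegation from Extend AD Schema and Modify Permissions, and the password settings from Apply Password Security, followed by a read-back of one endpoint. It assumes the LAPS management tools (the AdmPwd.PS module) plus the ActiveDirectory and GroupPolicy modules are installed where it runs, an OU named Endpoints, a reader group named PowerGroup and a test computer named test-win10 (all from the walkthrough), and a GPO named LAPS (the page never names the GPO; that name is an assumption). The registry value names under the AdmPwd policy key are the ones the LAPS administrative template writes.<\/p>

```powershell
# Added example: end-to-end LAPS setup from PowerShell. Not from the original page
# or from Microsoft. OU 'Endpoints', group 'PowerGroup' and computer 'test-win10'
# come from the walkthrough; the GPO name 'LAPS' is an assumption.
# Needs the LAPS management tools (AdmPwd.PS) plus the RSAT AD and GroupPolicy modules.
#Requires -Modules AdmPwd.PS, ActiveDirectory, GroupPolicy
Import-Module AdmPwd.PS, ActiveDirectory, GroupPolicy

$EndpointOU  = 'Endpoints'
$ReaderGroup = 'PowerGroup'
$GpoName     = 'LAPS'

# Pre-flight for domain controllers (run on each DC): recent logons with the
# built-in Administrator (RID 500) in the Security log, because a LAPS policy that
# reaches a DC rotates that account. Looks at 4624, 4625 and 4776 as the note advises.
function Get-BuiltinAdminLogons {
    param([int]$Days = 30)
    $adminName = (Get-ADUser -Identity ((Get-ADDomain).DomainSID.Value + '-500')).SamAccountName
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4776; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.Value -contains $adminName } |   # TargetUserName is one of the event properties
        Select-Object TimeCreated, Id, MachineName
}

# Step 1: extend the schema once per forest (requires Schema Admins). The check
# makes the script safe to re-run without touching the schema again.
function Initialize-LapsSchema {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)') {
        Write-Verbose 'Schema already contains ms-Mcs-AdmPwd; skipping Update-AdmPwdADSchema'
        return
    }
    Update-AdmPwdADSchema
}

# Steps 2-5: delegate per OU. Computers may write their own password and expiry,
# the reader group may read and force a reset, and every other principal holding
# 'All extended rights' on the OU is reported, because that right reads passwords.
function Set-LapsDelegation {
    param([string]$OU, [string]$Reader)
    Set-AdmPwdComputerSelfPermission -OrgUnit $OU | Out-Null
    Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Reader | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Reader | Out-Null

    $netbios  = (Get-ADDomain).NetBIOSName
    $expected = @('NT AUTHORITY\\SYSTEM', ($netbios + '\\Domain Admins'), ($netbios + '\\' + $Reader))
    Find-AdmPwdExtendedRights -Identity $OU | ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders | Where-Object { $expected -notcontains $_ } | ForEach-Object {
            Write-Warning ('Unexpected holder of All extended rights on {0}: {1}' -f $dn, $_)
        }
    }
}

# Apply Password Security: the registry values behind the LAPS administrative
# template, set to the defaults the text describes, plus expiration protection.
function Set-LapsPolicy {
    param([string]$Gpo, [string]$TargetOU)
    $key = 'HKLM\\Software\\Policies\\Microsoft Services\\AdmPwd'
    $settings = [ordered]@{
        AdmPwdEnabled                  = 1   # Enable local admin password management
        PasswordComplexity             = 4   # upper + lower + digits + specials
        PasswordLength                 = 14
        PasswordAgeDays                = 30
        PwdExpirationProtectionEnabled = 1   # Do not allow expiration time longer than policy
    }
    if (-not (Get-GPO -Name $Gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $Gpo | Out-Null }
    foreach ($name in $settings.Keys) {
        Set-GPRegistryValue -Name $Gpo -Key $key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
    }
    $ouDn = (Get-ADOrganizationalUnit -Filter { Name -eq $TargetOU }).DistinguishedName
    New-GPLink -Name $Gpo -Target $ouDn -ErrorAction SilentlyContinue | Out-Null
}

# Using LAPS: read one computer back and flag an empty or overdue password, which
# means the client has not applied the policy yet or cannot write to its AD object.
function Test-LapsEndpoint {
    param([string]$ComputerName)
    $r = Get-AdmPwdPassword -ComputerName $ComputerName
    [pscustomobject]@{
        Computer    = $r.ComputerName
        HasPassword = -not [string]::IsNullOrEmpty($r.Password)
        Expires     = $r.ExpirationTimestamp
        Overdue     = ($null -eq $r.ExpirationTimestamp) -or ($r.ExpirationTimestamp -lt (Get-Date))
    }
}

Get-BuiltinAdminLogons -Days 30 | Format-Table -AutoSize
Initialize-LapsSchema
Set-LapsDelegation -OU $EndpointOU -Reader $ReaderGroup
Set-LapsPolicy -Gpo $GpoName -TargetOU $EndpointOU
Test-LapsEndpoint -ComputerName 'test-win10'
```

<p>Run the schema step as a member of Schema Admins and the rest as a Domain Admin, and run the logon check on each domain controller, since it reads the local Security log. The Set-AdmPwdResetPasswordPermission call goes one step beyond the GUI walkthrough: it lets the reader group force a rotation by clearing the expiration time, which is what you want after a support technician has used a password. The expiration-protection value makes the client ignore an expiration time that has been pushed into the future, so a compromised or misconfigured machine still rotates on schedule.<\/p>
<p>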
You can change these values to suit your needs, but keep the length at 14 or more, leave the complexity at the maximum, and also enable <b>Do not allow password expiration time longer than required by policy<\/b>, so that a client whose expiration time has been pushed into the future (by an attacker with write access to the attribute, or by a migration) still rotates on schedule.<\/p>\n<h2>Using LAPS<\/h2>\n<p><strong>Step 1:<\/strong> Show a password with <a href=\"https:\/\/www.blumira.com\/glossary\/powershell\/\">PowerShell<\/a>. The cmdlet returns the computer name, the password and its expiration timestamp; an empty password means the client has not yet applied the policy (run <code>gpupdate \/force<\/code> on it and check again).<\/p>\n<ol>\n<li aria-level=\"2\"><code>Get-AdmPwdPassword -ComputerName \"test-win10\"<\/code><\/li>\n<li aria-level=\"2\">Author\u2019s Note: disregard the misspelling of \u201cServer\u201d in the screenshots, it probably bothers me more than it does anyone<\/li>\n<\/ol>\n<p><strong><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36029\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image2.png\" sizes=\"auto, (max-width: 922px) 100vw, 922px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image2.png 922w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image2-300x69.png 300w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image2-768x177.png 768w\" alt=\"Show password with PowerShell\" width=\"922\" height=\"213\" \/><\/a>Step 2:<\/strong> Show a password with the GUI (the \u201cfat client\u201d installed with the management tools)<\/p>\n<ol>\n<li aria-level=\"2\"><code>C:\\\\Program Files\\\\LAPS\\\\AdmPwd.UI.exe<\/code><\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36030\" src=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image10.png\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" srcset=\"https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image10.png 589w, https:\/\/www.blumira.com\/wp-content\/uploads\/2021\/06\/image10-300x198.png 300w\" alt=\"Show Password with GUI\" width=\"589\" height=\"389\" \/><\/a><\/p>\n<h2>What To Know When Using LAPS<\/h2>\n<ul>\n<li aria-level=\"1\">The password <strong>is<\/strong> stored in clear text in AD: the ms-Mcs-AdmPwd attribute is not encrypted, so anyone who can read it (Domain Admins, or whoever holds extended rights on the computer objects) sees the password, as does anyone who can read the directory database. But honestly, if someone is already on your domain controller you\u2019re hosed anyway.<\/li>\n<li aria-level=\"1\">Passwords are protected by the ACL on each computer object, which is why auditing who holds extended rights on the OU (Step 3 above) matters<\/li>\n<li aria-level=\"1\">Passwords are not replicated to RODCs (read-only domain controllers) and are not revealed in audit logs<\/li>\n<li aria-level=\"1\">Passwords are protected in transit: the client writes them to AD over a Kerberos-authenticated and encrypted LDAP connection<\/li>\n<li aria-level=\"1\">There is an SCCM (System Center Configuration Manager) add-on to manage LAPS<\/li>\n<\/ul>\n<h5><strong>Learn about other defensive measures to protect against this type of privilege escalation:\u00a0<\/strong><a href=\"https:\/\/www.blumira.com\/integration\/how-to-configure-smb-signing\/\">Security Guide: How to Configure SMB Signing<\/a><\/h5>\n","protected":false},"excerpt":{"rendered":"<p>LAPS\u00a0(Local Administrator Password Solution) is a free and helpful tool that Microsoft recommends for local administrator password management. Below you will find a step-by-step walkthrough to install and configure LAPS. What Is LAPS Used For? 
One of the most detrimental misconfigurations on a Windows network is setting the same password for all local administrator accounts. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1304,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-1649","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1649"}],"version-history":[{"count":2,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1649\/revisions"}],"predecessor-version":[{"id":1651,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1649\/revisions\/1651"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1304"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}