LAPS PASSWORD

Hanen Chhibi 1 Reputation point
2021-12-03T14:42:37.993+00:00

How does one allow the domain administrator to not see the local password through the lapse of time?


1 answer
  1. Limitless Technology 39,391 Reputation points
    2021-12-06T09:42:53.87+00:00

    Hello,

    one step is to grant users and groups the permissions to read local administrator passwords, stored in Active Directory. For example, you want to grant read password permissions to the members of AdmPwd group:

    Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd

    In addition, you can allow a certain group of users to reset computer passwords (in this example, we give it to the same group — AdmPwd):

    Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd

    Then you have to create a new GPO object and link it to the OU containing the computers on which you want to manage local administrator passwords.

    Create a policy with the name Password_Administrador_Local using the following command:

    Register-AdmPwdWithGPO -GpoIdentity: Password_Administrador_Local

    Open this policy in the Domain Policy Management Console (gpmc.msc) and go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS.

    Using LAPS to View Administrator Password
    LAPS graphic interface (GUI) to view LAPS passwords must be installed on the administrator computers.

    If you start the tool and specify the computer name, you can view the local administrator password and its expiration date.

    The password expiration date can be set manually, or you can leave this field empty and click Set to specify that the password has already expired.

    Also, you can get the computer password using PowerShell:

    Get-AdmPwdPassword -ComputerName <computername>

    If you think that the local administrators' passwords on all computers in some OU are compromised, you can generate new unique local admin passwords for all computers in the OU with a single PowerShell command. To do this, use the Get-ADComputer cmdlet:

    Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Reset-AdmPwdPassword -ComputerName {$_.Name}

    Similarly, you can display a list of current passwords for all computers in the OU:

    Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Get-AdmPwdPassword -ComputerName {$_.Name}


    --If the reply is helpful, please Upvote and Accept as answer--

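The procedure in the answer above, collected into one script as an added example (this is not code from the original answer or from Microsoft). It goes one step further than the answer on the point the question actually asks about: after delegating read and reset rights it audits, with Find-AdmPwdExtendedRights, which principals can read passwords under the OU. Anyone who holds "All extended rights" on the computer objects (on most domains that includes Domain Admins by default, through the inherited OU ACL) can read the password whether or not they are in the AdmPwd group, and the LAPS cmdlets only add rights; taking a holder off that list means editing the OU's ACL. The OU distinguished name, the AdmPwd group and the GPO name are placeholders taken from the answer; the module names are the ones installed by the LAPS management tools and RSAT. Run it as an account with schema-admin and OU ACL rights.

```powershell
# Added example, not from the original answer: LAPS delegation, audit, read and
# rotation for one OU. Assumes the AdmPwd.PS module (LAPS management tools) and
# the ActiveDirectory RSAT module are installed on the admin workstation.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Placeholders reused from the answer; change them for your domain.
$OU          = 'OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com'
$ReaderGroup = 'AdmPwd'                        # may read stored passwords
$ResetGroup  = 'AdmPwd'                        # may force a password rotation
$GpoName     = 'Password_Administrador_Local'  # GPO already created and linked to $OU

# 1. Extend the schema once per forest (adds ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime to the computer class).
Update-AdmPwdADSchema

# 2. Let each computer write its own password and expiration time.
#    Computers are not given read access to the password attribute.
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# 3. Delegate read and reset rights to the chosen groups (same calls as the answer).
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $ResetGroup

# 4. Register the LAPS client-side extension with the GPO that is linked to the OU.
Register-AdmPwdWithGPO -GpoIdentity $GpoName

# 5. Audit: who can actually read passwords under this OU? The output lists every
#    principal holding extended rights on the OU or its child containers, which is
#    the set of accounts that can read ms-Mcs-AdmPwd, not just $ReaderGroup.
function Get-LapsReaders {
    param([Parameter(Mandatory)][string]$SearchBase)
    Find-AdmPwdExtendedRights -Identity $SearchBase |
        ForEach-Object {
            $dn = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                [pscustomobject]@{ ObjectDN = $dn; Holder = $holder }
            }
        }
}

# 6. Read one computer's current password and its expiration timestamp.
function Get-LapsPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-AdmPwdPassword -ComputerName $ComputerName |
        Select-Object ComputerName, Password, ExpirationTimestamp
}

# 7. Rotate every password in the OU. Reset-AdmPwdPassword only sets the expiration
#    time to now; each client generates and stores a new password at its next
#    Group Policy refresh, so the old password stays valid until then.
function Reset-LapsPasswordsInOU {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase |
        ForEach-Object { Reset-AdmPwdPassword -ComputerName $_.Name }
}

# Usage
Get-LapsReaders -SearchBase $OU | Format-Table -AutoSize
Get-LapsPassword -ComputerName 'DESKTOP01'          # placeholder computer name
Reset-LapsPasswordsInOU -SearchBase $OU
```

If the audit lists a group that should not be able to read passwords, removing it is an ACL change on the OU (deny or remove "All extended rights" for that principal), after which re-running Get-LapsReaders confirms the change; the LAPS cmdlets themselves never revoke a right.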