HanenChhibi-3705 asked

LAPS PASSWORD

How to prevent the domain administrator from seeing the local password through LAPS


GaryReynolds commented:

Are you trying to block domain admins from seeing the LAPS password stored in AD?


1 Answer

LimitlessTechnology-2700 answered

Hello,

One step is to grant users and groups the permissions to read local administrator passwords stored in Active Directory. For example, to grant read password permissions to the members of the AdmPwd group:

Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd

In addition, you can allow a certain group of users to reset computer passwords (in this example, we give it to the same group — AdmPwd):

Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd

Then you have to create a new GPO object and link it to the OU containing the computers on which you want to manage local administrator passwords.

Create a policy with the name Password_Administrador_Local using the following command:

Register-AdmPwdWithGPO -GpoIdentity: Password_Administrador_Local

Open this policy in the Domain Policy Management Console (gpmc.msc) and go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS.

Using LAPS to View Administrator Password
The LAPS graphical user interface (GUI) for viewing LAPS passwords must be installed on the administrator computers.

If you start the tool and specify the computer name, you can view the local administrator password and its expiration date.

The password expiration date can be set manually, or you can leave this field empty and click Set to specify that the password has already expired.

Also, you can get the computer password using PowerShell:

Get-AdmPwdPassword -ComputerName <computername>

If you think that the local administrator passwords on all computers in some OU are compromised, you can generate new unique local admin passwords for all computers in the OU with a single PowerShell command. To do this, use the Get-ADComputer cmdlet:

Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Reset-AdmPwdPassword -ComputerName {$_.Name}

Similarly, you can display a list of current passwords for all computers in the OU:

Get-ADComputer -Filter * -SearchBase "OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com" | Get-AdmPwdPassword -ComputerName {$_.Name}




--If the reply is helpful, please Upvote and Accept as answer--
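The delegation steps in the answer above grant rights but do not show who can already read the passwords. The following is an added example (not from the answer or from the LAPS module's documentation) that audits the holders of the extended right on the OU with Find-AdmPwdExtendedRights, applies the same two delegation cmdlets, and re-audits against an allow-list; the OU DN, the group name and the NTAccount-style names in the allow-list are assumptions for your environment.

```powershell
# Added example: audit and scope who can read/reset LAPS passwords for one OU.
# Assumes the AdmPwd.PS module is installed; $OrgUnit and $Helpdesk are placeholders.
Import-Module AdmPwd.PS

$OrgUnit  = 'OU=Desktops,OU=NY,OU=USA,DC=woshub,DC=com'   # OU used in the answer above
$Helpdesk = 'AdmPwd'                                      # group that should read/reset

function Get-LapsRightHolders {
    param([Parameter(Mandatory)][string]$OU)
    # Find-AdmPwdExtendedRights lists every principal holding the extended right that
    # allows reading the confidential ms-Mcs-AdmPwd attribute under the OU.
    Find-AdmPwdExtendedRights -Identity $OU | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            [pscustomobject]@{ ObjectDN = $_.ObjectDN; Holder = $holder }
        }
    }
}

function Grant-LapsHelpdeskRights {
    param([Parameter(Mandatory)][string]$OU, [Parameter(Mandatory)][string]$Group)
    # Same two cmdlets as the answer, scoped to one OU and one group.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Group | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Group | Out-Null
}

function Test-UnexpectedLapsReaders {
    param([Parameter(Mandatory)][string]$OU, [Parameter(Mandatory)][string[]]$Expected)
    # Any holder not on the allow-list is a finding to review, e.g. a group that was
    # delegated "All extended rights" on the OU and can therefore read every password.
    Get-LapsRightHolders -OU $OU | Where-Object { $Expected -notcontains $_.Holder }
}

# Baseline before delegation
Get-LapsRightHolders -OU $OrgUnit | Format-Table -AutoSize

Grant-LapsHelpdeskRights -OU $OrgUnit -Group $Helpdesk

# Re-audit. SYSTEM is always expected; Domain Admins hold the right through their
# default Full Control on the OU, which is why they cannot be excluded by delegation alone.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",   # assumed NTAccount format of the returned holders
    "$env:USERDOMAIN\$Helpdesk"
)
$Findings = Test-UnexpectedLapsReaders -OU $OrgUnit -Expected $Expected
if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No unexpected password readers.' }
```

Run the audit before and after any change to the OU's ACL, since a permission inherited from a parent OU shows up here even though none of the Set-AdmPwd* cmdlets granted it.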
