LAPS has always been a good solution for local admin password management.
But it only works with on-prem Active Directory, where the passwords can be stored in one of the available attributes of the computer object.
When it comes to something similar for Azure AD devices, Microsoft has not given us anything yet.
I went through many blogs and websites and also tried to script something for this situation, so that I could use it while implementing Autopilot with Intune.
Thanks to Alex Link, who created a wonderful script that I found very helpful in my case.
Requirements:
- Targeted devices must be running the latest Windows 10; in my case I have only tested it on the 1809 build so far.
- For MDM I have used Intune, while implementing Autopilot.
- It also requires an Azure subscription with a storage account for BLOB and Azure tables (to store the passwords in place of AD attributes).
Now let me tell you the process.
First, you need to understand how it actually works.
The LAPS application must be installed on the device. This can be done with the script I describe below or with an existing deployment process, but the problem with an existing process is that you cannot control what runs first: when the reset script runs, LAPS must already be present on the device.
So, let's do everything with the help of scripts. It goes in a few simple steps:
Step 1:
First, upload the LAPS application to BLOB storage and get the SAS signature that the script will use to download it from BLOB.
Link to download first script.

Step 2:
The first script runs on the device in the system context, requests the executable from BLOB storage and installs it.
Step 3:
Once LAPS is installed, the second script (triggered at the end of the first script, immediately after the installation completes) resets the targeted local admin passwords and saves them to Azure tables. There is no need to worry about the password in transit; it is secured with HTTPS.
The script also installs a scheduled task that changes the password every 3 months, but only if the device has internet access.
Link to download second script.
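As an added example that is not the post's own script nor the one it links to, here are Steps 1 to 3 as a single device-side PowerShell script of the kind Intune would run as SYSTEM: download the LAPS MSI with a SAS, install it, rotate the local admin password(s), write the result to an Azure table over HTTPS, and register the rotation task. Everything configurable is an assumption: the storage account, container, table name, both SAS tokens, the public-key certificate path and the LAPS install path are placeholders, and the rows are encrypted to a helpdesk public key (RSA-OAEP) because the post says the table must not hold clear text but does not say how that is achieved. Because the SAS tokens sit in the script in plain text, the example scopes them tightly: read-only on the installer blob, add-only on the table.

```powershell
# Added example, not the post's or the linked scripts' code: Steps 1-3 in one device-side script.
# Assumptions (none of these values come from the post): storage account, container, table name,
# both SAS tokens, the public-key certificate path and the LAPS install path are placeholders.
$StorageAccount = 'STORAGEACCOUNT_PLACEHOLDER'
$BlobSas        = 'BLOB_SAS_PLACEHOLDER'    # read-only SAS scoped to the installer blob
$TableSas       = 'TABLE_SAS_PLACEHOLDER'   # add-only SAS scoped to the table: a device can insert
                                            # rows but can never read another device's password
$TableName      = 'LocalAdminPasswords'
$AdminAccounts  = @('Administrator')        # several local admin accounts can be listed here
$WorkDir        = Join-Path $env:ProgramData 'AzureLaps'
$PublicCert     = Join-Path $WorkDir 'helpdesk-public.cer'          # public key only (deployed with the script)
$LapsMarker     = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll' # file the LAPS MSI installs (assumption)

# Step 1/2: fetch the LAPS installer from Blob storage with the SAS and install it silently.
function Install-LapsClient {
    $msi = Join-Path $WorkDir 'LAPS.x64.msi'
    $uri = "https://$StorageAccount.blob.core.windows.net/installers/LAPS.x64.msi?$BlobSas"
    Invoke-WebRequest -Uri $uri -OutFile $msi -UseBasicParsing
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "LAPS install failed, msiexec exit code $($p.ExitCode)" }
}

# Step 3a: random password from the CSPRNG with rejection sampling (no modulo bias, no Get-Random).
function New-RandomPassword([int]$Length = 20) {
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# Step 3b: encrypt to the helpdesk public key so the table never holds clear text.
function Protect-Password([string]$Plain) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PublicCert)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $pad  = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1   # supported by every .NET RSA provider
    [Convert]::ToBase64String($rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($Plain), $pad))
}

# Step 3c: insert one row per rotation over HTTPS (Azure Table REST API, Insert Entity).
function Save-PasswordToTable([string]$Account, [string]$Cipher) {
    $uri     = "https://$StorageAccount.table.core.windows.net/${TableName}?$TableSas"
    $headers = @{ 'x-ms-date' = [DateTime]::UtcNow.ToString('R'); 'x-ms-version' = '2019-02-02'
                  'Accept' = 'application/json;odata=nometadata' }
    $body = @{
        PartitionKey = $env:COMPUTERNAME
        RowKey       = '{0}-{1:yyyyMMddHHmmss}' -f $Account, [DateTime]::UtcNow  # new row each time, so add-only is enough
        Account      = $Account
        Cipher       = $Cipher
        RotatedUtc   = [DateTime]::UtcNow.ToString('o')
    } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body -ContentType 'application/json' | Out-Null
}

# Step 3d: scheduled task as SYSTEM that re-runs this script every 90 days (the post's "every 3 months").
function Register-RotationTask([string]$ScriptPath) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -DaysInterval 90 -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AzureLaps-Rotate' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

# Main flow. The upload happens BEFORE the local change: if the device is offline the upload throws,
# the password stays unchanged and nothing is lost (the "only if the device has internet access" rule).
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
if (-not (Test-Path $LapsMarker)) { Install-LapsClient }
foreach ($acct in $AdminAccounts) {
    if (-not (Get-LocalUser -Name $acct -ErrorAction SilentlyContinue)) { continue }   # skip accounts not on this device
    $pw = New-RandomPassword
    Save-PasswordToTable -Account $acct -Cipher (Protect-Password $pw)
    Set-LocalUser -Name $acct -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
}
# Intune deletes its copy of the script after running it, so keep a copy for the scheduled task.
$self = Join-Path $WorkDir 'Rotate-LocalAdmin.ps1'
if ($MyInvocation.MyCommand.Path -ne $self) { Copy-Item $MyInvocation.MyCommand.Path $self -Force }
Register-RotationTask -ScriptPath $self
```

Two design choices matter for the failure modes the post mentions. Writing the row before calling Set-LocalUser means a device without internet access keeps its old, still-recorded password instead of ending up with a new one nobody knows. Inserting a fresh row per rotation (instead of updating one row per account) is what lets the device-side SAS be add-only, so a token lifted from the script cannot be used to read or delete what other devices stored.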
Step 4:
Now comes retrieving the passwords whenever they are needed. This is where the last script comes into the picture; you can convert it into an application for your helpdesk so that the script itself is not exposed. Retrieval of the password is also secured: even if somebody gains access to the storage tables, the password is not visible in clear text.

Link to download Getpassword script.
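For the retrieval side, here is an added helpdesk-side example; it is not the post's Getpassword script. It assumes the table rows were written with PartitionKey = computer name and the properties Account, Cipher (the password RSA-OAEP-encrypted to a helpdesk public key) and RotatedUtc, and that the helpdesk holds the matching private key in a PFX. Storage account, table name, the read-only SAS and the PFX path are placeholders. The query is filtered server-side, and single quotes in the supplied computer name are doubled so user input cannot change the OData filter.

```powershell
# Added example, not the post's Getpassword script: fetch and decrypt the newest password for one computer.
# Assumptions: row layout (PartitionKey, Account, Cipher, RotatedUtc), a read-only table SAS and a
# helpdesk PFX holding the private key matching the public key the devices encrypt to. All placeholders.
param(
    [Parameter(Mandatory = $true)] [string]$ComputerName,
    [string]$Account = 'Administrator'
)
$StorageAccount = 'STORAGEACCOUNT_PLACEHOLDER'
$TableSas       = 'READONLY_TABLE_SAS_PLACEHOLDER'   # read (query) permission only, short expiry
$TableName      = 'LocalAdminPasswords'
$PfxPath        = Join-Path $env:USERPROFILE 'helpdesk-private.pfx'

# Query Entities over HTTPS with a server-side OData filter; quotes in input are doubled.
function Get-LatestRow([string]$Computer, [string]$Acct) {
    $filter = "PartitionKey eq '{0}' and Account eq '{1}'" -f $Computer.Replace("'", "''"), $Acct.Replace("'", "''")
    $uri    = 'https://{0}.table.core.windows.net/{1}()?$filter={2}&{3}' -f `
              $StorageAccount, $TableName, [uri]::EscapeDataString($filter), $TableSas
    $headers = @{ 'x-ms-date' = [DateTime]::UtcNow.ToString('R'); 'x-ms-version' = '2019-02-02'
                  'Accept' = 'application/json;odata=nometadata' }
    $rows = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
    if (-not $rows) { throw "No password stored for $Computer / $Acct" }
    # One row per rotation is stored, so pick the most recent one.
    $rows | Sort-Object RotatedUtc -Descending | Select-Object -First 1
}

# Decrypt with the helpdesk private key; the clear text only ever exists on the helpdesk machine.
function Unprotect-Password([string]$CipherB64) {
    $pfxPwd = Read-Host 'PFX password' -AsSecureString
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPwd)
    $rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $pad    = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
    [Text.Encoding]::UTF8.GetString($rsa.Decrypt([Convert]::FromBase64String($CipherB64), $pad))
}

$row = Get-LatestRow -Computer $ComputerName -Acct $Account
[pscustomobject]@{
    Computer   = $ComputerName
    Account    = $row.Account
    RotatedUtc = $row.RotatedUtc
    Password   = Unprotect-Password $row.Cipher
}
```

Run as `.\Get-LocalAdminPassword.ps1 -ComputerName PC-001` (a constructed name). Someone who only obtains the table, or the read-only SAS, sees ciphertext and rotation timestamps; the private key in the helpdesk PFX is what gates the clear text, which is the property the post describes for its retrieval step.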
And this is how the result looks once the get-password application runs:

Please feel free to reach out to us if you have any queries, need any help with the above solution, or need any other help related to Microsoft technologies.
Hi Dinesh,
really useful post, please have a look at https://www.srdn.io/2018/09/serverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault/. I'm currently using that one because it utilizes the key vault instead of blobs.
Cheers
Hi Jose, first of all thanks for reading my blog and sharing another way to accomplish this. Does your way schedule the task as well to reset the password at the targeted frequencies?
Can we do it with multiple local admin accounts?
I can check and let you know.
Yes, you can do it with multiple local admin accounts as well. I have tested it and it is working; try it and let me know.
Hi Dinesh,
Why do you actually install LAPS on the computers? As I can understand, it just gets installed but doesn’t really do anything after it is installed. Script number two generates the password, sets it on the administrator account(s) and uploads the password to Azure Tables. Is there something that I am missing?
Looking forward to your reply
First of all, apologies for the delay in response.
This is meant only for managing local admin passwords: it resets the local admin password and also schedules a task which will reset the password after every 60 days (you can set it to whatever you want). IT help desk people sometimes need the local admin password to troubleshoot on the local computer, and that password should not stay the same forever, the same way you have to reset the domain password after each cycle.
For more information: What does Microsoft LAPS do and not do?
LAPS provides the ability – via Group Policy – to randomize the password for a local admin account on a remote system joined to the domain. Policies control who can access the password. These passwords are then stored against the machine object in Active Directory and can be retrieved when access is needed to the account.
LAPS requires the system be on the domain, have a client-side extension loaded, and can ONLY manage the local admin account (even if it is renamed). LAPS does have the benefit of not requiring a functional account, and it is integrated into Active Directory. It does require a Client-Side Extension (CSE) on the client in order to function. In a nutshell, MS LAPS:
Does not support any other account/password changes besides the local admin
Does not support UNIX, Linux or OS X Mac accounts – only Windows
Does not offer any features for workflow, reporting, session monitoring, etc.
Here's a "Password Rotation As a Service" solution that supports Azure AD joined computers and on-premises AD joined computers, and will soon support workgroup computers, Mac and UNIX systems too.
Secrets Vault by Synergix, with special pricing for Edu and for Not-for-Profit organizations:
https://www.synergix.com/products/secrets-vault/features/laps-for-azure-ad/
1. Password Rotation As a Service ( 3 local accounts )
a. Built-In Administrator Account
b. Alternate Administrator Account ( non S-500 account )
c. Restricted User Account
2. Inventory Information, used for correlation and data analytics
3. Auditing / Security Event Logs Forwarding
Know who, what, when, where and why someone retrieved the administrator password and actually used it for interactive logon or network logon purposes.
Thanks for sharing such a good alternative password rotation solution, but it is paid.
I tried something which can be achieved with existing resources. But I am glad to see such research on this solution.
Hi Dinesh,
You did not answer why LAPS is required in this case.
I checked Alex's blog; everything is done with the 3 scripts he has created.
The only issue I see with these 3 scripts is that the SAS key in the script is in plain text.
The rest is straight forward.
kind regards,
Ozzy
Hi Ozzy,
I have followed the same scripts; he is also installing the LAPS client. Can you help me understand what I am missing here?
Thanks,
Dinesh