LAPS Local Admin Group Policy Management

    Question

  • Hi all,

    Apologies in advance if this doesn't make any sense; I'll try and be as clear as possible. This has been driving me mad for months and I don't know the best way around it.

    First of all, we have a GP that creates a local administrator account and a set password, which is pushed to our field users if they get stuck in a pickle! We know that this is a security risk, so we have attempted to patch it with LAPS. However, what we'd ideally like to do is keep the existing policy in place with the named local admin account we use and have LAPS take over the password management of that account. But for the life of me, I can't see how to get this working.

    I can't create a new account with the same name via GP with no password, as it won't allow me to create an administrator account with no password (obviously). The current account with the set password seems to take precedence over LAPS, so even though a password is being generated, it doesn't allow me to log in with that password. Finally, I have attempted to create an Admin group and add a normal user to that group with a blank password, but I get errors in Event Viewer about password complexity, so that won't work either.

    Is it possible to manage this named local admin account through Group Policy at all or will we have to script it some other way? We don't want to use LAPS on the built in Administrator account if we can help it.

    Tuesday, February 07, 2017 10:12 AM

All replies

  • Hi,
     
    On 07.02.2017 at 11:12, Fariah2017 wrote:
    > [...] However what we'd ideally like to do is keep the
    > existing policy in place with the named local admin account we use and
    > have LAPS take over the password management of that account.
     
    This is not possible.
     
    1.)
    GPO GPP "Local Users and Groups" runs at every computer startup in the
    foreground and in every background process.
    The password set by LAPS will be overwritten by GPP.
     
    2.)
    MS14-025 as a security patch will disable the functionality to set a password
    in GPP.
     
    3.)
    You can avoid installing MS14-025 and let the GPP run once only.
    But, that makes no sense. Set it "once" by GPP and let it be overwritten
    directly by LAPS. What for?
     
    Solution:
    - install MS14-025
    - do NOT use GPP preferences password settings
    Very easy to get the plain text password:
    - use LAPS and provide long expiration time, provide the Laps UI for all
    users who are allowed to read the password
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    gp-pack PaT - Privacy and Telemetry on Windows 10
     
    Tuesday, February 07, 2017 11:04 AM
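A check for the second point of Mark's solution, as an added example that is not part of the thread: a PowerShell audit that finds Group Policy Preference items in SYSVOL that still set a password (a `cpassword` attribute), so they can be removed before LAPS takes over the account. It assumes a domain-joined machine with read access to SYSVOL and the standard Policies folder layout; it only reports that a password is set and never reads it.

```powershell
# Added audit script (not from the thread): list Group Policy Preference items
# under SYSVOL that still set an account password, i.e. carry a 'cpassword'
# attribute. These are the "GPP preferences password settings" Mark says to stop
# using. The script only reports their presence; it does not read the password.
# Assumptions: run from a domain-joined machine as a user who can read SYSVOL;
# the standard \\<domain>\SYSVOL\<domain>\Policies layout is in use.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policiesPath = "\\$Domain\SYSVOL\$Domain\Policies"

# Preference files whose items may carry a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

# The attribute naming the affected account differs per item type
$accountAttrs = 'userName', 'accountName', 'runAs', 'username'

$findings = Get-ChildItem -Path $policiesPath -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $xml  = [xml](Get-Content -Path $file.FullName -Raw)
        # Every <Properties> element that carries a cpassword attribute
        foreach ($props in $xml.SelectNodes('//Properties[@cpassword]')) {
            $account = $accountAttrs |
                ForEach-Object { $props.GetAttribute($_) } |
                Where-Object { $_ } |
                Select-Object -First 1
            # The GPO GUID is the folder directly beneath Policies
            $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                ItemType = $props.ParentNode.LocalName   # e.g. User, Service, Task
                Account  = $account
                File     = $file.FullName
            }
        }
    }

if ($findings) {
    $findings | Sort-Object GpoGuid | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) GPP item(s) still set a password; remove them and let LAPS manage the account."
} else {
    Write-Output "No GPP items with a cpassword attribute found under $policiesPath."
}
```

Any GPO listed here will keep overwriting the LAPS-managed password at every policy refresh until the password setting is removed from that preference item.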
  • Hi,
    If I understand correctly, the scenario is that you create local admin accounts via group policy and use LAPS to manage the local admin accounts’ passwords, but a password complexity error is returned, am I right?
    As far as I know, the default password complexity for LAPS is 14 chars and a password age of 30 days; it might conflict with the complexity requirements of your environment. In this case, you could adjust the complexity of LAPS to meet the same requirement. Please follow the suggested solution in the following article to see if it helps you:
    https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-2.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, February 08, 2017 3:31 AM
    Moderator
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 13, 2017 9:40 AM
    Moderator