How to set same local administrator password via LAPS

  • Question

  • How to set same local administrator password via LAPS.

    I have set up LAPS (Local Administrator Password Solution) on Server 2012 R2. It is generating a different password for every system; please help with resetting to the same local administrator password.

    Regards,

    keval   

    Tuesday, September 19, 2017 4:55 AM

All replies

  • Hi Keval,

    The main purpose of LAPS is to migrate from your "same password configuration on every machine" to a randomized password on every machine configuration.

    To deploy the same password on every machine with LAPS wouldn't make much sense, and as far as I know it's not even possible.

    Just keep in mind that the same local password on all domain-wide computers would be a security risk.


    Regards

    Daniel

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, September 19, 2017 6:53 AM
  • Hi,

    As RabanserD said, you want to un-randomize a randomized system that you (or a previous employee) have deployed. I think, given what you want to do, you need to reevaluate some questions:

    1) Do you need LAPS?

    2) Do you want LAPS?

    3) Is LAPS the best solution for you?

    4) Why do you want to reunify passwords?

    Those questions are very important for you, because you are trying to get a different result than the one LAPS provides.


    The key of learning is practice.

    Wednesday, September 20, 2017 12:03 AM
  • Hi Arnaud,

    I want LAPS in our domain environment with the same password.

    Please suggest. 

    Wednesday, September 20, 2017 5:04 PM
  • Hi Keval,

    Please look at this (from Microsoft documentation) :

    "For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords. 

       
      LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
       
      Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure. The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration."

    I cannot give you a trick or any solution for "how to use LAPS with same password", because it is not possible. It IS the objective of LAPS to ensure that administrators do NOT have the same password.

    I can show you another way to do what you ask, with PowerShell, but not with LAPS.

       


    The key of learning is practice.


    • Edited by arnaud.helin Wednesday, September 20, 2017 8:29 PM
    • Proposed as answer by arnaud.helin Monday, October 23, 2017 10:43 PM
    Wednesday, September 20, 2017 8:28 PM
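
The quoted documentation says each computer stores its own password in Active Directory and that read access is delegated to specific groups; both can be checked from PowerShell. This is an added example, not part of the original replies: it assumes the legacy LAPS `AdmPwd.PS` module and the `ActiveDirectory` module are installed, and the OU name is a placeholder.

```powershell
# Added example: audit LAPS coverage and password-read delegation for one OU.
# Assumes the legacy LAPS schema extension is in place.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder, not from the thread

# 1. Which principals may read the stored passwords for computers in this OU?
#    Anything beyond the intended helpdesk/admin groups should be reviewed.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders

# 2. Which computers have no managed password yet, or one past its expiry?
#    Only the expiration timestamp is read here, never the password itself.
$now = (Get-Date).ToFileTimeUtc()

Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'

        if (-not $exp) {
            $state   = 'NotManaged'   # CSE missing or policy not applied
            $expires = $null
        } elseif ($exp -lt $now) {
            $state   = 'Expired'      # machine has not rotated on schedule
            $expires = [datetime]::FromFileTimeUtc($exp)
        } else {
            $state   = 'OK'
            $expires = [datetime]::FromFileTimeUtc($exp)
        }

        [pscustomobject]@{
            Computer = $_.Name
            State    = $state
            Expires  = $expires
        }
    } |
    Sort-Object State, Computer
```

Computers reported as `NotManaged` or `Expired` are the ones still likely to carry an old shared local administrator password.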
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Tobias Fang

    Monday, October 16, 2017 9:47 AM
  • Keval,

    LAPS is used when you are required to have a random/different password that you will be using as local administrator for your computers in the environment. If you require the same password for all the machines on WS 2012, you can create a GPO.

    Computer Configuration> Windows Settings> Control Panel Settings> Local Users and Groups> 
    there you can create a New Local User Properties
    Action: Update
    provide the desired Admin name and password, apply it and it should be working.


    Note: prior to applying the policy, make sure you create an OU that will hold only the client machines, not the Domain Controllers.

    Friday, January 18, 2019 7:01 AM
  • Hi Keval,

    LAPS is used when the requirement is to generate random local administrator passwords for the client machine.

    As per your requirement, you can simply create a GPO and that should be working.

    Note: Make sure that you create an OU containing the client machines you want to have the same password. The OU should not contain any Domain Controller.

    Here is the path for the GPO:-

    Computer Configuration> Windows Settings> Control Panel Settings> Local Users and Groups> 
    there you can create a New Local User Properties
    Action: Update
    provide the desired Admin name and password, apply it and it should be working.

    Thanks

    Jaskirat Singh

    Friday, January 18, 2019 7:05 AM
  • Here is the path for the GPO:-

    Computer Configuration> Windows Settings> Control Panel Settings> Local Users and Groups> 


    No, you cannot. At least not if you are patching your systems... The password option in Preferences was removed back in 2014! (Security update MS14-025)

    Greetings, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Want to read a good book about GPOs? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    Friday, January 18, 2019 7:29 AM