LAPS - Passwords are stored in clear-text in AD attribute

  • Question

  • Hi

    Need help

    While testing LAPS, we found a disadvantage:

    Passwords are stored in clear-text and may be exposed

    ms-Mcs-AdmPwd  : xxddf22333

    The password in the attribute is exposed, and we are afraid it may be compromised if not properly handled.

    Question:

    Is there a way to mask/hide the password in the AD attribute, like the example below?

    ms-Mcs-AdmPwd  : *********

    Please advise


    Tuesday, March 14, 2017 11:20 AM
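An added example of how a defender can check who is actually able to read that attribute; it is not part of the original thread. It assumes the LAPS management module (AdmPwd.PS) and the ActiveDirectory module are installed, and `$OU` is a placeholder for the OU that holds the LAPS-managed computers.

```powershell
# Added audit example (not from the original thread).
# Assumes the AdmPwd.PS and ActiveDirectory modules are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Placeholder: replace with the OU that contains the LAPS-managed computers.
$OU = "OU=Workstations,DC=example,DC=com"

# 1. Which principals hold an extended right that lets them read
#    ms-Mcs-AdmPwd on the computer objects under this OU?
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize

# 2. Confirm the attribute is still flagged confidential in the schema
#    (searchFlags bit 0x80). Without this bit, plain read access to the
#    computer object is enough to read the password value.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=ms-Mcs-AdmPwd)" -Properties searchFlags
$isConfidential = ($attr.searchFlags -band 0x80) -ne 0
"ms-Mcs-AdmPwd confidential bit set: $isConfidential"
```

Reviewing the ExtendedRightHolders list against the intended admin groups is the check that tells you whether the clear-text value is reachable by more principals than you expect.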

All replies

  • You should be looking at ADCE (Active Directory Client Extensions) by Synergix, http://www.synergix.com. It stores minimum 16-character-long, complex passwords in encrypted format. It follows the principle of least privilege and even excludes Domain Admins from password retrieval capabilities unless they explicitly add their account to a specific security group.

    In the advanced configuration, you can even limit the domain controllers to which this encrypted data, stored in a confidential attribute, is replicated.

    Friday, March 17, 2017 4:14 AM