Local Administrator Password Solution (LAPS) - Offline Computers

  • Question

  • My organization has about 100 remote users that do not work inside one of our offices. They connect to VPN when they need to access network resources. We want to implement LAPS, but are curious what happens in the event that the computer is NOT connected to our VPN when the password expiry time is up. Does the local password still update without writing the new password to AD? I feel this would cause problems. Anyone have any insight?

    Thanks.

    Monday, June 29, 2015 6:44 PM

Answers

  • From the description of how it works on the download page, it only acts during a GPO update. This requires connectivity to AD, so it wouldn't run unless it has VPN access. Sounds like it should work for you.

    Brian

    https://www.microsoft.com/en-us/download/details.aspx?id=46899

    How does LAPS work?
    The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:
    • Checks whether the password of the local Administrator account has expired.
    • Generates a new password when the old password is either expired or is required to be changed prior to expiration.
    • Validates the new password against the password policy.
    • Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
    • Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
    • Changes the password of the Administrator account.
    The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.

    Monday, July 6, 2015 6:04 PM
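An added example to go with the answer above (not part of the original post or of the LAPS product): a PowerShell audit that lists which computers are past the expiry time LAPS recorded in AD, i.e. the off-VPN machines the question is about. It reads only the ms-Mcs-AdmPwdExpirationTime attribute (the non-confidential one, per the download page text) through the RSAT ActiveDirectory module; the OU path is an assumed placeholder.

```powershell
# Added example, not from the original post. Finds domain computers whose LAPS
# password is past its expiry in AD: machines that have not rotated yet, typically
# because they were offline / off-VPN at GPO refresh time.
# Assumes the legacy LAPS schema (ms-Mcs-AdmPwdExpirationTime) and RSAT.
Import-Module ActiveDirectory

$SearchBase = "OU=Laptops,DC=example,DC=com"   # assumed OU; change for your domain
$Now        = (Get-Date).ToUniversalTime()

# ms-Mcs-AdmPwdExpirationTime is stored as a 64-bit Windows FILETIME (UTC).
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # No expiry stamp at all: the CSE has never reported for this machine
        # (client not installed, GPO not applied, or no write permission yet).
        [pscustomobject]@{ Computer = $c.Name; Expires = $null; State = 'NeverReported'; LastLogon = $c.LastLogonDate }
        continue
    }
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    $state   = if ($expires -lt $Now) { 'Overdue' } else { 'Current' }
    [pscustomobject]@{ Computer = $c.Name; Expires = $expires; State = $state; LastLogon = $c.LastLogonDate }
}

$report | Sort-Object State, Expires | Format-Table -AutoSize

# For an 'Overdue' machine the password stored in AD is still the one set on the
# box: per the task order quoted above, the CSE reports the new password to AD
# before it changes the local account, so nothing rotates until the laptop next
# refreshes policy over VPN. To make that next refresh rotate immediately:
#   Reset-AdmPwdPassword -ComputerName LAPTOP01      # AdmPwd.PS module, LAPTOP01 is a placeholder
```

'NeverReported' entries are the ones to chase during rollout; 'Overdue' entries with a recent LastLogonDate are machines that are being used but not on VPN at refresh time, which is the exact population the question worries about.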

All replies

  • From my understanding, the computer will only start getting the LAPS password when all these components are set up (after the AD schema has been updated):

    1. LAPS client installed on computer +

    2. AD permission has been configured on the computer containing OU +

    3. LAPS GPO linked to the same OU.

    Without any of the above components, the computer shall NOT generate a LAPS password (the existing password for the Local Administrator account will remain / not be changed). May I know if I am understanding this correctly?

    In that case, we could plan the LAPS deployment to happen in stages, where we could actually:

    1. Install LAPS client on ALL the workstations. Then,

    2. configure AD permissions + link the LAPS GPO in phases, i.e. on different days.

    Computers within the OU will start to generate the LAPS password only after step number 2 is performed.

    yes?

    Thank you

    Friday, June 3, 2016 1:18 AM
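An added example of the staged rollout the post above describes (not part of the original post or of the LAPS product): client everywhere first, then per-OU permissions and GPO link one phase at a time, using the AdmPwd.PS cmdlets that ship with LAPS. The OU paths, GPO name and group name are assumed placeholders.

```powershell
# Added example, not from the original post. Staged LAPS rollout:
# schema once, client everywhere, then permissions + GPO link per OU phase.
# Assumes the AdmPwd.PS and GroupPolicy modules are installed on the admin host.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

# One-time, forest-wide step (Schema Admins): adds ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime to the computer class. Uncomment on first run.
# Update-AdmPwdADSchema

# Step 1 (all workstations, via your software deployment tool): the MSI installs
# the CSE but does nothing until a LAPS GPO applies and the computer can write to AD.
#   msiexec /i LAPS.x64.msi /quiet

$Gpo         = 'LAPS - Managed Local Admin'   # assumed GPO, already created with the LAPS settings
$HelpdeskGrp = 'LAPS-Password-Readers'        # assumed group allowed to read passwords
$Phases      = @(                             # assumed OUs, one per rollout day
    'OU=Pilot,OU=Workstations,DC=example,DC=com',
    'OU=Finance,OU=Workstations,DC=example,DC=com'
)

# Step 2, repeated per phase on different days.
foreach ($ou in $Phases) {
    # Who already holds "All extended rights" (and so could read the confidential
    # attribute) on this OU? Review this before granting access, and remove
    # anything unexpected first.
    Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize

    # 2a. Let computers in this OU write their own password and expiry time.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 2b. Let the helpdesk group read the password and request a reset.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $HelpdeskGrp
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $HelpdeskGrp

    # 2c. Link the GPO; machines in this OU start rotating at their next policy refresh.
    New-GPLink -Name $Gpo -Target $ou -LinkEnabled Yes
}
```

Running the Find-AdmPwdExtendedRights check before each phase matters more than the order of 2a and 2c: once the GPO applies, the password for every machine in that OU lands in the confidential attribute, and anyone who already holds extended rights on the OU can read it.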