Laps (Local admin password solution) Queries

  • Question

  • Hi

    Laps (Local admin password solution)

    I have deployed but having one issue

    Also have some queries, I’ve read the documentation available online but still not clear to me.


    Issue:

    Somehow LAPS removes a digital cert from the cert store of machines.
    I know this sounds unrelated and unlikely, but I've tested and can confirm that every time LAPS is onboarded that cert is removed.


    Query:

    1) Does the LAPS client's server end need to be installed on every DC or just one?
    e.g. does the LAPS client need to be directly installed and present on the DC that the end user is authenticating to?

    2) I've run the LAPS schema update command, but is running that command once on one DC adequate, or does it need to be run on the other DCs also?
    I doubt it but need to be sure.

    3) Upon deployment of LAPS via GPO I can see the GPO has been deployed, but I can't see the LAPS client install in the Control Panel of the workstation.

    Is there an easy way to tell if LAPS has been deployed on that workstation? e.g. look for a file in a folder etc.



    confuseis

    Monday, September 16, 2019 2:14 PM

All replies

  • Hi Confuseis,

    1) None. The fat client UI is totally optional. It's not used for authentication; it's just a support-tool-oriented GUI.

    2) Nope. When you update the schema, all DCs are updated (because there is only one AD schema used by all DCs).

    3) I see, mistake. The FAT UI client is not a tool for end users; it's a tool for the support group. Moreover, by default, you must be a member of the Domain Admins group to see the password. With this solution, you ensure that you have a distinct password for all computers ... and no one can use the local Admin account ... without the appropriate rights.

    LAPS is also a granular solution.

    olivier

    Monday, September 16, 2019 2:26 PM
  • Hi

    Regarding 3)

    I was not looking to deploy the FAT UI to the end users' workstations, just the bare client with the default settings, which I assume is enough to have the workstation reset its own password.

    I was looking for a way to tell from the workstation if the install had completed successfully.


    confuseis

    Monday, September 16, 2019 3:07 PM
    Inspired by this PS script to get and reset:

    Query AD: $pw = Get-AdmPwdPassword -ComputerName $ComputerName

    If ($pw) ==> check $pw.ExpirationTimestamp, and if it's not the current date, force a GPUpdate on the remote computer.

    Olivier

    Monday, September 16, 2019 4:55 PM
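A worked version of the check Olivier sketches, as an added example that is not his script: it reads the LAPS record for one computer from AD, and if the expiration timestamp is already in the past (the client should have rotated the password by now but has not), it forces a computer-policy refresh on that machine so the CSE runs. It assumes the AdmPwd.PS module from the LAPS installer is present on the management host, that the caller may read ms-Mcs-AdmPwdExpirationTime, and that the hypothetical $ComputerName parameter is supplied by the caller.

```powershell
# Added example (not Olivier's script). Requires the AdmPwd.PS module on the
# management host and WinRM access to the target for the gpupdate step.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName   # hypothetical input
)

Import-Module AdmPwd.PS -ErrorAction Stop

# Query AD for the LAPS attributes of this computer object.
$pw = Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction SilentlyContinue

if (-not $pw -or [string]::IsNullOrEmpty($pw.Password)) {
    # No ms-Mcs-AdmPwd value yet: the CSE has never run, the GPO is not in scope,
    # or the computer object lacks SELF write permission on the two attributes.
    Write-Warning "$ComputerName has no LAPS password in AD; the client has not reported yet."
    return
}

$expiry = [datetime]$pw.ExpirationTimestamp
Write-Host ("{0}: password present in AD, expires {1:u}" -f $ComputerName, $expiry)

if ($expiry -lt (Get-Date)) {
    # Expiry in the past means the client should already have rotated the
    # password at its last policy refresh. Force a refresh so the CSE runs now,
    # then re-read AD to confirm the timestamp moved forward.
    Write-Host "Expiration timestamp is in the past; forcing gpupdate on $ComputerName"
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate.exe /target:computer /force | Out-Null
    }
    $after = Get-AdmPwdPassword -ComputerName $ComputerName
    if ([datetime]$after.ExpirationTimestamp -gt $expiry) {
        Write-Host "Password rotated; new expiry $([datetime]$after.ExpirationTimestamp)"
    } else {
        Write-Warning 'Expiry did not change; check the AdmPwd CSE on the client.'
    }
}
```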
  • Hello confuseis,
    Thank you for posting in our TechNet forum.

    Here are the answers to your questions:

    1) Does the LAPS client's server end need to be installed on every DC or just one?
    e.g. does the LAPS client need to be directly installed and present on the DC that the end user is authenticating to?

    A1: No, we can install it on just one DC.
    In my AD test environment, I only installed LAPS on the PDC (I have 3 DCs: the PDC, another writable DC and one RODC).


    2) I've run the LAPS schema update command, but is running that command once on one DC adequate, or does it need to be run on the other DCs also?
    I doubt it but need to be sure.

    A2: We just need to run it on the one DC where we install LAPS (it is the PDC for me).


    3) Upon deployment of LAPS via GPO I can see the GPO has been deployed, but I can't see the LAPS client install in the Control Panel of the workstation.

    A3: We can troubleshoot as below:

    1. LAPS ships as LAPS.x64.msi and LAPS.x86.msi.

    We need to check whether the workstation is x64 or x86, then download the corresponding .msi file.

    2. Then we need to put the .msi file in one folder, and share this folder.
    3. Create one OU and put the machines we want into this OU.

    4. Create a GPO and link this GPO to the OU in step 3.

    5. Edit the GPO, navigate to Computer Configuration\Policies\Software Settings\Software installation

    6. Restart one machine in step 3 and check whether LAPS has been installed.


    >>Is there an easy way to tell if LAPS has been deployed on that workstation? e.g. look for a file in a folder etc.

    If we have deployed LAPS successfully, we can see the local administrator password through the LAPS UI on the DC, the PowerShell command or the computer's Properties.

    For more deployment steps we can refer to the following two similar cases.

    LAPS Implementation Issue

    LAPS Not showing password
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 17, 2019 4:23 AM
    Moderator
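For the question of how to tell from the workstation itself whether the client is in place, here is an added example (not code from the thread or from the LAPS package) that checks the four things an installed and policy-managed client leaves behind: the MSI registration, the CSE DLL, the CSE's Group Policy registration, and the policy values the GPO writes. It assumes it is run in an elevated PowerShell on the workstation and that the LAPS MSI was installed to the default location.

```powershell
# Added example: verify the LAPS client (AdmPwd GPO client-side extension) on a
# workstation. Assumes default install path and an elevated local session.

# 1. MSI installed? The package registers under the usual Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$pkg = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Local Administrator Password Solution*' }
if ($pkg) { Write-Host "MSI installed: $($pkg.DisplayName) $($pkg.DisplayVersion)" }
else      { Write-Warning 'LAPS MSI not found under the Uninstall registry keys' }

# 2. CSE DLL present? The client is a GPO extension with no UI of its own, so
#    this file (not a Control Panel entry) is the thing to look for.
$cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (Test-Path $cseDll) { Write-Host "CSE DLL present: $cseDll" }
else                   { Write-Warning "CSE DLL missing: $cseDll" }

# 3. CSE registered with the Group Policy engine under the AdmPwd CSE GUID?
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
if (Test-Path $cseKey) { Write-Host 'AdmPwd CSE is registered with the GP engine' }
else                   { Write-Warning 'AdmPwd CSE registration key not found' }

# 4. Policy reached the machine? The LAPS ADMX writes its settings here; the
#    client only rotates the password when AdmPwdEnabled is 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$policy = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.AdmPwdEnabled -eq 1) {
    Write-Host "Policy applied: password management enabled, max age $($policy.PasswordAgeDays) days"
} else {
    Write-Warning 'LAPS policy key missing or AdmPwdEnabled is not 1; check GPO scope with gpresult /r'
}
```

If steps 1 to 3 pass but step 4 fails, the software-installation GPO worked and the problem is the separate LAPS settings GPO not being linked to, or filtered from, this computer.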
  • Hi,
    Is there any update on this question, or has the issue been solved? Also, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou

    Thursday, September 19, 2019 5:56 AM
    Moderator

  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Monday, September 23, 2019 10:14 AM
    Moderator