This post is going to show one of the many ways to successfully implement Microsoft LAPS in your environment.

Audience

This post is written for windows security professionals who are familiar with what Microsoft LAPS is.

Introduction

In a nutshell it’s a Microsoft option that can be used to manage local administrator password across domain environment.

More details are found below.

Firstly let me start with the use case from security perspective or the challenge that face big organization when discussing how LAPS could be implemented.

Scenario

  • Suppose for operational reasons or for nature of your organization’s business that local administrator password is shared across some desktop technicians
  • Now suppose you are a windows security professional and decided to implement Microsoft LPAS to control local administrator password on all end point windows machines.
  • Suppose your organization has big number of desktop machines and spread to multiple physical locations.

The challenge

How would the help desk technician get local administrator password once control be only with LAPS? Options are:

  1. May be it is decided that they get access to the small tool called “LAPS UI” to get any password within their authorization ?
  2. May be it is decided that the technician has to call service desk to provide him with the requested machine’s password?

However, given nature of many organization those two options might add extra load or might be seen as inefficient!

So what other approach could be implemented to make it easy get the local administrator password in fast and easy way?

Steps

By simply utilizing Exchange EWS we can build following logic (of course once idea is clear you can customize the logic by adding extras based on your information security needs)

  1. A technician urgently needs to login to one desktop machine with local administrator
  2. The technician will send just one simple email to a given mailbox (for example: laps@domain.com ) and put machine name in subject field
  3. Once that email lands to the laps mailbox (laps@domain.com) the below script that utilizes EWS will simply take the email subject as a variable and query active directory to retrieve administrator password for that machine then reply back to same “sender” with requested password immediatelyThis makes it very easy to get any password (of course with restrictions in mind by who can request) at any time without the need to call service desk or call admins and in same time keeping flexible logging capabilities for tracking purposes like to know who requested for which machine at which time.

Script

Following script can be used and run in many ways including a as a scheduled task

Pre-requisites to run successfully run the script:

  1. download and install the Exchange Web Services Managed API. from here
  2. Download laps and install laps management tools. from here
  3. Create dedicated mailbox to receive requests from technicians (in this script mailbox created called “LAPS”
  4. Create a folder in that mailbox called “processed” where all processed requested emails will be moved to.

first we will import module and set reference objects like credentials and ewsservice as well as EWS URL to easily reference it laterImport-Module -Name 

Import-Module -Name "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"
$Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials("laps","XXXXXX","domain.com")
$exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
$exchService.Credentials = $Credentials
$exchService.Url = "https://mail.domain.com/EWS/Exchange.asmx"
$PSEmailServer = "smtpserver.domain.com"