Microsoft LAPS: Lab vs Production

I have been looking into managing our local machine admin accounts for a while now, and as luck would have it Microsoft recently released their Local Administrator Password Solution (LAPS).

The folks over at flamingkeys.com have a great write-up on installing LAPS.  Microsoft themselves also provide useful documentation in their LAPS Operations Guide, although they didn’t make it obvious where to find this document.  Using a combination of these resources, I was able to set up LAPS in my lab environment, and although a little tedious to set up, everything worked well.  Then I tried to set it up in production…

Gotcha #1:  Finding Microsoft’s Documentation

Granted, this one is probably a minor gotcha in the grand scheme of things.  If you go to Microsoft’s download page for LAPS you will find the software, and in my case I expanded the Install Instructions header and saw a reference to the Operations Guide.  I found myself scratching my head though as to where this guide could be found.  As it turns out, once you click on Download, you are presented with a list of files to download.  In addition to both x86 and x64 versions of the installers, there are some Word documents, including the Operations Guide.  I felt a little dumb after that.

Gotcha #2:  Are you updated?

In researching this, somewhere I read to make sure that your server is patched and updated.  My lab server is running Server 2012 R2.  Everything went fine with it.  My production server is running Server 2008 R2.  It gets regular updates from WSUS, so I figured everything would be fine.  Wrong…

First, make sure you are running a current version of PowerShell.  We were running version 2.  I went ahead and updated to PowerShell 4.  Version 3 may work, I don’t know.  I just decided to use version 4 since it’s the current version, and was also the version running on my 2012 R2 lab server.

Second, you may need to update the .NET Framework.  The LAPS UI needs .NET 4.0 to run.  It conveniently does not tell you this until after the install, when you try to run it for the first time.  But wait…  If you are going to install PowerShell 4 (Windows Management Framework 4.0), you will need .NET 4.5 for that, so you might as well jump straight to that version.
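As an added check (this is not code from the original post), the following PowerShell snippet reports both prerequisites from this gotcha before you run the LAPS installer on an older server.  It assumes Microsoft’s documented way of detecting .NET 4.5 and later: the `Release` DWORD under the `NDP\v4\Full` registry key, where 378389 is the value for 4.5 (a plain 4.0 install has only the `Version` value there).  It deliberately avoids anything newer than PowerShell 2 syntax so it runs on the box that still needs upgrading.

```powershell
# Added example, not from the original post: check the PowerShell and .NET Framework
# prerequisites from this gotcha on a Server 2008 R2 machine before installing LAPS.
# Assumption: .NET 4.5+ is identified by the 'Release' DWORD under the v4\Full key,
# as Microsoft documents (378389 = 4.5); a bare .NET 4.0 install has only 'Version'.

function Test-LapsPrerequisites {
    # $PSVersionTable exists from PowerShell 2.0 on, which is what 2008 R2 ships with.
    $psMajor = $PSVersionTable.PSVersion.Major

    # The v4\Full key is absent when no 4.x framework is installed at all.
    $ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (Test-Path $ndpKey) {
        $ndp          = Get-ItemProperty -Path $ndpKey
        $dotNetVer    = $ndp.Version
        $dotNet40Ok   = $true                                              # enough for the LAPS UI
        $dotNet45Ok   = ($null -ne $ndp.Release -and $ndp.Release -ge 378389)  # needed for WMF 4.0
    } else {
        $dotNetVer    = 'none'
        $dotNet40Ok   = $false
        $dotNet45Ok   = $false
    }

    # New-Object PSObject works on PowerShell 2; [pscustomobject] would not.
    New-Object PSObject -Property @{
        PowerShellMajor = $psMajor
        PowerShellOk    = ($psMajor -ge 4)
        DotNetVersion   = $dotNetVer
        DotNet40Ok      = $dotNet40Ok   # LAPS UI requirement
        DotNet45Ok      = $dotNet45Ok   # WMF 4.0 (PowerShell 4) requirement
    }
}

$check = Test-LapsPrerequisites
$check | Format-List

if (-not $check.DotNet40Ok) { Write-Warning 'The LAPS UI will not start: .NET Framework 4.0 or later is missing.' }
if (-not $check.DotNet45Ok) { Write-Warning 'Install .NET Framework 4.5 before Windows Management Framework 4.0.' }
if (-not $check.PowerShellOk) { Write-Warning "PowerShell $($check.PowerShellMajor) found; install Windows Management Framework 4.0 after .NET 4.5." }
```

Run it in an elevated PowerShell window; if all three `Ok` fields come back `True` the order-of-operations problem above (the .NET 4.5 install has to come before WMF 4.0) has already been taken care of.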

Gotcha #3:  The Administrative Template Won’t Install

When you run the LAPS installer, you are given the option of installing the Group Policy administrative template.  For some reason on my server, this just didn’t work.  And I hate to say it, but I’m not sure why.  I have my suspicions, but I got it to work, and that’s the important thing.

To do this, I installed the administrative templates on my local machine.  I then manually copied the files to the central store.  If you are not familiar with this process (or just need a refresher like I did), first find these two files on your local machine:

Now, copy them to their respective locations on your central store:
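The same copy, done from PowerShell rather than by hand, as an added example that is not the post’s own code.  It assumes the two template files are `AdmPwd.admx` and its `en-US\AdmPwd.adml` language file (the names the LAPS installer uses under `%SystemRoot%\PolicyDefinitions`), that the central store lives at the standard `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` path, and that you are logged on to a workstation with PowerShell 4 (for `Get-FileHash`) and rights to write to SYSVOL.

```powershell
# Added example, not from the original post: copy the LAPS administrative template from a
# machine where the LAPS installer placed it into the domain's Group Policy central store,
# creating the store and language folder if they do not exist yet, and verify the copy.
# Assumptions: files are AdmPwd.admx and en-US\AdmPwd.adml (LAPS installer names); the
# domain name comes from the logon session; Get-FileHash needs PowerShell 4 or later.

$domain       = $env:USERDNSDOMAIN                              # e.g. corp.example.com (assumed)
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$lang         = 'en-US'

# Local source file -> destination folder in the central store
$templateFiles = @(
    @{ Source = (Join-Path $localStore 'AdmPwd.admx');       Dest = $centralStore },
    @{ Source = (Join-Path $localStore "$lang\AdmPwd.adml"); Dest = (Join-Path $centralStore $lang) }
)

foreach ($f in $templateFiles) {
    if (-not (Test-Path $f.Source)) {
        throw "Missing $($f.Source): re-run the LAPS installer locally with the GPO templates feature selected."
    }
    if (-not (Test-Path $f.Dest)) {
        # First template in the domain: create PolicyDefinitions (and the language folder)
        New-Item -ItemType Directory -Path $f.Dest | Out-Null
    }
    Copy-Item -Path $f.Source -Destination $f.Dest -Force

    # Compare hashes so a stale or partially written copy on SYSVOL is noticed now,
    # not later when the GPO editor shows old or missing LAPS settings.
    $copied  = Join-Path $f.Dest (Split-Path $f.Source -Leaf)
    $srcHash = (Get-FileHash -Path $f.Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $copied   -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $copied" }
    Write-Host "OK  $copied"
}
```

Once both files are in place, a freshly opened Group Policy Management Editor picks the template up from the central store and shows the LAPS settings under Computer Configuration > Policies > Administrative Templates.  If a template of the same name is already present on SYSVOL, the `-Force` overwrites it, so check the version you are replacing first if other admins may have put a newer one there.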

Gotcha #4:  The password is not updating

This is another one that made me feel dumb after I realized what was going on.  When I set up the password policy in production, I dialed the complexity down for testing purposes with the intention of changing it back once I was sure that everything was working.  I set the length to 8 and the complexity to large (uppercase) letters only.  When I set up LAPS in the lab, the generated passwords were a pain in the butt to type in, so I wanted to keep it simple for now.

After doing this, I found that everything else seemed to be working, but a password was not being generated for my test machine.  I looked into the logs of the machine, and found this:

Validation failed for new local admin password against local password policy. Error 0x80070a90.

I didn’t even have to look it up.  The password was being generated, but before setting it the LAPS client validates the new password against the password policy in force on the machine itself, and an 8-character, uppercase-only password fails any local policy that requires complexity or a longer minimum length.  Once I dialed the password complexity settings back up, everything worked like it was supposed to.  The rule to take away is that the LAPS length and complexity settings must be at least as strict as the password policy your domain applies to the machine, and in production there is no good reason to drop them below the LAPS defaults (14 characters, all four character classes) just to make the password easier to type.
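To catch this mismatch on a managed machine without waiting for the next failed password change, here is an added diagnostic (not code from the original post) that compares the LAPS settings Group Policy delivered with the machine’s own local password policy and lists any recent validation failures.  It assumes the registry values LAPS uses under `HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd` (`PasswordLength`, and `PasswordComplexity` where 1 is uppercase only, 2 adds lowercase, 3 adds digits and 4 adds specials; the defaults of 14 and 4 apply when the GPO leaves them unset), that `secedit.exe` exports `MinimumPasswordLength` and `PasswordComplexity` in its `[System Access]` section, and that the LAPS client writes to the Application log under the provider name `AdmPwd` (that provider name is an assumption here).

```powershell
# Added example, not from the original post: compare the LAPS policy applied to this machine
# with the machine's effective local password policy, the mismatch that produces the
# "Validation failed for new local admin password against local password policy" event.
# Assumptions: LAPS registry values under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd
# (PasswordLength, PasswordComplexity 1-4; defaults 14 and 4); secedit's [System Access]
# export; LAPS client events in the Application log with provider name 'AdmPwd' (assumed).

function Get-LocalPasswordPolicy {
    # secedit needs an elevated prompt; export only the account/password policy area.
    $inf = Join-Path $env:TEMP 'laps-secpol.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $text = Get-Content $inf
    Remove-Item $inf
    $minLen  = ($text | Select-String '^MinimumPasswordLength\s*=\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    $complex = ($text | Select-String '^PasswordComplexity\s*=\s*(\d+)'    | Select-Object -First 1).Matches[0].Groups[1].Value
    New-Object PSObject -Property @{
        MinimumPasswordLength = [int]$minLen
        PasswordComplexity    = [int]$complex   # 1 = Windows complexity rules enforced
    }
}

function Test-LapsPolicyAgainstLocal {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (-not (Test-Path $key)) {
        throw 'No LAPS policy is applied to this machine; run gpupdate /force and check the GPO link.'
    }
    $laps     = Get-ItemProperty -Path $key
    $lapsLen  = if ($null -ne $laps.PasswordLength)     { [int]$laps.PasswordLength }     else { 14 }
    $lapsCplx = if ($null -ne $laps.PasswordComplexity) { [int]$laps.PasswordComplexity } else { 4 }
    $local    = Get-LocalPasswordPolicy

    $problems = @()
    if ($lapsLen -lt $local.MinimumPasswordLength) {
        $problems += "LAPS PasswordLength $lapsLen is shorter than the local MinimumPasswordLength $($local.MinimumPasswordLength)."
    }
    # Windows complexity requires characters from three of the four classes, so LAPS
    # complexity 1 (uppercase only) or 2 (upper + lower) can never satisfy it.
    if ($local.PasswordComplexity -eq 1 -and $lapsCplx -lt 3) {
        $problems += "Local policy enforces complexity but LAPS PasswordComplexity is $lapsCplx; set it to 4 (the default)."
    }

    # Surface the most recent validation failure the LAPS client logged, if any.
    $failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
                    -MaxEvents 50 -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match 'Validation failed' })
    if ($failures.Count -gt 0) {
        $problems += "Last validation failure at $($failures[0].TimeCreated): $($failures[0].Message)"
    }
    return $problems
}

$issues = Test-LapsPolicyAgainstLocal
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'LAPS settings satisfy the local password policy.' }
```

Run it as an administrator on the client that is not getting a password.  After correcting the GPO, `gpupdate /force` on the client makes the LAPS client-side extension retry immediately, so you can re-run the script rather than wait for the next policy refresh.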


3 Comments

  1. Ryan

    Nice post. We’re looking at deploying LAPS as well. Any updates as to how everything is working now that it is has been implemented for a while?

    1. james (Post author)

      We’ve only had to use it a couple of times, but there are a couple of things that I could add.

      Since we dropped the use of the administrator account in favor of something else, it’s real easy to forget that and try and use administrator for the username. It can also be really tedious to type in those scrambled passwords.

      We also had an instance where a guy was working remotely from another state with one of our laptops. We had an issue where he needed to log in with the local admin account because it was either that or have him send the laptop back. It was nice to know that I could just set the password to expire in the LAPS UI and a new one would be generated. Or even if I forgot to do that, it would eventually expire on its own.

      1. Ryan

        Appreciate the feedback. We are going to be doing this soon.
