Local Administrator Password Solution (LAPS):
is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis. The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD.Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
LAPS Architectural Diagram:
Deployment Steps :
Security
- Random password that automatically regularly changes on managed machines
- Effective mitigation of Pass-the-hash attack
- Password is protected during the transport via Kerberos encryption
- Password is protected in AD by AD ACL, so granular security model can be easily implemented
Manageability
- Configurable password parameters: age, complexity and length
- Ability to force password reset on per-machine basis
- Security model integrated with AD ACLs
- End use UI can be any AD management tools of choice, plus custom tools (PowerShell and Fat client) are provided
- Protection against computer account deletion
- Easy implementation and minimal footprint
Requirements
- Active Directory:
- Windows 2003 SP1 and above
- Managed/Client machines:
- Windows Server 2016
- x86 or x64
- Windows Server 2012 R2 Datacenter
- Windows Server 2012 R2 Standard
- Windows Server 2012 R2 Essentials
- Windows Server 2012 R2 Foundation
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows Server 2012 Datacenter
- Windows Server 2012 Standard
- Windows Server 2012 Essentials
- Windows Server 2012 Foundation
- Windows 8 Enterprise
- Windows 8 Pro
- Windows Server 2008 R2 Service Pack 1
- Windows 7 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows Vista Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Itanium NOT supported
- Management tools:
- .NET Framework 4.0
- PowerShell 2.0 or above
https://www.microsoft.com/en-us/download/details.aspx?id=46899
