Enterprise Operations Guide
Management of password of local Administrator account
Version 7.2.0.0

Prepared by: Tom Ausburne, Jiri Formacek, Zbigniew Kukowski, Petr Plodik, Maciej Perkowski

Table of Contents

1 Quick Start Guide
  1.1 Requirements
    1.1.1 Admin Tools
    1.1.2 Client
    1.1.3 Password Decryption Server
2 Installation
  2.1 Management Computers
  2.2 Managed Clients
3 AD Preparation
  3.1 Modifying the Schema
    3.1.1 Multi-Forest Support
  3.2 AD Permissions model
  3.3 Extended rights
  3.4 Permissions
    3.4.1 Adding Permissions for PDS
    3.4.2 Adding AD permissions for managed machines
    3.4.3 Adding Password Reader Rights
    3.4.4 Adding Password Resetter Rights
    3.4.5 Multi-Forest Support
4 Password Decryption Service
  4.1 Keypairs
  4.2 Service Account Discovery
  4.3 Auditing of CryptoKeyStorage folder
  4.4 Multi-Forest Support
5 Group Policy
  5.1 Enable Local Admin Password Solution
  5.2 Changing the Group Policy Settings
    5.2.1 Multi-forest Support
6 Managing Clients
  6.1 Viewing password settings in Active Directory Users and Computers
  6.2 Fat Client
    6.2.1 Standalone Installation
    6.2.2 Fat Client Network Installation
    6.2.3 Fat Client Active Directory Users & Computers Integration
  6.3 Retrieving passwords with PowerShell
  6.4 Password Maintenance
    6.4.1 Resetting the Password
    6.4.2 Managing Password History
  6.5 Web Portal
    6.5.1 IIS prerequisites
    6.5.2 Kerberos Constrained Delegation configuration
    6.5.3 Web Portal installation
    6.5.4 Creating the WebPortal website
    6.5.5 Modifying the WebPortal Webpage
7 Auditing
8 Troubleshooting
  8.1 Event Logging and Auditing
    8.1.1 Client Logging
    8.1.2 Client Event IDs
    8.1.3 LAPS Service Logging
  8.2 Problem Scenarios

1 Quick Start Guide

The following is a list of the major steps that need to be completed to install LAPS-E. Commands are single lines and have been wrapped for readability. Detailed information for each step is located in the referenced section.

1. Install Management Tools (2 Installation)
   Msiexec /i LAPS.Ent.Setup.<platform>.msi ADDLOCAL=Management.PS,Management.ADMX,Management.UI
2. Modify the Active Directory Schema (3.1 Modifying the Schema)
   Update-AdmPwdADSchema
3. Create Groups and add members (3.4 Permissions)
4. Add Service Account Permissions (3.4.1 Adding Permissions for PDS)
   Set-AdmPwdServiceAccountPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Decryption Service Servers Group>
5. Add Machine Rights (3.4.2 Adding AD permissions for managed machines)
   Set-AdmPwdComputerSelfPermission -Identity <name of the OU to delegate permissions>
6. Add Password Reader Rights (3.4.3 Adding Password Reader Rights)
   Set-AdmPwdReadPasswordPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Readers Group>
7. Add Password Resetter Rights (3.4.4 Adding Password Resetter Rights)
   Set-AdmPwdResetPasswordPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Resetters Group>
8. Install Password Decryption Service (4 Password Decryption Service)
9. Generate keypairs (4.1 Keypairs)
   New-AdmPwdKeyPair -KeySize <Keysize of 1024, 2048 or 4096>
10. Edit Group Policy (5 Group Policy)
11. Distribute Software to clients (2.2 Managed Clients)

1.1 Requirements

1.1.1 Admin Tools
- .NET Framework 4.0
- PowerShell 3.0 or newer for command line management
- IIS 7 or newer for Web UI

1.1.2 Client
- Only x86 and x64 supported (no Itanium, no ARM)
- Any supported Windows client and server Operating System

1.1.3 Password Decryption Server
- Dedicated server (preferred but not mandatory)
- Virtualization supported
- Server sizing: any CPU and RAM that supports Windows

2 Installation

There are three parts to the installation:
- the management computers
- the clients you want to manage
- the Password Decryption Service

The installation of binaries and related files is handled by the MSI package. This will install the following:
- GPO CSE: must be present on each managed machine
- Management tools:
  o Fat client UI
  o PowerShell module AdmPwd.PS
  o Group Policy Editor admin templates
- Password decryption service

The default behaviour is to install the CSE only. The management tools are installed on demand.
File Reference

CSE
The installation for the CSE is done to folder %ProgramFiles%\AdmPwd\CSE:
- AdmPwd.dll

Fat Client UI
The installation for the Fat client UI is done to folder %ProgramFiles%\AdmPwd:
- AdmPwd.ServiceUtils.dll
- AdmPwd.UI.exe
- AdmPwd.Utils.config
- AdmPwd.Utils.dll

PowerShell Module
The installation for the PowerShell module is done to folder %WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS:
- AdmPwd.PS.dll
- AdmPwd.PS.format.ps1xml
- AdmPwd.PS.psd1
- AdmPwd.ServiceUtils.dll
- AdmPwd.Utils.config
- AdmPwd.Utils.dll
and to folder %WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\en-US:
- AdmPwd.PS.dll-Help.xml

Group Policy template
The installation for the Group Policy files is done to folder %WINDIR%\PolicyDefinitions:
- LAPS.E.admx
and to folder %WINDIR%\PolicyDefinitions\en-US:
- LAPS.E.adml

Password Decryption Service
The installation for the PDS files is done to folder %ProgramFiles%\AdmPwd\Svc:
- AdmPwd.PS.dll
- AdmPwd.Service.exe
- AdmPwd.Service.exe.config
- AdmPwd.Service.Messages.dll
- AdmPwd.Utils.config
- AdmPwd.Utils.dll

2.1 Management Computers

Extract the files from Installers.zip to a folder. There will be two files, LAPS.Ent.Setup.x64.msi and LAPS.Ent.Setup.x86.msi. Copy these files to a working directory. Double click on the appropriate file to get started. Click Next. For the first machine you should enable all of the management tools. Click Next. Click Install. Click Finish.

2.2 Managed Clients

This installation uses the same install files, LAPS.Ent.Setup.x64.msi and LAPS.Ent.Setup.x86.msi, as on the management computers. These can be installed, updated or uninstalled on clients using a variety of methods, including the Software Installation feature of Group Policy, SCCM, login scripts and manual install. There are many command line options available to automate installation. For a complete list please refer to the Technical Specifications.
An example that does a silent install and creates a custom local Administrator account is:

msiexec /i LAPS.Ent.Setup.<platform>.msi CUSTOMADMINNAME=<name of new admin account> PROTECTBUILTINADMIN=true /q

Using the CUSTOMADMINNAME and PROTECTBUILTINADMIN parameters will create a new local administrator account and set the existing Administrator's password to a complex random password.

Installation using Software Installation feature of Group Policy

Before the Group Policy is created, MSI transform files (MST) must be created with modifications of the MSI properties, e.g. using the Orca tool:
Open the Orca tool and open the MSI file.
Start New Transformation.
From the list on the left select Property. On the right there will be properties to edit: CUSTOMADMINNAME and PROTECTBUILTINADMIN.
  CUSTOMADMINNAME - type the name of the new local administrator account to be created.
  PROTECTBUILTINADMIN - type true to randomize the existing Administrator's password.
Generate the Transformation file.

Note: The transformation file has to be created separately for the x64 and x86 versions of the MSI files.

Create and edit a new GPO, go to Computer Configuration/Policies/Software Settings/Software Installation and create a new Package.

Note: Two separate packages must be created: x86 and x64.

Select the package; it must be available on a network share accessible by all computers. Select Advanced. In the main window select the Modifications tab. Add the modification (MST) file prepared earlier for the specific package and click OK.

For the x86 package the entire procedure needs to be repeated in the same way with one exception: after adding the x86 specific MST file, click Advanced Deployment Options and deselect "Make this 32-bit X86 application available to Win64 machines."

Link the policy to the OU(s) with managed computers.

Note: To enhance security you can disable the local Administrator account using group policy.
To do so, open Group Policy Management Editor, navigate to Computer Policy | Windows Settings | Security Settings | Local policies | Security Options and then set the "Accounts: Administrator account status" setting to Disabled.

Once this is installed you can see it in Programs and Features.

A minimal install can be accomplished by copying AdmPwd.dll to the target computer and using this command:

regsvr32.exe AdmPwd.dll

Note: If you install by just registering the DLL it will not show up in Programs and Features.

Important: This installation option does not create the custom admin account and does not randomize the password of the built-in admin account. Those actions are available only via MSI installation.

3 AD Preparation

All actions below need to be performed from a management machine with the PowerShell module installed.

3.1 Modifying the Schema

The Active Directory Schema needs to be extended by three new attributes that store the password of the built-in Administrator account for each computer, the timestamp of password expiration and the previous passwords for each computer. All three attributes are added to the may-contain attribute set of the computer class.
- ms-MCS-AdmPwd - Stores the current password
- ms-MCS-AdmPwdExpirationTime - Stores the time to reset the password
- ms-MCS-AdmPwdHistory - Stores previous passwords

To update the Schema you first need to import the PowerShell module. Open an Administrative PowerShell window and use this command:

Import-module AdmPwd.PS

Note: The PowerShell module (AdmPwd.PS) is installed to the $pshome\Modules\AdmPwd.PS folder. The module is compiled for use with .NET Framework 4.0; however, it is also compatible with .NET Framework 2.0. On Windows 2008 R2, PowerShell below 3.0 (1.0 or 2.0) uses .NET 2.0 even when .NET 4.0 is available.
In such a case it is recommended to install PS 3.0 (http://www.microsoft.com/en-us/download/details.aspx?id=34595) or create a custom powershell.exe.config that includes the following section:

<?xml version="1.0"?>
<configuration>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0.30319"/>
    <supportedRuntime version="v2.0.50727"/>
  </startup>
</configuration>

Update the Schema with this command:

Update-AdmPwdADSchema

3.1.1 Multi-Forest Support

The solution supports the delegation of permissions across forests, and the administrative tools allow specifying the DNS names of the forests in which to look for the computer account to retrieve and reset passwords. To enable multi-forest support, the Schema must be updated in each forest separately. Install the PowerShell module and repeat the Schema modification in each forest to be managed.

3.2 AD Permissions model

This is a summary of the AD permissions on the three attributes necessary for successful operation of the solution:
- SELF:
  o Read/write ExpirationTime
  o Write Password and Password history
- PDS Service account(s):
  o Read/write Expiration time
  o Read Password and Password history
- AD administrators:
  o Read/Write Password History

Other user accounts do not need any explicit permissions on any of those attributes. AD interaction is done via PDS and authorized using the newly created extended permissions (see next chapter).

Note: If you have an RODC installed in the environment and you need to replicate the values of the attributes ms-MCS-AdmPwd and ms-MCS-AdmPwdHistory to the RODC, you will need to change the 10th bit of the searchFlags attribute value of the ms-MCS-AdmPwd schema object to 0 (subtract 512 from the current value of the searchFlags attribute). For more information on adding attributes to the RODC Filtered Attribute Set, please refer to http://technet.microsoft.com/en-us/library/cc754794(v=WS.10).aspx.
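The searchFlags note above can be checked and, if needed, applied from PowerShell. The following is an added example, not part of the guide or the AdmPwd.PS module: it decodes the searchFlags bits of the three LAPS attributes (so you can confirm the password attribute is marked confidential, bit 128, and see whether bit 512 excludes it from RODC replication) and clears bit 512 on the schema master when asked. It assumes the ActiveDirectory module, Schema Admins membership for the change, and the attribute names given in 3.1.

```powershell
# Added example (not from the LAPS-E guide): inspect the searchFlags of the LAPS
# schema attributes and, if requested, clear the RODC-filtered bit (512) exactly as
# the note describes (subtract 512). Needs the ActiveDirectory module; the change
# additionally needs Schema Admins rights and is written to the schema master.
Import-Module ActiveDirectory

# searchFlags bit values as documented for the AD schema.
$SearchFlagBits = [ordered]@{
    fATTINDEX              = 1
    fPDNTATTINDEX          = 2
    fANR                   = 4
    fPRESERVEONDELETE      = 8
    fCOPY                  = 16
    fTUPLEINDEX            = 32
    fSUBTREEATTINDEX       = 64
    fCONFIDENTIAL          = 128
    fNEVERVALUEAUDIT       = 256
    fRODCFilteredAttribute = 512
}

function Get-AdmPwdSchemaSearchFlags {
    # One object per LAPS attribute: raw searchFlags plus decoded flag names, so you can
    # verify the attribute is confidential (128) and whether it is RODC-filtered (512).
    param(
        [string[]] $AttributeName = @('ms-MCS-AdmPwd', 'ms-MCS-AdmPwdHistory', 'ms-MCS-AdmPwdExpirationTime')
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeName) {
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties searchFlags
        if (-not $attr) { Write-Warning "Schema attribute $name not found (schema not extended?)"; continue }
        $flags = [int]$attr.searchFlags
        $names = @($SearchFlagBits.GetEnumerator() | Where-Object { $flags -band $_.Value } | ForEach-Object { $_.Key })
        [pscustomobject]@{
            Attribute         = $name
            SearchFlags       = $flags
            Flags             = $names -join ','
            Confidential      = [bool]($flags -band 128)
            RodcFiltered      = [bool]($flags -band 512)
            DistinguishedName = $attr.DistinguishedName
        }
    }
}

function Clear-AdmPwdRodcFilter {
    # Clears bit 512 (RODC filtered attribute set) on one attribute. Supports -WhatIf and
    # -Confirm because this is a schema modification.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string] $AttributeName)

    $info = Get-AdmPwdSchemaSearchFlags -AttributeName $AttributeName
    if (-not $info) { return }
    if (-not $info.RodcFiltered) { Write-Verbose "$AttributeName already replicates to RODCs"; return $info }

    $newFlags     = $info.SearchFlags - 512          # the guide's "subtract 512"
    $schemaMaster = (Get-ADForest).SchemaMaster
    if ($PSCmdlet.ShouldProcess("$AttributeName on $schemaMaster", "Set searchFlags $($info.SearchFlags) -> $newFlags")) {
        Set-ADObject -Identity $info.DistinguishedName -Replace @{ searchFlags = $newFlags } -Server $schemaMaster
    }
    Get-AdmPwdSchemaSearchFlags -AttributeName $AttributeName
}

# Report the current state; ms-MCS-AdmPwd is expected to show Confidential = True.
Get-AdmPwdSchemaSearchFlags | Format-Table Attribute, SearchFlags, Confidential, RodcFiltered, Flags -AutoSize
# Only when RODC replication of the password attribute is really wanted:
# Clear-AdmPwdRodcFilter -AttributeName 'ms-MCS-AdmPwd' -WhatIf
```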
3.3 Extended rights

Two new extended rights are created in the Configuration Partition that are applicable to the computer object. These rights are created when the Schema is updated:
- Read Local admin password
- Reset Local admin password

The new permissions are used to authorize the Read and Reset admin password operations for admin accounts on specific computers: holders of those permissions are allowed to read and reset the admin password on specific computers. By default, no one is granted any of those permissions (not even Domain Admins). Delegation of permissions needs to be done as part of the initial setup. PowerShell commands exist to simplify delegation of permissions (see 3.4.3 and 3.4.4 for details).

3.4 Permissions

The Active Directory infrastructure offers advanced tools for implementing the security model of this solution by allowing per-attribute Access Control Lists (ACLs) and by implementing confidential attributes for password storage. The solution manages permissions in the following way: the ability to Read and Reset the Password is controlled by extended permissions applying to computer objects instead of by direct permissions to read/write AD attributes of computer objects.

Generally, for solution implementation, three roles need to be implemented:
- Password Decryption Service role: has permission to directly interact with AD
- Password Reader role: has permission to read admin passwords via PDS
- Password Resetter role: has permission to reset admin passwords via PDS

Best practice is to implement those roles by AD groups, so there are three groups that need to be created and membership populated. Group names are not specific and can be anything that works for your organization.
For this example we will use these:
- LAPS Servers (Machines running the Password Decryption Service)
- LAPS Readers (Users who need to read the Local Administrator Passwords)
- LAPS Resetters (Users who need to reset the Local Administrator Password)

Note: If more granular delegation of rights is required, additional groups may need to be created.

Note: The Schema update needs to be in place before adding permissions.

3.4.1 Adding Permissions for PDS

There is a PowerShell cmdlet for granting permissions to the Password Decryption Service to read and write information to Active Directory. This service runs under NETWORK SERVICE by default. You may need to run Import-module AdmPwd.PS if this is a new window.

Set-AdmPwdServiceAccountPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Decryption Group>

Note: <name of the OU to delegate permissions> is expected to work for any OU provided that the OU name is unique. Otherwise <Distinguished Name of the OU to delegate permissions> should be used.

Repeat this procedure for any additional OUs that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers.

If you are running the Password Decryption Service on a Domain Controller you need to also delegate the Service Account permission to NETWORK SERVICE, as the Domain Controller tends to access the local instance of Active Directory in the security context of the NETWORK SERVICE account rather than the computer account.

Set-AdmPwdServiceAccountPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals "NETWORK SERVICE"

Note: Be sure to reboot the machine(s) running the Password Decryption Service after making them members of the group.

3.4.2 Adding AD permissions for managed machines

Managed machines access Active Directory using the special well-known account SELF, so the necessary permissions (see 3.2 for details) have to be added to the SELF well-known account.
This is required so the machine can update the password and expiration timestamp of its own built-in Administrator account on its own computer account in AD. This is done using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window.

Set-AdmPwdComputerSelfPermission -Identity <name of the OU to delegate permissions>

Repeat this procedure for any additional OUs that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers.

3.4.3 Adding Password Reader Rights

Add the extended permission Read Local Admin Password to the group that will be allowed to read the local administrator's password for managed computers. This is done using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window.

Set-AdmPwdReadPasswordPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Readers Group>

Use the same -Identity name(s) as in the previous command.

3.4.4 Adding Password Resetter Rights

Add the extended permission Reset Local Admin Password to the group that will be allowed to reset the password of the local admin account for managed computers. This is done using PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window.

Set-AdmPwdResetPasswordPermission -Identity <name of the OU to delegate permissions> -AllowedPrincipals <name of Password Resetters Group>

Use the same -Identity name(s) as in the previous commands.

3.4.5 Multi-Forest Support

Delegating rights between forests for the PDS and password Reader and Resetter groups is supported using Global and Universal groups only. Specify the AllowedPrincipals using the "domain\group" syntax when granting rights to users and groups in other domains.
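The four delegations of 3.4.1 to 3.4.4 are normally repeated per OU, and since 3.3 states that nobody holds the two extended rights by default, it is worth verifying afterwards who does. The following is an added example, not code from the guide: it applies the guide's cmdlets to a list of OUs and then resolves the rights "Read Local admin password" and "Reset Local admin password" from the Configuration partition to list the ACEs granting them. The OU distinguished names are assumptions, the group names are those of the example above, and the ActiveDirectory module is required for the verification part.

```powershell
# Added example (not from the LAPS-E guide): delegation of sections 3.4.1-3.4.4 for
# every in-scope OU, followed by an ACL report of who holds the two extended rights.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ous = @(
    'OU=Workstations,DC=contoso,DC=com',   # assumed OU DNs (DNs avoid the unique-name caveat of 3.4.1)
    'OU=Servers,DC=contoso,DC=com'
)
$PdsGroup      = 'LAPS Servers'     # group names from the guide's example
$ReaderGroup   = 'LAPS Readers'
$ResetterGroup = 'LAPS Resetters'

function Grant-LapsDelegation {
    # Applies the four delegations to one OU. Use -PdsOnDomainController when PDS runs
    # on a DC, which is the NETWORK SERVICE case described in 3.4.1.
    param(
        [Parameter(Mandatory)][string] $OuDn,
        [switch] $PdsOnDomainController
    )
    Set-AdmPwdServiceAccountPermission -Identity $OuDn -AllowedPrincipals $PdsGroup
    if ($PdsOnDomainController) {
        Set-AdmPwdServiceAccountPermission -Identity $OuDn -AllowedPrincipals 'NETWORK SERVICE'
    }
    Set-AdmPwdComputerSelfPermission  -Identity $OuDn
    Set-AdmPwdReadPasswordPermission  -Identity $OuDn -AllowedPrincipals $ReaderGroup
    Set-AdmPwdResetPasswordPermission -Identity $OuDn -AllowedPrincipals $ResetterGroup
}

function Get-LapsExtendedRightGuid {
    # Resolves a control access right's rightsGuid by its display name (names from section 3.3).
    param([Parameter(Mandatory)][string] $DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found; has the schema been updated?" }
    [guid]$right.rightsGuid
}

function Get-LapsDelegationReport {
    # Lists the principals holding the Read/Reset extended rights on an OU. Anything listed
    # here was delegated explicitly, since nobody holds these rights by default.
    param([Parameter(Mandatory)][string] $OuDn)
    $rights = @{
        Read  = Get-LapsExtendedRightGuid 'Read Local admin password'
        Reset = Get-LapsExtendedRightGuid 'Reset Local admin password'
    }
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        # Only ACEs carrying the ExtendedRight bit and one of the two GUIDs are relevant.
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        foreach ($name in $rights.Keys) {
            if ($ace.ObjectType -eq $rights[$name]) {
                [pscustomobject]@{
                    OU          = $OuDn
                    Right       = $name
                    Principal   = $ace.IdentityReference.Value
                    AccessType  = $ace.AccessControlType
                    Inherited   = $ace.IsInherited
                    Inheritance = $ace.InheritanceType
                }
            }
        }
    }
}

foreach ($ou in $Ous) {
    Grant-LapsDelegation -OuDn $ou
    Get-LapsDelegationReport -OuDn $ou | Format-Table -AutoSize
}
```

Run the report alone (without Grant-LapsDelegation) on a schedule to detect delegations that were added outside this procedure.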
4 Password Decryption Service

The responsibilities of the Password Decryption Service are:
- Maintain the RSA key pairs used for encryption and decryption of the local admin passwords stored in AD
- Read and decrypt local admin passwords for eligible users
- Perform resets of local admin passwords on behalf of eligible users

The Password Decryption Service thus handles some interactions with the AD infrastructure. Computers do not read directly from Active Directory; they only write directly. Instead, the Password Decryption Service maintains the decryption keys and is responsible for password reads and decryption, and for password resets. The Password Decryption Service runs under the NETWORK SERVICE account by default, so it accesses Active Directory as the computer account of the machine it is running on. It uses its own security context and does not perform delegation. The data transfer between PDS and AD and between PDS and its clients is encrypted with Kerberos encryption. By default the PDS service listens for client requests on port 61184/tcp (configurable).

Note: When the Password Decryption Service is hosted on a Domain Controller it accesses the DC as NETWORK SERVICE rather than as the computer account.

The Password Decryption Service is installable from the same MSI packages as the management tools and client side: LAPS.Ent.Setup.x64.msi and LAPS.Ent.Setup.x86.msi.

4.1 Keypairs

To store encrypted passwords in Active Directory, a key pair must be created. For security, only the Key Admin role can generate a new key pair. (By default the Key Admin role is defined as an Enterprise Admin. This is configurable in the AdmPwd.Service.exe.config file.) Key pairs are generated using PowerShell.
Upon request to generate keys, two files will be created in the configured location:
- one file contains the public key and should be distributed to managed machines via GPO
- one file contains the private key and is used by the Password Decryption machine(s)

The size of the generated keys is configurable; the default minimum is 1024 bit. To generate a new key pair use PowerShell. You may need to run Import-module AdmPwd.PS if this is a new window.

New-AdmPwdKeyPair -KeySize <Keysize of 1024, 2048 or 4096>

Key pairs are stored on the file system of the first machine running the Password Decryption Service.

Note: These keys will need to be manually copied to any additional machines running the Password Decryption Service.

To view the public key, use PowerShell to export it to a text file. You may need to run Import-module AdmPwd.PS if this is a new window.

Get-AdmPwdPublicKey <keyId> | Export-csv <filename>

The public encryption key is the text located between the quotation marks in the exported file. Copy the encryption key to the appropriate Group Policy (see chapter 5.2 for details on configuring the GPO).

4.2 Service Account Discovery

There is no need to configure clients to find the service. Autodiscovery is done via SRV records automatically maintained by the Password Decryption Service.

Note: When PDS is running under the NETWORK SERVICE account (the default), the first instance of PDS installed takes ownership of the SRV record, preventing other PDS instances from maintaining their data on the SRV record. It is necessary to grant the PDS role group in AD the necessary permissions on the SRV record in DNS.

After granting the necessary permissions on the SRV record to the group containing all PDS server accounts (e.g. LAPS Servers), additional instances of PDS may be implemented to allow High Availability using the DNS round robin load balancing mechanism. Additional SRV records are created automatically.
4.3 Auditing of CryptoKeyStorage folder

It is recommended to configure auditing of access to the C:\Program Files\AdmPwd\Svc\CryptoKeyStorage folder on all PDS servers.

Create a new GPO. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access.
Configure Audit File System to audit Success events.
Apply the GPO to the PDS servers OU, refresh group policies on the PDS servers and confirm that the policy is applied.
On the PDS server(s) navigate to C:\Program Files\AdmPwd\Svc\.
Right click on the CryptoKeyStorage folder and select Properties.
On the Security tab click Advanced.
On the Auditing tab select Continue.
Click Add.
Click Select Principal.
Type Everyone and accept.
Select Success from the Type drop-down list, make sure that Applies to is set to "This folder, subfolders and files", select Full control in the Basic Permissions section and approve all changes.
Open the CryptoKeyStorage folder.
Open Event Viewer, navigate to the Security log and confirm that events were created.

Note: Events will be recorded on any access to the folder, subfolders and files, including events generated e.g. by backup software and by the PDS service itself; the PDS service account (NETWORK SERVICE by default) has read/write access to the folder to maintain key pairs and reads the files at every password query.

Note: Setup grants Full control permission on the CryptoKeyStorage folder to SYSTEM, NETWORK SERVICE and Administrators only. Permission inheritance is disabled. Manually modify permissions on the folder in cases where additional security principals are required to access the folder.

4.4 Multi-Forest Support

The Password Decryption Service (PDS) servers in multi-forest deployments should be placed in the forest and domain that contains the user accounts. If users are located in multiple domains/forests, then place the PDS in the domain/forest that contains the largest number of users. The PDS creates its SRV record automatically in the domain where it is located.
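Returning to the audit configuration of 4.3: the SACL set through the Properties dialog can be applied with PowerShell on every PDS server, and the resulting Security log entries can be reviewed with the PDS service's own accesses filtered out, as the note there says NETWORK SERVICE touches the files on every password query. The following is an added example, not from the guide: it assumes the default CryptoKeyStorage path from the guide, that "Audit File System" has been enabled by GPO as described, and uses event ID 4663 (the Windows file-system object access event).

```powershell
# Added example (not from the LAPS-E guide): the section 4.3 SACL applied by script,
# plus a reader for the resulting Security-log events that drops the PDS service
# account's own accesses (NETWORK SERVICE), which are expected on every password query.
# Event ID 4663 is the Windows object-access audit event; the "Audit File System"
# subcategory must already be enabled by GPO, as the guide describes.
$KeyStore = 'C:\Program Files\AdmPwd\Svc\CryptoKeyStorage'

function Set-CryptoKeyStorageAudit {
    # Adds the audit entry from the guide: Everyone, Success, Full control,
    # applies to "This folder, subfolders and files". Run elevated.
    param([string] $Path = $KeyStore)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the audit rules now in place so the change can be verified.
    (Get-Acl -Path $Path -Audit).Audit
}

function Get-CryptoKeyStorageAccess {
    # Returns 4663 events under the key store, minus the accounts in -ExcludeAccount.
    # Whatever remains is an access by something other than the PDS service itself.
    param(
        [string]   $Path = $KeyStore,
        [datetime] $Since = (Get-Date).AddDays(-1),
        [string[]] $ExcludeAccount = @('NETWORK SERVICE')
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -notlike "$Path*") { continue }
        if ($ExcludeAccount -contains $data.SubjectUserName) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process    = $data.ProcessName
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
        }
    }
}

# Apply the SACL once, then review who else has been reading the key material.
Set-CryptoKeyStorageAudit | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
Get-CryptoKeyStorageAccess | Sort-Object Time | Format-Table -AutoSize
```

Add your backup software's service account to -ExcludeAccount once you have confirmed its access pattern, so that the remaining output is worth a daily look.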
If domain names are specified in the PDS configuration file, PDS creates SRV records in all specified domains (provided that the PDS service account has permission to create DNS records in each of the domains). Each created record looks like this (record parameters are specified in the PDS configuration file as well):

It is also supported to create SRV records in DNS manually as static records.

5 Group Policy

Group Policy is used to enable the local admin password solution and to configure various settings. For GPO maintenance, the ADMX template needs to be installed on the machine on which the Group Policy Management Console (GPMC) is running.

Important: In environments where a Central Group Policy store is used, the solution's ADMX template needs to be present in the Central GPO store instead of on the local machine with GPMC.

When properly configured, a new folder "LAPS Enterprise" appears in the GPO editor under Computer policy.

5.1 Enable Local Admin Password Solution

To start managing computers, enable the password management setting and link the policy to the OU you want to manage. This setting associates the client side GPO extension with the GPO and allows the CSE to perform local admin account management tasks.

5.2 Changing the Group Policy Settings

By default this solution generates a random password with maximum password complexity, 12 characters long, and changes the password every 30 days. You can change the values to suit your needs by editing a Group Policy. These settings are located under Computer Configuration\Administrative Templates\LAPS Enterprise\Managed clients. You can change the individual password settings to fit your needs.

Note: Password settings in the GPO must follow the domain Password Policy, else the OS will block password changes to passwords that are too simple to meet the requirements of that policy. Alternatively, the password complexity requirement for local accounts can be adjusted accordingly.
If you have created a custom local admin account on managed machines, you will want to configure its name in Group Policy.

Note: DO NOT configure this when you use the built-in admin account, even if you renamed it. That account is auto-detected by its well-known SID. DO configure it when you use a custom local admin account.

Protection against manual changes of passwords for the managed account is enabled by default. If anyone manually changes the password, this change is detected during the next GPO refresh and a password change is immediately enforced.

Enabling this setting prevents setting a password expiration that is longer than specified in the Password Settings.

Password History is not maintained by default. To enable Password History, enable this policy.

Enable this policy to store the password encrypted and specify the Encryption key. (Please see section 4.1 for details on generating the key.)

5.2.1 Multi-forest Support

To define the lists of Active Directory forests supported by the administrative tools, enable the policy and list the forests.

6 Managing Clients

6.1 Viewing password settings in Active Directory Users and Computers

Once everything is configured and Group Policy has refreshed on the clients, you can look at the properties of the computer object and see the new settings. The password can be stored encrypted or unencrypted. Encrypted passwords contain a keyID prefix.

Ex: Unencrypted Password
Ex: Encrypted Password

The Expiration time is stored as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601 until the date/time that is being stored. The time is always stored in Greenwich Mean Time (GMT) in Active Directory. If you want to manually convert it use this command:

w32tm /ntte <number you want to convert>

What happens if a user who has not been granted rights to see the local Administrator's password tries to access it? If they were to gain access to the GUI interface the password will not be displayed.
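The expiration value described above is a Windows FILETIME, so it can be converted in bulk rather than one value at a time with w32tm /ntte. The following is an added example, not code from the guide or the AdmPwd.PS module: it decodes ms-MCS-AdmPwdExpirationTime for every computer in an OU and flags the two conditions an operator cares about, an expiration already in the past (the CSE has not applied the reset) and one further out than the policy allows (the 5.2 default of 30 days is assumed as the maximum). Only the expiration attribute is read, never the password; the OU distinguished name is an assumption, and the ActiveDirectory module is required.

```powershell
# Added example (not from the LAPS-E guide): decodes ms-MCS-AdmPwdExpirationTime
# (100-ns intervals since 1601-01-01 00:00 UTC, i.e. a Windows FILETIME) the way
# "w32tm /ntte" does, and reports computers whose expiration is already past or
# further out than the policy permits. Reads only the expiration attribute.
# The OU DN and the 30-day maximum are assumptions; 30 days is the guide's default.
Import-Module ActiveDirectory

function ConvertFrom-AdmPwdExpirationTime {
    # FILETIME -> DateTime (UTC). Missing or zero means the value was never set.
    param($FileTime)
    if (-not $FileTime -or [int64]$FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$FileTime)
}

function ConvertTo-AdmPwdExpirationTime {
    # DateTime -> FILETIME, the inverse, for comparing against a planned expiration.
    param([Parameter(Mandatory)][datetime] $Date)
    $Date.ToUniversalTime().ToFileTimeUtc()
}

function Get-AdmPwdExpirationReport {
    param(
        [Parameter(Mandatory)][string] $SearchBase,   # OU DN, assumed
        [int] $MaxAgeDays = 30                        # guide default: password changes every 30 days
    )
    $now   = (Get-Date).ToUniversalTime()
    $limit = $now.AddDays($MaxAgeDays)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-MCS-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-MCS-AdmPwdExpirationTime'
            $exp = ConvertFrom-AdmPwdExpirationTime $raw
            $state = if (-not $exp)           { 'NeverSet' }      # CSE never ran or GPO not applied
                     elseif ($exp -lt $now)   { 'Expired' }       # reset is due but has not happened
                     elseif ($exp -gt $limit) { 'BeyondPolicy' }  # longer than the policy permits
                     else                     { 'OK' }
            [pscustomobject]@{
                Computer      = $_.Name
                ExpirationUtc = $exp
                RawFileTime   = $raw
                State         = $state
            }
        }
}

# The epoch stated in the guide: 0 intervals is 1601-01-01 00:00:00 UTC.
[DateTime]::FromFileTimeUtc(0)

Get-AdmPwdExpirationReport -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
    Where-Object State -ne 'OK' | Sort-Object State, Computer | Format-Table -AutoSize
```

A persistent 'Expired' state on a machine that is online usually means the CSE is not installed or the GPO is not linked to its OU (sections 2.2 and 5.1).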
If they have installed the RSAT tools and run Active Directory Users and Computers (ADUC) to view the password, it will show as <not set>. This information is not seen because only the Decryption Service can read the password. Membership in the Password Readers group tells the service that it is allowed to reveal the password to the user.

6.2 Fat Client

There is a graphical interface available (Fat Client) that can be installed standalone, on a network share or as an add-in to Active Directory Users and Computers.

6.2.1 Standalone Installation

When you install the program on a computer where you want the ability to easily retrieve the password, just select the Fat client UI option. The program you want to run is C:\Program Files\AdmPwd\AdmPwd.UI.exe. It will be in the menu (the entry looks different on Windows 7). Launch the interface, enter the client name and click Search.

6.2.2 Fat Client Network Installation

The Fat Client supports running from network shares. To do so, copy all the files contained in the install folder (without subfolders) to a network share. Users can then run the UI from the network share without the need to install the UI on their machines.

Note: The UI running from a network share caches itself completely in the %TEMP% folder and updates the cached copy of the files every time it finds that the network copy has been updated.

6.2.3 Fat Client Active Directory Users & Computers Integration

To be able to launch the Fat Client from Active Directory Users and Computers, you need to install the Fat Client on one machine and copy the following files to a network share with high availability.

%ProgramFiles%\AdmPwd files: AdmPwd.ServiceUtils.dll, AdmPwd.UI.exe, AdmPwd.Utils.config and AdmPwd.Utils.dll

In this example the files were copied to the NETLOGON share in SYSVOL.

Open ADSIEdit.msc as a Schema Admin and choose Connect To... Choose "Select a well known Naming Context" and pick Configuration.
Navigate to: CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=<domain>,DC=<domainsuffix>

Note: When you run a display language other than English (US), locate the container that holds the display specifiers for your language.

Right-click CN=computer-Display and select Properties. Choose the adminContextMenu attribute and double-click to edit it. Type the following string, modifying the position number and network location:

<position>,LocalAdmin…,<network_location_of_FatClientUI>\AdmPwd.UI.exe

and click Add. Example:

2,AdmPwd...,\\contoso.com\SYSVOL\contoso.com\scripts\AdmPwd\AdmPwd.UI.exe

Note: Depending on your environment, your position number may vary.

Verify that the position is added and click OK.

After completing the above steps you should verify that the Active Directory console has an additional context menu for a computer object. Selecting the new menu option should now open the Fat Client from the network share.

Note: You may receive a warning the first time you launch the Fat Client from a network share. To resolve this, add file://*.<domain>.<domainextension> to the Local Intranet zone in Internet Explorer. In this example we used: file://*.contoso.com

6.3 Retrieving passwords with PowerShell

You can also get the password using PowerShell. You may need to run Import-Module AdmPwd.PS if this is a new window.

Get-AdmPwdPassword -ComputerName <computername>
Get-AdmPwdPassword -ComputerName <computername> -IncludeHistory | select -expand PasswordHistory

6.4 Password Maintenance

6.4.1 Resetting the Password

To manually reset the password, click the Set button. The password reset request can be either immediate (click Set with the current date and time) or planned (put the desired expiration time into the New expiration time field). The password will be reset during the next GPO update after the expiration time has passed on the respective computer.

You can also reset the password using PowerShell.
Reset-AdmPwdPassword -ComputerName <computername> [-WhenEffective <date time>]

Note: If the [-WhenEffective <date time>] parameter is omitted, the password reset is effective from now.

6.4.2 Managing Password History

Managing the number of passwords that are stored in Active Directory is done using PowerShell. Passwords can be limited by date or by the total number of stored passwords. It is the responsibility of the AD administrator to maintain the password history and to decide which passwords that are no longer needed should be deleted. The solution itself never deletes any passwords.

Note: The person performing this operation needs read/write permission on the password history AD attribute. This operation interacts directly with AD; it is not routed via PDS.

To keep the last (x) passwords:

Update-AdmPwdPasswordHistory -ComputerName:<ComputerName> -KeepLast:10

To keep all the passwords newer than a specific date:

Update-AdmPwdPasswordHistory -ComputerName:<ComputerName> -KeepNewerThan:<Date>

Note: A wildcard character can be used in place of <ComputerName>.

6.5 Web Portal

Reading and resetting the local Administrator password, and also the management of decryption keys, can be done through the optional Web Portal. The Web Portal makes calls into PDS for its operation and uses Kerberos Constrained Delegation (KCD) to pass the caller's identity into PDS for proper authorization of requests.

6.5.1 IIS prerequisites

Generally, the Web Portal relies on the following IIS components:

• Windows authentication
• ASP.NET
• .NET Extensibility
• .NET Framework 4 or newer

The screenshots below show the required components of IIS running on Windows 2012 R2.

6.5.2 Kerberos Constrained Delegation configuration

A separate domain account is needed for the Application Pool of the Web Portal. Once the account is created, an SPN for the http service will need to be registered so the account can be configured as Trusted for Delegation.
To register SPNs for the AppPool account use the following syntax:

setspn -S SPN accountname

Example:

setspn -S HTTP/websitename.contoso.com LAPS_IIS
setspn -S http/websitename LAPS_IIS

Note: The same website name must be used in the next steps: issuing a certificate, creating and configuring the WebPortal website on the IIS server(s), and adding the A record(s) of the website to DNS.

Set "Trust this user for delegation to specified services only (Kerberos only)" for the account created, and specify the service HOST/<PDS machine name> (or multiple HOST/<PDS machine names> if more than one PDS server is installed).

Important: The setup above is for PDS running under the NETWORK SERVICE account. When running PDS under a domain account, the custom SPN "Svc/AdmPwd" needs to be registered with the PDS service account and delegation needs to be configured to delegate to this SPN. For details, see the Technical specification document.

6.5.3 Web Portal installation

For Web Portal installation, copy the files for AdmPwdPortal to a local directory.

Issue a certificate for the web site name (FQDN and short name) for HTTPS connections. The website certificate should have the following properties (e.g. LAPSWEB and LAPSWEB.contoso.com):

Subject Alternative Name:
• DNS=NETBIOS name of the web site
• DNS=FQDN of the web site

For more information about requesting a certificate: How to Request a Certificate With a Custom Subject Alternative Name, http://technet.microsoft.com/en-us/library/ff625722(v=WS.10).aspx

6.5.4 Creating the WebPortal website

The following sections describe how to use the Appcmd.exe tool to create and configure the WebPortal for LAPS. This assumes a dedicated IIS server with no other websites running on it. All commands are a single line and are broken into multiple lines below for readability only.
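A pre-flight check of the prerequisites from 6.5.2 and 6.5.3 before the site is created, as an added example that is not part of this guide or of the LAPS tooling. It verifies that both SPNs are on the AppPool account and on no other object, that delegation is constrained to HOST/<PDS> for every PDS server using Kerberos only, and that a certificate with both SAN names is in the machine store. It assumes the ActiveDirectory RSAT module on the IIS server; LAPS_IIS, LAPSWEB.contoso.com, PDS01 and PDS02 are placeholder names.

```powershell
# Added example (not part of the LAPS guide): verify the prerequisites from 6.5.2 and
# 6.5.3 before creating the site. Checks that both SPNs are on the AppPool account, that
# delegation is constrained to HOST/<PDS> for every PDS server, and that the certificate
# in the local machine store carries both SAN names. Account and host names below are
# placeholders for this example. Requires the ActiveDirectory RSAT module on the IIS box.
Import-Module ActiveDirectory

function Test-LapsPortalPrereqs {
    param(
        [Parameter(Mandatory)][string]  $AppPoolAccount,   # e.g. LAPS_IIS
        [Parameter(Mandatory)][string]  $SiteFqdn,         # e.g. LAPSWEB.contoso.com
        [Parameter(Mandatory)][string[]]$PdsServers        # NetBIOS names of the PDS hosts
    )
    $siteShort = $SiteFqdn.Split('.')[0]
    $acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName,'msDS-AllowedToDelegateTo',TrustedToAuthForDelegation

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Both SPN forms from 6.5.2 must be registered on the AppPool account (not the
    #    computer account), because useAppPoolCredentials is enabled later in 6.5.4.
    $spns = @($acct.servicePrincipalName)
    foreach ($want in "HTTP/$SiteFqdn", "HTTP/$siteShort") {
        if (-not ($spns | Where-Object { $_ -ieq $want })) {
            $findings.Add("missing SPN $want on $AppPoolAccount")
        }
    }
    # A duplicate SPN on another object breaks Kerberos for the site
    $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$SiteFqdn)" |
        Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    if ($dup) { $findings.Add("duplicate SPN HTTP/$SiteFqdn also on $($dup.DistinguishedName)") }

    # 2. Constrained delegation to HOST/<PDS> (the NETWORK SERVICE case from 6.5.2).
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    foreach ($pds in $PdsServers) {
        if (-not ($allowed | Where-Object { $_ -ilike "HOST/$pds*" })) {
            $findings.Add("no delegation target HOST/$pds configured")
        }
    }
    # TrustedToAuthForDelegation means protocol transition ("any protocol"), not Kerberos only
    if ($acct.TrustedToAuthForDelegation) {
        $findings.Add("delegation allows any protocol; expected Kerberos only")
    }

    # 3. A certificate with both SAN entries, so both bindings created in 6.5.4 validate.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.DnsNameList.Unicode -contains $SiteFqdn -and $_.DnsNameList.Unicode -contains $siteShort
    } | Select-Object -First 1
    if (-not $cert) { $findings.Add("no certificate in LocalMachine\My with SAN $siteShort and $SiteFqdn") }

    [pscustomobject]@{
        Ready      = ($findings.Count -eq 0)
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }   # value for the SslBindings step
        Findings   = $findings
    }
}

Test-LapsPortalPrereqs -AppPoolAccount 'LAPS_IIS' -SiteFqdn 'LAPSWEB.contoso.com' -PdsServers 'PDS01','PDS02'
```

Run it on the IIS server as a user who can read the AppPool account; a Ready value of $true with an empty Findings list means the appcmd steps that follow can be executed as written, and Thumbprint is the value to use in the SslBindings step.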
Add new website:

appcmd add site /name:"websitename" /id:2 /physicalPath:"filepath" /bindings:"https/*:443:netbiosname,https/*:443:fqdn"

Create the App Pool:

appcmd add apppool /name:poolname /managedRuntimeVersion:v4.0 /managedPipelineMode:Integrated

Make the AppPool use the dedicated AppPool account created above:

appcmd set config /section:applicationPools /[name='poolname'].processModel.identityType:SpecificUser /[name='poolname'].processModel.userName:contoso\apppoolaccount /[name='poolname'].processModel.password:<password, same as set earlier for the AppPool account of the Web Portal>

Change the App Pool of the website:

appcmd set site /site.name:websitename /[path='/'].applicationPool:apppoolname

Change the behaviour of IIS to use the SPN registered with the application pool identity instead of the SPN registered with the computer account:

appcmd set config /section:system.webServer/security/authentication/windowsAuthentication /useAppPoolCredentials:true

Disable Anonymous authentication:

appcmd set config "websitename" /section:anonymousAuthentication /enabled:false /commit:apphost

Enable Windows authentication:

appcmd set config "websitename" /section:windowsAuthentication /enabled:true /commit:apphost

Assign a certificate to the website for HTTP over SSL. This will use the certificate created above. We need to find the thumbprint of the certificate and assign it to the IP:Port of the IIS binding. This can be done in PowerShell. For a deeper look into how this works: http://www.iis.net/learn/manage/powershell/powershell-snap-in-configuring-ssl-with-the-iispowershell-snap-in

dir cert:\localmachine\my
Import-Module WebAdministration
Set-Location IIS:\
cd SslBindings
get-item cert:\LocalMachine\MY\certificatethumbprint | new-item 0.0.0.0!443

Add A records of the website to DNS:

dnscmd dnsserver /RecordAdd zonename websitename A IPaddress_of_IIS

A round robin load balancing mechanism can be used for IIS high availability.
After deploying additional IIS server(s), additional A record(s) with the same websitename need to be created in DNS.

6.5.5 Modifying the WebPortal Webpage

The WebPortal is ASP.NET WebForms based and is fully flexible in terms of graphics and style. Updating any part of the HTML and CSS can easily be done. The files you can modify are:

• Site.master: master page with logo placeholder, CSS link and favicon.ico
• Default.aspx: the only aspx page in the project; a slightly modified default ASP.NET design template
• Controls folder: contains 3 ascx controls for user details, key management and the recovery part. Fully editable in terms of design
• Styles folder: one CSS file with all the colors, fonts, etc.

An example of changing the company logo and company name is shown below (screenshots of the original webpage and Site.master, and of the updated webpage and Site.master).

7 Auditing

Auditing of users who query for the local administrator password of a computer can be accomplished by reviewing the LAPS Service Event log located under Applications and Services Logs.

8 Troubleshooting

This solution generates a variety of logging options for troubleshooting purposes.

8.1 Event Logging and Auditing

8.1.1 Client Logging

The CSE logs all events in the Application Event Log of the local computer. Log messages are English only, but they can be localized or an additional language can be added if necessary.

The amount of events that are logged is configurable via the following registry REG_DWORD value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel

This value is not present by default and must be added. Possible values are as follows:

Value | Meaning
----- | -------
0 | Silent mode; log errors only. When no error occurs, no information is logged about CSE activity. This is the default value.
1 | Log errors and warnings
2 | Verbose mode; log everything

8.1.2 Client Event IDs

The Event source for all events reported by CSE is always "AdmPwd".
Events are written into the Application event log. The following table summarizes the events that can occur there:

ID | Severity | Description | Comment
-- | -------- | ----------- | -------
2 | Error | Could not get computer object from AD. Error %1 | Logged when CSE is not able to connect to the computer account of the local computer in AD. %1 is a placeholder for the error code returned by the function that retrieves the local computer name and converts it to a DN.
3 | Error | Could not get local Administrator account. Error %1 | Logged when CSE is not able to connect to the built-in Administrator account. %1 is a placeholder for the error code returned by the function that detects the name of the local administrator account.
4 | Error | Could not get password expiration timestamp from computer account in AD. Error %1. | Logged when CSE is not able to read the value of ms-MCS-AdmPwdExpirationTime of the computer account in AD. %1 is a placeholder for the error code returned by the function that reads the value of the attribute and converts it to the unsigned __int64 type.
6 | Error | Could not create new password. Error %1. | Logged when CSE for any reason (typically a failure to initialize/use the random number generator) cannot create a new password for the local admin account.
7 | Error | Could not encrypt password. Error %1. | Logged in any of the following situations: CSE cannot locate the public key in the registry; the public key blob stored in GPO is invalid; the RSA CSP is not able to encrypt the password.
8 | Error | Could not write changed password to AD. Error %1. | Logged when CSE is not able to report the new password and timestamp to AD. %1 is a placeholder for the error code returned by the LDAP search request.
9 | Error | Could not reset local Administrator's password. Error %1 | Logged when CSE is not able to reset the password of the built-in Administrator account. %1 is a placeholder for the error returned by the NetUserSetInfo API call.
10 | Warning | Password expiration too long for computer (%1 days, %2 hours). Resetting password now. | Logged when CSE detects that the password expiration for the computer is longer than allowed by the policy in place while protection against excessive password age is turned on.
11 | Warning | Password was manipulated with since last check (%1 seconds after regular password change). Resetting password now. | Logged when CSE detects that the password of the managed local administrator account was changed manually.
12 | Error | Could not check if password is in sync with AD. Error %1. | Logged when CSE is not able to detect the password age of the managed local administrator account. %1 is a placeholder for the error returned by the NetUserGetInfo() API call.
1 | Information | Beginning processing | CSE signals that it was called by the GPO framework.
2 | Information | It is not necessary to change password yet. Days to change: %1. | Logged after CSE detects that it is not yet time to reset the password. %1 is a placeholder for the number of 24-hour intervals remaining until the password will be reset.
7 | Information | Local Administrator's password has been successfully encrypted. | Logged when the password is successfully encrypted.
8 | Information | Local Administrator's password has been reported to AD. | Logged after CSE reports the password and timestamp to AD.
9 | Information | Local Administrator's password has been changed. | Logged after CSE resets the password of the built-in Administrator account.
11 | Information | Admin password was not manipulated with (%1) | Logged when CSE detects that the password of the managed local administrator account was not manipulated with. %1 is a placeholder for the difference between the expected and real password age, in seconds. The accepted difference is up to 3 seconds.
100 | Information | Finished successfully | Logged after CSE has performed all required tasks and is about to finish.
101 | Information | Admin account management not enabled, exiting | Logged when admin account management is not enabled and CSE is not allowed to work.

Note: Generally, all events with severity "Error" are blocking. When any error occurs, no other tasks are performed and CSE terminates processing.

8.1.3 LAPS Service Logging

The Password Decryption Service (PDS) logs its activity into a dedicated Windows Event log: Application and Service logs\LAPS Password Decryption Service. Events logged by PDS fall into 2 categories:

• Operational
• Audit

Operational

ID | Severity | Description | Comment
-- | -------- | ----------- | -------
100 | Success | Service started |
101 | Success | Service stopped |
102 | Success | Autodiscover record updated | Logged every time PDS successfully updates its DNS SRV record.
102 | Error | Failed to update Autodiscover record. Error: %1 | Logged when PDS fails to update its DNS SRV record. Contains error data from the low-level DNS API.
103 | Success | Autodiscover record removed | Logged when PDS removes its DNS SRV record. Only happens when the SrvRecordUnregisterOnShutdown parameter is set to TRUE.
103 | Error | Failed to remove Autodiscover record. Error: %1 | Logged when PDS fails to remove its DNS SRV record.
104 | Information | Registering autodiscover SRV record with following: Domain: %1 Host: %2 Port: %3 Priority: %4 Weight: %5 TTL: %6 | Logged before registration of the DNS SRV record. Shows the parameters of the SRV record being registered.
105 | Warning | Expiration time exists but password empty. This typically happens when service does not have properly configured permissions in AD. Please verify configuration and if needed, fix permissions via Set-AdmPwdServiceAccountPermission cmdlet. Computer: %1 User: %2 | Logged when the service detects that the response for a local admin password retrieval contains the timestamp of the password expiration, but not the password itself. This notifies the administrator of the solution that PDS may not have enough permissions to read the password from AD.
106 | Success | Key pair loaded. Id: %1 | Logged when PDS loads a key pair.
106 | Warning | Public key not found for private key. Server will still be able to decrypt passwords encrypted by public key, however you should consider key replacement. Id: %1 | Logged when PDS finds a private key without a corresponding public key in the key store.
107 | Warning | File based keystore does not exist. No keys will be loaded. Keystore folder: %1 | Logged when the configuration of PDS points to a non-existing folder for the file system based keystore.
108 | Error | Error during Autodiscover registration/unregistration. Error: %1 | Logged when PDS fails to register or unregister the SRV record due to invalid configuration (such as when the TTL of the record in the config file is not a number).

Audit

ID | Severity | Description | Comment
-- | -------- | ----------- | -------
1000 | Informational | Admin password retrieved. Forest: %1 Computer: %2 User: %3 |
1000 | Warning | Failed to retrieve admin password. Forest: %1 Computer: %2 User: %3 Error: %4 | Includes the scenario where the user requesting the password retrieval does not have the permission granted.
1001 | Informational | Admin password reset. Forest: %1 Computer: %2 User: %3 Expiration time: %4 | Expiration time contains the expiration time specified by the user in the request. For immediate expiration, the current time is sent.
1001 | Warning | Failed to reset admin password. Forest: %1 Computer: %2 User: %3 Error: %4 | Includes the scenario where the user requesting the password reset does not have the permission granted.
1002 | Informational | Key pair generated. User: %1 KeyID: %2 |
1002 | Warning | Failed to generate key pair. User: %1 Error: %2 | Includes the scenario where the user requesting key pair generation is not a member of the Key Admin role.

8.2 Problem Scenarios

Symptom: Client gets Event ID 7, "Could not encrypt password. Error 0x8007000d." in the Event log.
Solution: This event is logged in any of the following situations: CSE cannot locate the public key in the registry; the public key blob stored in GPO is invalid; the RSA CSP is not able to encrypt the password. Review section 3.1 Keypairs for more information.

Symptom: The password is not displayed after clicking Search even though the password expiration may be shown.
Solution: The machine(s) that were added to the Password decryption group weren't rebooted after being added, or the person viewing this hasn't been added to the Readers group.

Symptom: After running the Schema update, the new attributes aren't showing in the computer properties.
Solution: If the status of the Schema update was successful, you may be experiencing replication issues or latency. In larger environments this attribute population may take some time to propagate.

Symptom: When trying to retrieve the password of a managed computer you receive the error "None of the discovered services seems to be reachable".
Solution: Make sure that the machines running the Password Decryption Service are running and reachable and that the SRV record is in DNS. There should be a separate record for each Password Decryption Server. This can also be a symptom of a mismatched SPN between the PDS and the management computers' configuration when PDS is running under a domain account.
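A triage script for the logging described in 8.1, as an added example that is not part of this guide or of the LAPS tooling. It sets the CSE debug level from 8.1.1 on the local client, pulls the CSE events from the Application log and labels them from the table in 8.1.2 (keyed on ID and level, because IDs such as 2, 7, 8, 9 and 11 are reused for an Error and an Information event), and lists PDS audit events 1000 to 1002 from 8.1.3 per user and outcome. The event-log name passed to Get-WinEvent for the PDS log is an assumption derived from the log path in 8.1.3, and the mapping of %1, %2, %3 to the event's insertion strings in table order is also assumed.

```powershell
# Added example (not part of the LAPS guide): triage of the logging described in 8.1.
# - raises the CSE debug level on the local client (registry value from 8.1.1)
# - reads CSE events from the Application log, labelled from the table in 8.1.2
# - summarises PDS audit events (8.1.3) by user and outcome
# The PDS log name is assumed from the log path in 8.1.3 (check Get-WinEvent -ListLog *LAPS*
# if it differs). Run the client part elevated on a managed machine.

$CseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

function Set-LapsClientDebugLevel {
    # 0 = errors only (the default when the value is absent), 1 = errors and warnings, 2 = verbose
    param([ValidateSet(0, 1, 2)][int]$Level = 2)
    New-ItemProperty -Path $CseKey -Name ExtensionDebugLevel -PropertyType DWord -Value $Level -Force | Out-Null
    (Get-ItemProperty -Path $CseKey -Name ExtensionDebugLevel).ExtensionDebugLevel
}

# Client IDs are reused across severities (2 = Error "could not get computer object", but
# 2 = Information "not necessary to change yet"), so key the lookup on "ID/level".
# Event level numbers: 2 = Error, 3 = Warning, 4 = Information.
$CseMeaning = @{
    '2/2'   = 'Could not get computer object from AD'
    '3/2'   = 'Could not get local Administrator account'
    '4/2'   = 'Could not read ms-MCS-AdmPwdExpirationTime from AD'
    '6/2'   = 'Could not create new password (random number generator failure)'
    '7/2'   = 'Could not encrypt password (public key missing/invalid, or RSA CSP failure)'
    '8/2'   = 'Could not write password and timestamp to AD'
    '9/2'   = 'Could not reset local Administrator password (NetUserSetInfo)'
    '12/2'  = 'Could not check if password is in sync with AD (NetUserGetInfo)'
    '10/3'  = 'Password expiration too long; resetting now'
    '11/3'  = 'Password manipulated since last check; resetting now'
    '1/4'   = 'Beginning processing'
    '2/4'   = 'Not yet time to change the password'
    '7/4'   = 'Password encrypted'
    '8/4'   = 'Password reported to AD'
    '9/4'   = 'Password changed'
    '11/4'  = 'Password not manipulated'
    '100/4' = 'Finished successfully'
    '101/4' = 'Admin account management not enabled'
}

function Get-LapsClientEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'AdmPwd'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "$($_.Id)/$($_.Level)"
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            Meaning = if ($CseMeaning.ContainsKey($key)) { $CseMeaning[$key] } else { '(see table 8.1.2)' }
            Message = $_.Message
        }
    }
}

# PDS side: who retrieved or reset which password, and which requests were refused.
# 1000 = retrieve, 1001 = reset, 1002 = key pair; level 3 (Warning) marks the failures.
# Assumes the %1, %2, %3 placeholders map to Properties[0..2] in the order of the 8.1.3 table.
function Get-LapsPdsAudit {
    param([string]$PdsLogName = 'LAPS Password Decryption Service',   # assumed log name
          [int]$Hours = 24)
    $filter = @{ LogName = $PdsLogName; Id = 1000, 1001, 1002; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = @($_.Properties | ForEach-Object Value)
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Action   = switch ($_.Id) { 1000 { 'retrieve' } 1001 { 'reset' } 1002 { 'keygen' } }
            Outcome  = if ($_.Level -eq 3) { 'FAILED' } else { 'ok' }
            User     = if ($_.Id -eq 1002) { $p[0] } else { $p[2] }
            Computer = if ($_.Id -eq 1002) { $null } else { $p[1] }
        }
    }
}

Set-LapsClientDebugLevel -Level 2
Get-LapsClientEvents | Format-Table -AutoSize
Get-LapsPdsAudit | Group-Object User, Outcome | Select-Object Count, Name
```

On a client, a sequence such as 1, 2/Information, 100 in Get-LapsClientEvents is the healthy "nothing to do yet" run, while any Error row is blocking per the note in 8.1.2 and is the first thing to read against the symptoms in 8.2. On the PDS, a high count of FAILED rows for one user in Get-LapsPdsAudit is the audit signal from section 7: repeated requests by someone who is not a Password Reader.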