LAPS – the Local Administrator Password Solution

LAPS – the Local Administrator Password Solution – is a Microsoft framework that allows system administrators to remove shared local administrator passwords from their estate and replace them with a randomly assigned complex password that is stored on a per-machine basis in two new Active Directory attributes.

These attributes store the password and the password expiry date.

When LAPS is installed, a client component is added that allows the domain controller to manage client passwords. A simple UI tool which queries the AD attributes is also available. Its output typically looks like this:

Normally the password expiry is one month out from its creation, so each month the password will change.
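The two attributes described above can be audited without ever reading the password itself. The following Python script is an added example, not code from the page, from 1E or from Microsoft; it assumes the legacy LAPS attribute names (`ms-Mcs-AdmPwd` for the password and `ms-Mcs-AdmPwdExpirationTime` for the expiry, which is stored as a Windows FILETIME), decodes the expiry and groups computers into missing, expired, beyond-policy and current. The records, the `SRV-NOLAPS` and `SRV-ODDEXP` names and the 30-day policy value are constructed; a real run would feed it the result of an LDAP query against the computer objects.

```python
"""Audit legacy-LAPS expiry attributes on computer objects.

Added example, not code from the page or from 1E/Microsoft. Legacy LAPS stores
two attributes on each computer object: ms-Mcs-AdmPwd (the clear-text local
administrator password, readable only by principals granted access) and
ms-Mcs-AdmPwdExpirationTime (a Windows FILETIME: 100-nanosecond ticks since
1601-01-01 UTC). The audit reads only the expiry attribute, never the password.
SAMPLE_RECORDS is constructed data standing in for an LDAP query result.
"""
from datetime import datetime, timedelta, timezone

EXPIRY_ATTR = "ms-Mcs-AdmPwdExpirationTime"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a FILETIME (int, or the decimal string AD returns) to an aware UTC datetime."""
    ticks = int(value)
    if ticks < 0:
        raise ValueError("FILETIME must be non-negative")
    # One tick is 100 ns; datetime resolution is 1 us, so drop the last digit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify_computer(record, now, max_age_days=30):
    """Classify one computer's LAPS state from its expiry attribute.

    missing       - attribute absent: the LAPS client has never set a password here
    expired       - expiry is in the past: rotation is overdue
    beyond_policy - expiry further out than the policy allows (worth a look:
                    the attribute may have been set by hand)
    current       - password valid and within the configured age
    """
    raw = record.get(EXPIRY_ATTR)
    if raw in (None, ""):
        return "missing"
    expiry = filetime_to_datetime(raw)
    if expiry <= now:
        return "expired"
    if expiry > now + timedelta(days=max_age_days):
        return "beyond_policy"
    return "current"


def audit(records, now=None, max_age_days=30):
    """Group computer names by LAPS state; returns a dict of lists."""
    now = now or datetime.now(timezone.utc)
    report = {"missing": [], "expired": [], "beyond_policy": [], "current": []}
    for record in records:
        report[classify_computer(record, now, max_age_days)].append(record["name"])
    return report


# Constructed sample: the two computer names from the page plus two hypothetical
# servers, with hand-computed FILETIME values for 2024-01-01, 2024-01-31 and
# 2025-01-01 00:00 UTC.
SAMPLE_RECORDS = [
    {"name": "WKSSC001", EXPIRY_ATTR: "133485408000000000"},
    {"name": "WKSSV001", EXPIRY_ATTR: "133511328000000000"},
    {"name": "SRV-NOLAPS"},
    {"name": "SRV-ODDEXP", EXPIRY_ATTR: "133801632000000000"},
]
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for state, names in audit(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(f"{state:14} {', '.join(names) or '-'}")
```

A "missing" result means the machine is still running on whatever local administrator password it was built with, so it is the first thing to chase in a LAPS rollout; "beyond_policy" is the case where the expiry is further out than the one-month rotation the page describes, which LAPS itself can also clamp back to policy on the next client refresh.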

Product Pack notes:

Tachyon complements LAPS nicely by providing a workflow for accessing devices using LAPS credentials.

The product pack contains a single action, which is associated with a task, so that it can be invoked directly from the UI.

The action is

LAPS: Request access to device  using local account  for user  currently logged on to 


An example would be

Request access to device WKSSC001 using local account administrator for user urth\joe.smith currently logged onto WKSSV001


What this means is that:

  • The user urth\joe.smith would like to log on to the device WKSSC001 using the LAPS local administrator password (for the local administrator account).
  • He is currently logged on to a device WKSSV001, which may or may not be the device from which he is launching the Tachyon action.
  • Joe possesses a privileged account (urth\joe.smith.admin) that he uses ONLY for retrieving LAPS passwords. He is not logged on currently as this account.
  • Tachyon will enforce workflow so that someone (let’s say, Bill, Joe’s boss) will approve Joe’s request.
