LAPS – the Local Administrator Password Solution

Scenario

LAPS – the Local Administrator Password Solution – is a Microsoft framework that allows system administrators to remove shared local administrator passwords from their estate and replace them with a randomly assigned complex password that is stored on a per-machine basis in two new Active Directory attributes.

These attributes store the password and the password expiry date.

When LAPS is installed, a client component is added that allows the domain controller to manage client passwords. A simple UI tool which queries the AD attributes is also available. Its output typically looks like this:

Normally the password expiry is one month out from its creation, so each month the password will change. Tachyon complements LAPS nicely by providing a workflow for accessing devices using LAPS credentials.
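As an added illustration of the mechanism described above (not code from the product pack or from Tachyon), the Python below audits the per-machine expiry value that LAPS writes to Active Directory, flagging machines whose password has not rotated, machines that were never enrolled, and machines whose expiry sits further out than the monthly policy. It assumes the records come from an AD export and that the expiry attribute is ms-Mcs-AdmPwdExpirationTime, stored as a decimal Windows FILETIME; the sample records are constructed.

```python
"""Audit LAPS password-expiry attributes exported from Active Directory.

Added example, not part of the product pack. Assumption: the expiry lives in
ms-Mcs-AdmPwdExpirationTime as a Windows FILETIME, i.e. the number of
100-nanosecond intervals since 1601-01-01 UTC, held as a decimal string.
A past expiry means the client failed to rotate; an absent value means the
machine never received LAPS; a far-future value means someone overrode policy.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=31)  # monthly rotation: anything beyond this is suspect


def filetime_to_datetime(value: str) -> datetime:
    """Convert a decimal FILETIME string to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(dt: datetime) -> str:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return str((dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10)


def audit_laps(records, now: datetime) -> dict:
    """Classify each computer as ok / expired / not-managed / expiry-beyond-policy."""
    result = {}
    for rec in records:
        raw = rec.get("ms-Mcs-AdmPwdExpirationTime")
        if not raw:
            result[rec["name"]] = "not-managed"      # attribute never populated
            continue
        expires = filetime_to_datetime(raw)
        if expires <= now:
            result[rec["name"]] = "expired"          # client did not rotate
        elif expires - now > MAX_AGE:
            result[rec["name"]] = "expiry-beyond-policy"  # manual far-future expiry
        else:
            result[rec["name"]] = "ok"
    return result


# Constructed sample export; the device names echo the scenario above.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_EXPORT = [
    {"name": "WKSSC001", "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(SAMPLE_NOW + timedelta(days=12))},
    {"name": "WKSSV001", "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(SAMPLE_NOW - timedelta(days=3))},
    {"name": "WKSSC002"},
    {"name": "WKSSC003", "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(SAMPLE_NOW + timedelta(days=400))},
]


def run_sample() -> dict:
    """Audit the constructed export at the constructed reference time."""
    return audit_laps(SAMPLE_EXPORT, SAMPLE_NOW)
```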

The product pack contains a single action, which is associated with a task, so that it can be invoked directly from the UI.

Product Pack notes:

LAPS: Request access to device using local account for user currently logged on to

  • Request access to device WKSSC001 using local account administrator for user urth\joe.smith currently logged on to WKSSV001
    This means that:

    • The user urth\joe.smith would like to log on to the device WKSSC001 using the LAPS local administrator password (for the local administrator account).
    • He is currently logged on to a device WKSSV001, which may or may not be the device from which he is launching the Tachyon action.
    • Joe possesses a privileged account (urth\joe.smith.admin) that he uses ONLY for retrieving LAPS passwords. He is not logged on currently as this account.
    • Tachyon will enforce workflow so that someone (let’s say, Bill, Joe’s boss) will approve Joe’s request.
