Identifying if LAPS is Installed on a Computer
Hello All,
Hope this post finds you in good health and spirit.
This post is regarding how we can Identifying if LAPS is Installed on a Computer.
Identifying if LAPS is Installed on a Computer
The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. When the LAPS client is installed, the Group Policy Client Side Extension (CSE) is configured on the computer. This is a DLL (admpwd.dll) located in c:\program files\LAPS\CSE and its configured in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions.
We can check for this DLL by using PowerShell
Get-ChildItem ‘c:\program files\LAPS\CSE\Admpwd.dll’
Using PowerShell v5, we can check the file hash & hashing algorithm on the DLL:
Get-FileHash ‘c:\program files\LAPS\CSE\Admpwd.dll’
Using PowerShell v5, we can check the digital signature on the DLL:
ms-mcs-AdmPwd
Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object.LAPS helps to reduce the workload and help local administrator or desktop team to manage local administrator password in active directory for a number of machines.
ms-mcs-AdmPwd – Its confidential computer attribute that stores the clear-text LAPS password.
It can only be viewed by Domain Admins by default, other ones can not view the respective object password and unlike other attributes, is not accessible by Authenticated Users. This value is blank until the LAPS password is changed.
For this security reason, delegation of the ms-mcs-AdmPwd attribute has to be carefully planned and performed and also do not replicate this attribute to RODC domain controller. Please see this article to exclude the confidential attribute from RODC replication.
ms-Mcs-AdmPwdExpirationTime
ms-Mcs-AdmPwdExpirationTime – This attribute stores the password expiration time.
This value is blank until the LAPS password is changed. When the LAPS password is changed, the value in this attribute automatically updated based on the LAPS password change threshold which is configured in the LAPS Group policy.
So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!
Recommended contents
RODC Installation Guide- Step by step guide to install read only domain controller
RODC Filtered Attribute Set
Installing and configuring a RODC in Windows Server-2012
How to find the GUID of Domain Controller
Group Policy Verification Tool GPOTool Exe
Group Policy Health Check on Specific Domain Controller
Netlogon Folder in Active Directory
Custom Attributes in Active Directory
Tombstone Lifetime of My Active Directory Forest
How to Determine a Computers AD Site From the Command Line
Active Directory Database Integrity
Disabling and Enabling the Outbound Replication
DFS Replication Service Stopped Replication
What is Strict Replication Consistency
The replication operation failed because of a schema mismatch between the servers involved
Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers
How to export replication information in txt file
Repadmin Replsummary
Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.
If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.