Deploying Microsoft LAPS – Non-Persistent VDI

Deploying Microsoft LAPS to a non-persistent VDI environment
requires a slightly different approach from the one used for traditional machines,
especially in environments that force a reboot after user log off
(e.g. Citrix XenDesktop using PVS).

Issue

  1. Computer boots up for the first time after LAPS installation and GPO configuration
  2. The LAPS CSE reads ms-Mcs-AdmPwdExpirationTime when Group Policy is
    refreshed; it reads 0 because a password has never been set for this
    computer
  3. A new password is set on the computer, written to Active Directory, and
    the ms-Mcs-AdmPwdExpirationTime attribute is updated with an expiry
    date for the password (as per the Group Policy “password age (days)”
    setting)
  4. Computer is restarted and boots the golden image
  5. The LAPS CSE reads ms-Mcs-AdmPwdExpirationTime when Group Policy is
    refreshed; the value is now populated with the expiry time of the
    password set in step 3
  6. Computer does not update its password, because the expiry time has not been reached
  7. LAPS is not functional

Fix

Originally I looked at clearing the ms-Mcs-AdmPwdExpirationTime attribute on shutdown with VBS.

' Locate this computer's own object in Active Directory via ADSI
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo

This can also be accomplished with PowerShell, but that requires
installing the Remote Server Administration Tools on the image, which wasn’t desirable.
Running the script on shutdown was unsuccessful because of the way
Citrix Delivery Controllers manage the shutdown of the
virtual desktops, which in effect prevents the script from running. More
information here: Logoff Script is terminated early on XenDesktop. This may not be an issue for you if you are using another VDI solution.

After trying a few other methods, the following has proven to be
reliable. The VBS script sets the ms-Mcs-AdmPwdExpirationTime attribute
to 0, waits 3 minutes and then runs GPUpdate to trigger a password
update. The 3-minute pause is insurance that the
ms-Mcs-AdmPwdExpirationTime change has replicated to the other DCs
within the same site before the CSE reads it. With this method you are essentially setting a new
password and expiry date at every startup; maybe Microsoft will add
this as a feature in a future release of LAPS.

Add this to a startup script either in Group Policy or locally on the
golden image with gpedit.msc and enjoy LAPS within your VDI
environment!

LAPSVDI.vbs

' Locate this computer's own object in Active Directory via ADSI
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo
' Sleep 3 minutes
WScript.Sleep(180000)
Set WshShell = CreateObject("Wscript.Shell")
' Run GPUpdate force and target only the computer policies
Result = WshShell.Run("cmd /c echo n | gpupdate /target:computer /force",0,true)
' Exit with code
Wscript.Quit(Result)
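The post notes that the same reset can be done from PowerShell but that the ActiveDirectory module needs RSAT. As an added example (not the post's own script), the following PowerShell startup script performs the same three steps as LAPSVDI.vbs, clear the expiry, wait for replication, run gpupdate, through ADSI only, so nothing beyond the built-in .NET DirectoryServices classes is needed on the golden image. It also reads the attribute before and after, so the log shows whether the CSE actually issued a new password. Assumptions: it runs as SYSTEM at startup on a domain-joined VM whose computer account has been granted the self-write permission LAPS requires, and the parameter name $WaitSeconds is mine, not a LAPS setting.

```powershell
# Added example, not from the original post: PowerShell equivalent of LAPSVDI.vbs
# using ADSI only (no RSAT / ActiveDirectory module required).
param(
    [int]$WaitSeconds = 180,   # mirrors the 3-minute replication pause in the VBS
    [switch]$WhatIf            # report the current expiry without changing anything
)

$attr = 'ms-Mcs-AdmPwdExpirationTime'

function Get-OwnComputerEntry {
    # Find this machine's own computer object by its sAMAccountName (COMPUTERNAME$)
    # in the default naming context, then bind to it as a writable DirectoryEntry.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher = [ADSISearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    return $result.GetDirectoryEntry()
}

function Get-LapsExpiry {
    param($Entry)
    # The attribute is a LargeInteger of FILETIME ticks (100 ns since 1601, UTC).
    # 0 or absent means "expired", which is the condition the LAPS CSE acts on.
    $raw = $Entry.Properties[$attr].Value
    if ($null -eq $raw) { return $null }
    $ticks = $Entry.ConvertLargeIntegerToInt64($raw)
    if ($ticks -le 0) { return [DateTime]::MinValue }
    return [DateTime]::FromFileTimeUtc($ticks)
}

$entry = Get-OwnComputerEntry
Write-Host "[$(Get-Date -Format u)] Expiry before reset: $(Get-LapsExpiry $entry)"

if ($WhatIf) { return }

# Step 1: clear the expiry so the CSE treats the password as expired.
$entry.Put($attr, '0')
$entry.SetInfo()
Write-Host "[$(Get-Date -Format u)] $attr set to 0, waiting $WaitSeconds s for intra-site replication"

# Step 2: give the change time to reach the DC the CSE will talk to.
Start-Sleep -Seconds $WaitSeconds

# Step 3: force a computer-policy refresh; 'echo n' answers any reboot prompt, as in the VBS.
$gp = Start-Process -FilePath 'cmd.exe' `
    -ArgumentList '/c echo n | gpupdate /target:computer /force' `
    -Wait -PassThru -NoNewWindow

# Re-read the attribute: a future expiry here means a new password was written.
$entry.RefreshCache([string[]]@($attr))
Write-Host "[$(Get-Date -Format u)] Expiry after gpupdate: $(Get-LapsExpiry $entry) (gpupdate exit code $($gp.ExitCode))"
exit $gp.ExitCode
```

Run it with -WhatIf from an elevated prompt on a test VM first: if "Expiry before reset" already shows a date in the future and stays unchanged across reboots, you are seeing the exact symptom from the Issue list above.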

Download LAPS

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Deploying Microsoft LAPS – Part 1

What is LAPS?

A lot of organisations will use the same local administrator password
across all machines, which is a bad idea for a number of reasons. At a
basic level, if this password is learnt, it allows anyone to install
software as an administrator – at a higher level it facilitates things
such as pass the hash, mimikatz and general reconnaissance against your
machines (usually with the goal of elevating to Domain Admin).

If you currently deploy your local administrator account via Group
Policy Preferences, it is even easier for an attacker to obtain the shared local administrator password: the CPASSWORD value is easily searchable in SYSVOL, and Microsoft publishes the 32-byte AES key that decrypts it. Alan has a great post here on why you should stop using Group Policy Preferences for deploying local administrators.
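Before rolling out LAPS it is worth confirming that no GPO still carries a preference password. As an added example (not from the original post), this PowerShell audit walks the Policies folder in SYSVOL and lists every preference XML file that has a cpassword attribute, together with the GPO GUID and the account it applies to, so the item can be removed. It only reports the presence of the attribute; it does not decrypt anything. Assumptions: the account running it can read SYSVOL, and $Domain defaults to the current user's DNS domain.

```powershell
# Added example, not from the original post: find GPP XML files in SYSVOL
# that still contain a cpassword attribute.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

function Find-GppPasswordFiles {
    param([string]$PoliciesPath)
    # Preference file types that can embed credentials; Groups.xml is the one
    # used to push a local administrator account and password.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            # Any element carrying a cpassword attribute holds an encrypted credential.
            $hits = $doc.SelectNodes('//*[@cpassword]')
            if ($hits.Count -gt 0) {
                # The folder directly beneath Policies is the GPO's GUID.
                $gpoGuid = (($_.FullName -split '\\Policies\\')[1] -split '\\')[0]
                $accounts = foreach ($h in $hits) {
                    # Groups.xml uses userName; Services.xml uses accountName; tasks use runAs.
                    $h.GetAttribute('userName'), $h.GetAttribute('accountName'), $h.GetAttribute('runAs') |
                        Where-Object { $_ } | Select-Object -First 1
                }
                [pscustomobject]@{
                    GpoGuid  = $gpoGuid
                    File     = $_.FullName
                    Accounts = ($accounts -join ', ')
                }
            }
        }
}

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$findings = Find-GppPasswordFiles -PoliciesPath $policies
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No cpassword entries found under $policies"
}
```

Any GPO listed should have the preference item deleted (not just disabled) and the affected local account's password changed, since the cpassword remains readable by every domain user until the XML is gone.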

So what can we do?

LAPS – Local Administrator Password Solution! This
is Microsoft’s solution to managing Local Administrator account
passwords across an organisation. LAPS solution features include:

• Sets a unique, randomly generated password per machine
• Automatically changes the local administrator password every x days
• Stores the local administrator password as an attribute of the computer object in Active Directory
• The password is protected in AD by an ACL, so a granular security model can be easily implemented
• The password is protected in transit by Kerberos encryption

Deployment Steps

  1. Install LAPS onto a management machine
  2. Extend the schema and prepare Active Directory
  3. Deploy the LAPS client to the machines you wish to manage
  4. Configure Group Policy to enable LAPS and set the relevant policies

This post will cover steps 1, 2 and 3.

Management Machine

First off, we’re going to install the management portion of LAPS. Download LAPS here
and next, next through the installation. On the custom setting page
choose all of the management tools. The AdmPwd GPO Extension is required
if the machine you’re installing the management portion on will also be
managed by LAPS.

Deploying Microsoft LAPS – Part 2

We recently covered preparing Active Directory and deploying the LAPS CSE/Client to the machines you wish to manage in part 1 of deploying Microsoft LAPS. Part 2 covers “Turning on” LAPS via Group Policy, the LAPS process and how it works once deployed.

Group Policy

On your LAPS management machine, head to
C:\Windows\PolicyDefinitions, where you will find AdmPwd.admx and
AdmPwd.adml (under en-US). Copy these files into your Group Policy
Central Store. If you do not have a Central Store (and do not wish to
create one) you can launch Group Policy Management Console directly from
your management machine, or copy the ADMX/ADML to the Domain Controller
where you will be editing the policy.


Create a new GPO and navigate to Computer configuration -> Policies -> Administrative Templates -> LAPS


Password Settings
This is where you’ll choose your password policy. The default is complex
passwords, 14 characters and a password age of 30 days (machines will
automatically change their password when this age is reached).
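To check what a managed machine has actually received from the GPO, you can read the policy values the AdmPwd CSE consumes. As an added example (not from the original post), this PowerShell snippet reads the LAPS policy registry key on a client and compares it against the defaults described above (complexity 4 = upper, lower, digits and specials; 14 characters; 30 days). The key path and value names are those written by the AdmPwd ADMX; the defaults table and the function name are mine.

```powershell
# Added example, not from the original post: show the effective LAPS policy
# on a managed client and flag anything that differs from the defaults.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# Defaults as described in the post; an absent value means the CSE uses the default.
$defaults = [ordered]@{
    PasswordComplexity = 4
    PasswordLength     = 14
    PasswordAgeDays    = 30
}

function Get-LapsPolicyStatus {
    if (-not (Test-Path -Path $policyKey)) {
        return [pscustomobject]@{
            Enabled  = $false
            Note     = "No LAPS policy applied (key missing); check GPO scope and run gpupdate /target:computer"
            Settings = @()
        }
    }
    $p = Get-ItemProperty -Path $policyKey
    $settings = foreach ($name in $defaults.Keys) {
        $value = $p.$name
        [pscustomobject]@{
            Setting   = $name
            Effective = if ($null -eq $value) { $defaults[$name] } else { $value }
            Source    = if ($null -eq $value) { 'default' } else { 'policy' }
            Default   = $defaults[$name]
        }
    }
    [pscustomobject]@{
        # AdmPwdEnabled = 1 is the "Enable local admin password management" setting.
        Enabled      = ($p.AdmPwdEnabled -eq 1)
        # AdminAccountName is only present when a custom account name is configured.
        AdminAccount = if ($p.AdminAccountName) { $p.AdminAccountName } else { 'built-in Administrator (RID 500)' }
        Note         = ''
        Settings     = $settings
    }
}

$status = Get-LapsPolicyStatus
$status | Format-List Enabled, AdminAccount, Note
$status.Settings | Format-Table -AutoSize
$status.Settings | Where-Object { $_.Effective -ne $_.Default } |
    ForEach-Object { Write-Host "Non-default: $($_.Setting) = $($_.Effective)" }
```

If Enabled is $false on a VDI clone that should be managed, the password symptom from the non-persistent VDI post is not the cause; the policy itself has not reached the machine.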