Windows AD Domain: Local Administrator Password Solution (LAPS) Deployment

Foreword:

We know that after Windows 10 is installed, the built-in local administrator account Administrator is disabled by default. Enabling the local administrator account through Group Policy is not a problem. However, since Microsoft announced the Group Policy Preferences elevation-of-privilege vulnerability on May 13, 2014, changing passwords through Group Policy Preferences no longer works:

1. The local administrator account can still be enabled.

2. The Password and Confirm Password fields are greyed out and cannot be used.

Introduction to LAPS

LAPS lets you manage the local administrator password of domain-joined computers. The passwords are stored centrally in Active Directory, and access to them is restricted to authorized users by ACLs.

This feature randomizes the local administrator password of every domain-joined client (each computer gets a different complex random password). The randomized passwords are stored in AD, where authorized users can query them, so guessing one machine's password no longer gives an attacker every machine's password. The transmission from client to domain controller is protected with Kerberos v5 and AES.

Official download link: Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

Install

1. Install LAPS.x64 on the domain controller by clicking Next through the installer. Note that the first component does not need to be installed on the server.

By default only the AdmPwd GPO Extension is checked. Clients must have it installed, but the server does not need it.

2. After the installation is complete, load the LAPS module in PowerShell and extend the AD schema

# Import the LAPS module
PS C:\Users\Administrator> Import-Module AdmPwd.PS


# A Status of Success means the schema update succeeded
PS C:\Users\Administrator> Update-AdmPwdADSchema

Operation            DistinguishedName                                                 Status
---------            -----------------                                                 ------
AddSchemaAttribute   cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=m... Success
AddSchemaAttribute   cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=msh,DC=local       Success
ModifySchemaClass    cn=computer,CN=Schema,CN=Configuration,DC=msh,DC=local            Success

3. View the OU structure of the local domain environment

(1) The two local computers are currently under the Workstation OU

(2) We verify the result of the schema extension by opening ADSI Edit. In the attribute list of a computer object there should now be two new entries: ms-Mcs-AdmPwd (the password in clear text) and ms-Mcs-AdmPwdExpirationTime (when the password expires)

(3) Then set the OU permissions so that every computer in it is allowed to write its own password

Set-AdmPwdComputerSelfPermission -OrgUnit Workstation

(4) You can also use the following command to check which users and groups have permission to view

Find-AdmPwdExtendedRights -Identity "Workstation"

# Domain Admins have the permission by default
PS C:\Users\Administrator> Find-AdmPwdExtendedRights -Identity "Workstation"

ObjectDN                                      ExtendedRightHolders
--------                                      --------------------
OU=Workstation,OU=SHA,DC=msh,DC=local         {NT AUTHORITY\SYSTEM, MSH\Domain Admins}

(5) You can specify which users or groups have permissions

Set-AdmPwdResetPasswordPermission -OrgUnit Workstation -AllowedPrincipals <UserOrGroup>

4. Create GPOs

Create a GPO named LAPS linked to the Workstation OU

(1) Go to Computer Configuration > Policies > Administrative Templates > LAPS

(2) Set the local administrator password rules

(3) Enable local administrator password management

(4) Go to Computer Configuration > Policies > Software Settings > Software Installation and deploy the LAPS installation package (downloaded above) to the clients. Choose "Assigned" as the deployment method so that the client installs it automatically at startup. The detailed steps are not covered here

5. After the client takes effect, we check that it has been successfully installed

6. How to check the password

(1) via PowerShell

# Look up the password by computer name
PS C:\Users\Administrator> Get-AdmPwdPassword -ComputerName lishi-pc

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
LISHI-PC             CN=LISHI-PC,OU=Workstation,OU=SHA,DC=msh,D... /Ro}d8q3           6/7/2023 9:57:04 AM

(2) Via LAPS UI
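As an added example that is not part of the original post, the following PowerShell script audits which computers in the Workstation OU have actually received a LAPS-managed password, flags stale ones, and lists who may read the passwords, without displaying any password itself. It assumes the RSAT ActiveDirectory module, the AdmPwd.PS module, and the OU path shown in the transcripts above.

```powershell
# Added example (not from the original post): audit the LAPS rollout in the
# Workstation OU. Assumes RSAT ActiveDirectory, AdmPwd.PS and the OU DN used above.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = "OU=Workstation,OU=SHA,DC=msh,DC=local"   # OU DN taken from the post

# Read only the expiration attribute; an audit script should never pull ms-Mcs-AdmPwd
$computers = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'

$nowUtc = (Get-Date).ToUniversalTime()
$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # No timestamp: the client extension is not installed or the GPO has not applied yet
        $state   = 'NoPassword'
        $expires = $null
    } else {
        # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        # Expired means the client should rotate on its next Group Policy refresh;
        # a machine that stays Expired for more than one refresh cycle needs attention
        $state = if ($expires -lt $nowUtc) { 'Expired' } else { 'Managed' }
    }
    [pscustomobject]@{ ComputerName = $c.Name; State = $state; ExpiresUtc = $expires }
}

$report | Sort-Object State, ComputerName | Format-Table -AutoSize

# Summary counts per state
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Principals allowed to read the clear-text password in this OU (Domain Admins by default)
Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders
```

Run it from a domain-joined admin workstation after step 5 to confirm that every computer in the OU shows as Managed; any NoPassword entries are machines where the client extension has not taken effect.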


Origin blog.csdn.net/mshxuyi/article/details/130555062