LAPS

  • Last Post 18 May 2017
kitaab posted this 02 March 2017

We have added LAPS and now all local admin passwords are accessible in AD.

The GPO sets the password every 2 days.

However, we have a situation where sometimes a VM has to be restored from a backup from, let's say, a week ago. Since the VM is restored as a workgroup machine, the only account we can log in with is the local admin account, but because LAPS resets the password every 2 days we do not actually have the correct password for the restored VM.

How can we keep a history of passwords in LAPS,

or how do you guys manage such situations?

PARRIS posted this 02 March 2017

We put the LAPS information into a SQL DB, this covers your scenario, plus deleted machine accounts.

 

 

Regards,

Mark Parris

kitaab posted this 02 March 2017

Do you mean adding the LAPS information to AD + SQL? How do you do that?

kurtbuff posted this 02 March 2017

The script below is simplistic (nothing so fancy as a SQL database, just a CSV file), but it works for me, and I take the opportunity to gather some other info as well, as you can see. LastLogonDate and LastLogonTimeStamp are somewhat redundant, but I wrote this mostly as an exercise in timestamp format manipulation.
We expire passwords much more slowly - every 30 days.
# Snapshot of every computer's LAPS password, expiry and last-logon data to a dated CSV
Get-ADComputer -Filter * -Properties OperatingSystem, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime, LastLogonDate, LastLogonTimeStamp |
    Select-Object Name, OperatingSystem, ms-Mcs-AdmPwd,
        # ms-Mcs-AdmPwdExpirationTime and LastLogonTimeStamp are FILETIME values; LastLogonDate is already a DateTime
        @{Name = 'PasswordExpirationDate'; Expression = { [DateTime]::FromFileTime($_.'ms-Mcs-AdmPwdExpirationTime').ToString('u') }},
        @{Name = 'LastLogonDate'; Expression = { $_.LastLogonDate.ToString('u') }},
        @{Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp).ToString('u') }} |
    Sort-Object OperatingSystem, LastLogon |
    # UNC path quoted so PowerShell does not treat '<' as a redirection operator
    Export-Csv -NoTypeInformation -Path '\\example.com\us\infrastructureTeam\laps\<yyyy-mm-dd>-passwords.csv'
Kurt
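Kurt's export takes a point-in-time snapshot; to answer the original question (which local admin password was valid on the day a backup was taken) the snapshots have to be retained and searchable. The script below is an added example, not Kurt's code or anything shipped with LAPS: it appends only changed passwords to a history CSV and looks up the password that was in force at a given date. The share path, the OU and the function names are assumptions. The file holds cleartext local administrator passwords, so its ACL needs to be at least as tight as the read permission on the ms-Mcs-AdmPwd attribute itself.

```powershell
# Added example (not Kurt's script). Keeps a LAPS password history in a CSV
# and answers "which local admin password was in force on date X?", e.g. for
# a VM restored from a week-old backup. Assumes the LAPS schema extension is
# installed and the caller holds the ms-Mcs-AdmPwd read right.
# $HistoryCsv and $SearchBase are assumptions; adjust for your environment.
Import-Module ActiveDirectory

$HistoryCsv = '\\example.com\us\infrastructureTeam\laps\laps-history.csv'
$SearchBase = 'OU=Computers-US,DC=example,DC=com'

function Get-LapsCurrent {
    # One object per computer that currently has a LAPS-managed password.
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
        Where-Object { $_.'ms-Mcs-AdmPwd' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName   = $_.Name
                Password       = $_.'ms-Mcs-AdmPwd'
                # ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
                ExpirationTime = [DateTime]::FromFileTimeUtc([long]$_.'ms-Mcs-AdmPwdExpirationTime').ToString('u')
                FirstSeen      = (Get-Date).ToUniversalTime().ToString('u')
            }
        }
}

function Update-LapsHistory {
    # Append only (computer, password) pairs not already in the file, so each
    # rotation produces exactly one new row no matter how often this runs.
    param([string]$Path = $HistoryCsv)
    $known = @{}
    if (Test-Path $Path) {
        Import-Csv $Path | ForEach-Object { $known["$($_.ComputerName)|$($_.Password)"] = $true }
    }
    $new = @(Get-LapsCurrent | Where-Object { -not $known.ContainsKey("$($_.ComputerName)|$($_.Password)") })
    if ($new.Count -gt 0) {
        $new | Export-Csv -Path $Path -NoTypeInformation -Append
    }
    $new
}

function Get-LapsPasswordAsOf {
    # The rotation happened somewhere between two collector runs, so return
    # the last password recorded on or before $AsOf and the first one recorded
    # after it; one of the two is the password the restored VM expects.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][DateTime]$AsOf,
        [string]$Path = $HistoryCsv
    )
    $rows = Import-Csv $Path |
        Where-Object { $_.ComputerName -eq $ComputerName } |
        Sort-Object { [DateTime]::Parse($_.FirstSeen) }
    $before = $rows | Where-Object { [DateTime]::Parse($_.FirstSeen) -le $AsOf } | Select-Object -Last 1
    $after  = $rows | Where-Object { [DateTime]::Parse($_.FirstSeen) -gt $AsOf } | Select-Object -First 1
    @($before, $after) | Where-Object { $_ } | Select-Object ComputerName, Password, FirstSeen, ExpirationTime
}

# Usage: schedule Update-LapsHistory at least as often as the LAPS rotation
# interval (every 2 days in the original post), then for a restored VM:
#   Get-LapsPasswordAsOf -ComputerName 'SRV01' -AsOf (Get-Date).AddDays(-7)
```

The collector has to run more often than the rotation interval, otherwise a password can be set and replaced between two runs and never be recorded; with the 2-day GPO from the original post a daily task is the minimum.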



Icolan posted this 14 May 2017

@Mark Parris, how did you configure LAPS to also store passwords in SQL?

patrickg posted this 17 May 2017

A simple script can periodically scrape the values from AD and dump a copy of them into a SQL database.

 


~Patrick

 


jeremy.stump posted this 17 May 2017

Do you have the script, minus any of your system names?




patrickg posted this 17 May 2017

Something like the below; it may need some tuning. I don't export the information from AD; instead the DCs get replicated off-site to mitigate the potential need for this type of solution.

Anytime a DC goes south (extremely rare), it is rebuilt from scratch and reseeded.

$SQLServer = "MySQLBox-1"
$Database = "Somedatabase"
$MyTable = "arandomtable"

# Pull the current LAPS password for every computer in the server OU
$myservers = Get-ADComputer -SearchBase "OU=My Server OU Servers,DC=mydomain,DC=org" -Filter "*" -Properties ms-Mcs-AdmPwd | Select-Object Name, ms-Mcs-AdmPwd

$myconn = New-Object System.Data.SqlClient.SqlConnection
$myconn.ConnectionString = "Data Source=$SQLSERVER;Initial Catalog=$Database;Integrated Security=SSPI;"
$myconn.Open()
$mycommand = New-Object System.Data.SQLClient.SQLCommand
$mycommand.connection = $myconn

foreach($i in $myservers)
  {
    # Statement built by string concatenation (see the injection note later in the thread)
    $mystring = "INSERT INTO $MyTable (ServerName, AdmPwd) VALUES ('" + $i.name + "', '" + $i."ms-Mcs-AdmPwd" + "')"
    $mycommand.CommandText = $mystring
    $mycommand.ExecuteNonQuery()
    sleep 0.1
  }
$myconn.Close()

 



 

 

~Patrick

 


jeremyts posted this 17 May 2017

I love this idea…and I love LAPS.

 

You could extend this to have 4 or 5 columns against a computer object, do a comparison, and if the password is new, place it in a new column, etc. If the columns are full, drop the first and reorder. That way you're not adding multiple rows for a record (computer) and you've always got the last 4 or 5 passwords.

 

Cheers,

Jeremy

 


ken posted this 18 May 2017

Creating new rows would be a more normalised design, than having some arbitrary number of columns.



Even better would be to have a table of computer objects, and then another table of passwords, with a foreign key back to the computers table. That way you're not duplicating computer records.

Storing passwords in multiple columns will make it quite hard to do any sort of aggregation or reporting queries. Storing the stuff in individual rows does allow that.

https://en.wikipedia.org/wiki/Database_normalization

 

Also, SQL string below appears to be vulnerable to SQL injection.

 

Cheers


Ken

 


kurtbuff posted this 18 May 2017

I wrote this as an exercise in time/date manipulation, but it should get the job done for you:
# Same snapshot as before, scoped to one OU and written to a file stamped with today's date
Get-ADComputer -Filter * -SearchBase 'OU=Computers-US,DC=example,DC=com' -Properties OperatingSystem, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime, LastLogonDate, LastLogonTimeStamp |
    Select-Object Name, OperatingSystem, ms-Mcs-AdmPwd,
        @{Name = 'PasswordExpirationDate'; Expression = { [DateTime]::FromFileTime($_.'ms-Mcs-AdmPwdExpirationTime').ToString('u') }},
        @{Name = 'LastLogonDate'; Expression = { $_.LastLogonDate.ToString('u') }},
        @{Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp).ToString('u') }} |
    Sort-Object OperatingSystem, LastLogon |
    # Date stamp via Get-Date: %date% is cmd.exe syntax and is not expanded by PowerShell
    Export-Csv -NoTypeInformation -Path "\\example.com\us\infrastructure\laps\$(Get-Date -Format yyyy-MM-dd)-passwords.csv"
It just generates a CSV file with a date in the name, so it's pretty simple. I ran it as a scheduled task for a while, but found it not so much needed, because we only force password changes every 30 days.
Kurt



jeremyts posted this 18 May 2017

Nice… I'm not a DBA, so that's great info. I think you'd then want to timestamp your rows though, so that you could do some maintenance tasks; otherwise you will end up with many records (rows) per computer over its lifetime, depending on how aggressively you set the LAPS policies.

Sure, the INSERT can be written better to sanitise the data first to avoid SQL injection where possible. But that aside, it's a great example of what can be achieved.

 

Cheers,

Jeremy
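Putting the thread's suggestions together: Patrick's AD-to-SQL copy, Ken's normalised schema (a computers table plus a passwords table with a foreign key) and Jeremy's timestamped rows, with the INSERT parameterised rather than concatenated so a password containing a quote can neither break nor alter the statement. This is an added example and not Patrick's script or part of LAPS; the server, database and OU names are assumptions carried over from his post. As with any such copy, the database now holds cleartext local administrator passwords and needs the same access control and auditing as the AD attribute.

```powershell
# Added example (not Patrick's script). Same AD -> SQL copy, but with a
# normalised schema (one Computers table, one PasswordHistory table with a
# foreign key and a RecordedAt timestamp) and parameterised commands instead
# of string concatenation. Server, database and OU names are assumptions.
Import-Module ActiveDirectory

$SqlServer  = 'MySQLBox-1'
$Database   = 'Somedatabase'
$SearchBase = 'OU=My Server OU Servers,DC=mydomain,DC=org'

# Schema: one row per computer, one row per distinct password per computer.
$Schema = @'
IF OBJECT_ID('dbo.Computers') IS NULL
    CREATE TABLE dbo.Computers (
        ComputerId INT IDENTITY PRIMARY KEY,
        Name       NVARCHAR(64) NOT NULL UNIQUE);
IF OBJECT_ID('dbo.PasswordHistory') IS NULL
    CREATE TABLE dbo.PasswordHistory (
        PasswordId INT IDENTITY PRIMARY KEY,
        ComputerId INT NOT NULL REFERENCES dbo.Computers(ComputerId),
        AdmPwd     NVARCHAR(256) NOT NULL,
        ExpiresAt  DATETIME2 NOT NULL,
        RecordedAt DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME());
'@

# Ensure the computer row exists, then add a history row only when the
# password differs from the latest one recorded for that computer.
$Upsert = @'
MERGE dbo.Computers AS c
USING (SELECT @Name AS Name) AS s ON c.Name = s.Name
WHEN NOT MATCHED THEN INSERT (Name) VALUES (s.Name);
DECLARE @Cid INT = (SELECT ComputerId FROM dbo.Computers WHERE Name = @Name);
IF NOT EXISTS (SELECT 1 FROM dbo.PasswordHistory
               WHERE ComputerId = @Cid AND AdmPwd = @Pwd
                 AND PasswordId = (SELECT MAX(PasswordId) FROM dbo.PasswordHistory WHERE ComputerId = @Cid))
    INSERT INTO dbo.PasswordHistory (ComputerId, AdmPwd, ExpiresAt) VALUES (@Cid, @Pwd, @Exp);
'@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=SSPI;"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Schema
    [void]$cmd.ExecuteNonQuery()

    # Typed parameters: the password travels as data, never as part of the SQL text
    $cmd.CommandText = $Upsert
    $pName = $cmd.Parameters.Add('@Name', [System.Data.SqlDbType]::NVarChar, 64)
    $pPwd  = $cmd.Parameters.Add('@Pwd',  [System.Data.SqlDbType]::NVarChar, 256)
    $pExp  = $cmd.Parameters.Add('@Exp',  [System.Data.SqlDbType]::DateTime2)

    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
        Where-Object { $_.'ms-Mcs-AdmPwd' } |
        ForEach-Object {
            $pName.Value = $_.Name
            $pPwd.Value  = $_.'ms-Mcs-AdmPwd'
            # ms-Mcs-AdmPwdExpirationTime is a FILETIME; convert to a UTC DateTime for the DATETIME2 column
            $pExp.Value  = [DateTime]::FromFileTimeUtc([long]$_.'ms-Mcs-AdmPwdExpirationTime')
            [void]$cmd.ExecuteNonQuery()
        }
}
finally {
    $conn.Close()
}

# Point-in-time lookup for a restored VM (run against the same database):
#   SELECT TOP 1 h.AdmPwd, h.RecordedAt, h.ExpiresAt
#   FROM dbo.PasswordHistory h JOIN dbo.Computers c ON c.ComputerId = h.ComputerId
#   WHERE c.Name = @Name AND h.RecordedAt <= @BackupTime
#   ORDER BY h.RecordedAt DESC;
```

Because a row is written only when the password changes, the table grows once per rotation per computer rather than once per run, and the RecordedAt column gives the retention or reporting queries Ken and Jeremy mention a key to work from.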

 
