How to Secure Local Administrator Accounts

Local Administrator passwords of Workstations are a security risk. The reason is that most of the time all the Workstations have the same password, or sometimes nobody pays any attention to them. With Windows Server 2008 and older Server versions you could use a GPO to update the passwords of Local Administrators on Workstations.

But in May 2014 the cpassword was removed with the MS14-025 update. Cpassword was the name of the attribute that stored passwords in Group Policy items. The problem was that the password was not stored securely enough and could be easily decrypted by any authenticated user in the domain.

After the MS14-025 update, if you try to create such a GPO you will see that it can't update the password of the Administrator.

So this creates a big problem, because IT Pros can't manage the Local Administrator Passwords of Workstations.

Microsoft released the Local Administrator Password Management (LAPM) tool, also known as the Local Administrator Password Solution (LAPS), which gives you a way to manage the Local Administrator Passwords of Workstations.

Let's explain step by step how to use it.


Install the LAPM Application

There are two parts to the installation:

  1. On the Clients
  2. On the Management Computer, or in simple words the Server on which you set up the Group Policy


Setup LAPM on the Client Workstation

  • Tick I agree ...... and click Next.

  • Leave the default options and click Next.

  • Wait for it to finish and click Finish.
  • To verify the installation, go to Control Panel -> Programs and Features and you will see the Local Administrator Password Solution.


Setup LAPM on the Management Computer

  • Tick I agree ...... and click Next.

  • Click on AdmPwd GPO Extensions and select Entire feature will be unavailable.
  • Click on Management Tools, select Entire feature will be installed on local hard drive, and click Next.

  • Wait for it to finish and click Finish.
  • To verify the installation, go to Control Panel -> Programs and Features and you will see the Local Administrator Password Solution.


Use GPO to install the Application

If you work in a Company with a lot of users, you can automate the installation and use Group Policy to deploy the Local Administrator Password Management Tool.

  • Create a shared folder on the network and, in both the Security and the Share permissions, give access to the users and computer objects to which you want to deploy LAPM.
  • If you don't give access to the users and computer objects, they will get errors with event IDs 108 and 1112 in the Event Logs.
  • Copy the msi file of LAPM to the shared folder.
  • Open Group Policy Management.
  • Expand Computer Configuration\Policies\Software Settings.
  • Right-click and select New Package.

  • Find the msi file in the appropriate folder and click Open.
  • Select Assigned and click OK.

  • On the right side you will see the Application.

  • Assign the Group Policy to the appropriate OU and Users or Groups.
  • Log in to one Client Workstation and run gpupdate /force.
  • After restarting the Workstation, go to Programs and Features to verify that the Application is installed.


Active Directory Preparation

After the installation is complete on the client and the management computer, we must extend the AD Schema with 2 new attributes.

The new attributes are:

  1. ms-Mcs-AdmPwd – Stores the password in clear text (reading it is controlled by the ACL on the computer object)
  2. ms-Mcs-AdmPwdExpirationTime – Stores the time when the password will be reset.

To update the schema, follow these steps.

  1. First you must import the PowerShell module AdmPwd.PS.
  2. Open PowerShell as Administrator and type the command
    Import-Module AdmPwd.PS
  3. Now you must update the schema. Type the command
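The following is an added example of the Active Directory preparation done with the AdmPwd.PS module; it is not code from the original article. Besides the schema update it also grants the computers write access to their own attributes and delegates read access to a group, and it audits who can already read the attribute. The OU path and the group name are assumptions; replace them with your own.

```powershell
# Added example (not from the original article): prepare AD for LAPS with the
# AdmPwd.PS module. Run in an elevated PowerShell on the management computer,
# as a member of Schema Admins for step 1 and Domain Admins for steps 2-4.
# The OU path and the group name below are assumptions.

Import-Module AdmPwd.PS

# 1. Extend the schema: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
#    to the computer class. Runs once per forest.
Update-AdmPwdADSchema

# 2. Let the computers in the OU write their own password and expiration
#    time. Without this the client extension cannot store the new password
#    and the attribute in AD stays empty.
$ou = 'OU=Workstations,DC=corp,DC=example'          # assumed OU
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read of the password to one dedicated group only.
$readers = 'LAPS-Password-Readers'                   # assumed group name
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Audit who can already read the attribute. ms-Mcs-AdmPwd is clear text,
#    and any principal holding "All Extended Rights" on the computer objects
#    (often delegated to helpdesk groups years ago) can read it. Review this
#    list and remove rights that are not needed before passwords are set.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique
```

Step 4 is the check most deployments skip: the schema extension and the GPO do nothing to restrict existing "All Extended Rights" delegations, so run it before the first password is written to AD.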


Create a GPO to Update the Password

Now it's time to create a new GPO that will update the password of the Local Administrators on Workstations, and why not on Servers too.

  • Open Group Policy Management.
  • Expand Computer Configuration\Policies\Administrative Templates\LAPS.
  • On the right side, click Password Settings.

  • Select Enabled and configure the Password Complexity based on your Company Policy.

  • Click OK.
  • Assign the GPO to the appropriate OU.
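As an added example (not from the original article), the same GPO can be built from PowerShell with the GroupPolicy module. The "Password Settings" policy in the GPMC writes the registry values below under the LAPS policy key; the GPO name, the OU and the length/age values are assumptions to be adjusted to your company policy.

```powershell
# Added example (not from the original article): build the LAPS password
# policy GPO from PowerShell instead of the GPMC UI. Needs the GroupPolicy
# module (RSAT) and the LAPS ADMX templates installed on the management
# computer. GPO name, OU and the length/age values are assumptions.

Import-Module GroupPolicy

$gpoName = 'LAPS - Local Administrator Password'    # assumed GPO name
$ou      = 'OU=Workstations,DC=corp,DC=example'     # assumed OU
$key     = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$gpo = New-GPO -Name $gpoName

# "Enable local admin password management" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1

# "Password Settings": complexity 4 = large and small letters, numbers and
# special characters; length and age chosen to match an (assumed) policy.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30

# "Do not allow password expiration time longer than required by policy":
# a tampered ms-Mcs-AdmPwdExpirationTime far in the future can no longer
# stop the rotation.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1

# Link the GPO to the OU that holds the workstations.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes

# Review what was written before clients pick it up.
Get-GPRegistryValue -Name $gpoName -Key $key
```

If the LAPS ADMX templates are not installed, the same values still apply on the clients but show up in the GPMC report under "Extra Registry Settings" instead of the LAPS folder.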


Verify that the GPO works

We have finished and have set the Local Administrator Passwords of Workstations with the Complexity we want. But how can we verify that the Group Policy works without problems?

  • Log in to one of the Workstations to which the GPO applies.
  • Open cmd and type gpupdate /force to apply the new GPO.
  • Now log in to a Domain Controller and open Active Directory Users and Computers, or use the Remote Server Administration Tools (RSAT). If you want to enable it, read Enable Active Directory Remote Administration Tools.
  • Open the Properties of the Computer Object and click the Attribute Editor tab.
  • Find the attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
  • In ms-Mcs-AdmPwd you will find the Password of the Local Administrator for the specific Workstation, and in ms-Mcs-AdmPwdExpirationTime you will see when it expires.
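The same verification can be done for a whole OU at once from PowerShell; this is an added example, not code from the original article. It lists which computers have a populated expiration time (an empty attribute means the GPO has not applied yet or the computer lacks write permission on its own object), converts the stored value to a readable date, and reads one password through the supported cmdlet. The OU and the computer name are assumptions.

```powershell
# Added example (not from the original article): verify from PowerShell that
# the GPO has populated the LAPS attributes, instead of opening Attribute
# Editor per computer. Needs the AdmPwd.PS and ActiveDirectory modules and
# an account that was delegated read of ms-Mcs-AdmPwd. OU and computer name
# are assumptions.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'          # assumed OU

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks since
# 1601-01-01 UTC), so it must be converted before comparing with "now".
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $exp = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer  = $_.Name
            Populated = [bool]$raw            # $false: GPO not applied or no self-write permission
            ExpiresUtc = $exp
            RotationDue = ($exp -ne $null) -and ($exp -lt $now)
        }
    } | Format-Table -AutoSize

# Read one password the supported way. With Set-AdmPwdAuditing configured on
# the OU, every such read is logged on the domain controller as an object
# access event, which is how you later find out who looked at which password.
Get-AdmPwdPassword -ComputerName 'WS01' | Format-List    # assumed computer name

# Force a new password at the next policy refresh by expiring the current one.
Reset-AdmPwdPassword -ComputerName 'WS01' -WhenEffective (Get-Date)
```

A computer that shows Populated = $false after gpupdate /force and a reboot usually points back to the AD preparation: the computer object has no write permission on its own ms-Mcs-AdmPwd attributes, or the GPO is not linked to the OU where the object lives.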

That's it. We finished.

As I have seen in many companies, the Passwords of Local Administrators are never updated and, most importantly, the same password exists on all Workstations. This creates a security hole that can be compromised and used against you.

I hope you find my article interesting.

Have a nice weekend.

Don't forget to share your issues or experience with LAPM in our comment system. You will help other IT Pros and help yourself too.

If you would like to contact me, send me an email or drop me a note on Twitter or Google+.

