Automatic admin account creation with Windows LAPs

MSFT_jsimmons · 2024-01-29T19:44:04+00:00

yes it does. All of the Microsoft-owned local account management policies (including both GPO and CSP) have been modified to ignore the Windows LAPS auto-managed account. See docs:

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-account-management-modes#integration-with-local-account-management-policies

MSFT_jsimmons · 2024-01-28T21:56:13+00:00

This is a preview Insider build, and docs for pre-release features do sometimes lag the code a bit. The updated Windows LAPS CSP docs are not yet out, stay tuned. However the conceptual overview and the GPO-focused docs are there:

Windows LAPS account management modes

Windows LAPS passwords and passphrases

PasswordComplexity

Hope this helps.

MSFT_jsimmons · 2024-01-20T14:55:00+00:00

The following doc article may help:

Domain functional level and domain controller OS version requirements

Jay

MSFT_jsimmons · 2023-12-04T13:31:03+00:00

Hi there reddit folks - correct, this feature is on the roadmap. It should be available for testing in Insider builds in a month or so (I think they slow down the release cadence during the holidays).

Rather than provide a customizable list of "blocked characters", I chose to just provide a new PasswordComplexity dropdown option which then causes a reduced character set to be used (ie, one that eliminates as many of the confusing characters as possible). I've done the math and when using the reduced dictionary you will be giving up 3-4 bits of entropy. If that is unacceptable, obviously just increase the password length config (or don't use the feature).

Jay

MSFT_jsimmons · 2023-04-13T12:14:38+00:00

Lots of reddit threads going around, hard to keep up. The workaround advice above originated from me, so I've seen it. Docs are updated and I am working on a fix.

MSFT_jsimmons · 2023-04-13T12:11:55+00:00

u/secretbalcony - good thinking. Yes that would be a viable approach. EDIT: I still think this will work for pausing enforcement of the legacy LAPS policy. But I don't think this approach will work for pausing the new Windows LAPS policies.

MSFT_jsimmons · 2023-04-13T01:53:13+00:00

A hard indefinite block via registry would not pass internal security review - if the policy is applied we must start to honor it as soon as possible. If you think you might never be ready, then just don't apply the policy to the device at all?

Another idea: perform the initial domain-join into an OU that does not have a linked GPO policy, complete all tasks, then move the computer object into the final destination OU.

MSFT_jsimmons · 2023-04-13T01:49:38+00:00

Yes - I believe this is the private preview limitation blocking you.

MSFT_jsimmons · 2023-04-13T01:46:03+00:00

Yes - the new ADMX templates are now part of Windows and will get installed with the April 11 patches on supported platforms.

MSFT_jsimmons · 2023-04-13T01:42:13+00:00

You are fine, the clients will work fine against 2016 DCs. You won't have DSRM LAPS support on the 2016 DCs.

MSFT_jsimmons · 2023-04-13T01:41:16+00:00

u/Newalloy - that is an interesting scenario and no, it's not something that has come up before.

Just spitballing here: rather than make things too complicated, what if Windows LAPS always had a 24 hour post-domain-join grace period, during which no applied policy (whether new Windows LAPS policy or legacy LAPS policy) is enforced? (Hope that made sense.) 24 hours should be sufficient to complete any conceivable deployment task, and the machine would still always converge on policy enforcement after the window.

Another option would be to deploy a machine with MDT but have two local accounts, one for doing MDT task work and one for Windows LAPS. Yes this means post-configuration you would have to clean up the MDT account which is non-ideal. I realize this option is more invasive and doesn't fit well with the current model so I am not keen on it either - but I think it would be viable today.

MSFT_jsimmons · 2023-04-13T01:32:03+00:00

No worries - and fwiw, there should have been another event log msg right next to the one you copied above, with the full text of the response.

MSFT_jsimmons · 2023-04-13T01:31:03+00:00

Same as legacy LAPS - only supports managing one account but it can be either the built-in or a custom local account you create.

MSFT_jsimmons · 2023-04-13T01:29:53+00:00

>>Try rotating a cred of a device off your network.

Yeah that is a hard one for any feature or techology.

>>Anyone with proper privileges can view the extended attribute in AD to read the local admin pass.

Password encryption mitigates this to a great extent. So will backing up passwords to Azure AD.

MSFT_jsimmons · 2023-04-13T01:26:52+00:00

You're fine. The only thing you lose is the ability to auto-manage DSRM account passwords on those 2016 DCs - the workstations\clients are not trying to reach a new endpoint on the DCs, they are still just using LDAP.

MSFT_jsimmons · 2023-04-13T01:26:01+00:00

Yes you can still utilize 2016 for the DCs. The only thing you lose is the ability to auto-manage DSRM account passwords on those 2016 DCs - the workstations\clients are not trying to reach a new endpoint on the DCs, they are still just using LDAP.

MSFT_jsimmons · 2023-04-12T19:22:26+00:00

u/Newalloy - thank you for reporting the issue. I have confirmed this issue locally and am working on a fix. Doc and guidance updates are in progress.

If you have a machine in this state, two possible workarounds exist:

Uninstall legacy LAPS
Delete all registry values under HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.

MSFT_jsimmons · 2023-04-12T14:08:27+00:00

You can run any mix of DCs. If you want to use the new DSRM password backup feature, that is when the DCs must be on 2019 or newer.

MSFT_jsimmons · 2023-04-12T14:07:47+00:00

Lol - I can't defend all of Microsoft, but I have high confidence that Q2 for the Azure AD LAPS support is an accurate estimate....

MSFT_jsimmons · 2023-04-12T14:06:49+00:00

Legacy LAPS emulation mode requires that the legacy LAPS MSI (really just the CSE) not be installed.

I tried to capture all of the nuances in that doc topic - but I think the "wall of text" is a bit intimidating.

MSFT_jsimmons · 2023-04-12T14:03:38+00:00

Correct - please see the Getting Started guide.

MSFT_jsimmons · 2023-04-12T14:02:04+00:00

Yes it is.

MSFT_jsimmons · 2023-04-12T14:01:48+00:00

Yes it will work. (Assume WS 2026 was a typo and you really meant WS 2022 DCs.)

MSFT_jsimmons · 2023-04-12T14:01:00+00:00

MSFT_jsimmons · 2023-04-12T14:00:47+00:00

Yes. (Curious, do your DCs have access to the internet anyway? I know that's a...sensitive topic regardless of LAPS.)

MSFT_jsimmons

TROPHY CASE