Open Mobile Menu


Who’s Managing your LAPS Implementation

Michael Becher

Written By: Michael Becher

January 07, 2020

Views: 846

In May 2015, Microsoft released a password management tool to combat the rising abuse of encrypted passwords (which effectively became encoded when Microsoft released the key) stored in Group Policy Preferences, or worse, in cleartext scripts pushed via GPO. Every domain user was able to access these preferences and scripts in the ‘SYSVOL’ share and could obtain the single local administrator password for all machines on the domain, which would provide total lateral movement opportunities within the domain. The necessary problem here is that at least one user has to be able to see these LAPS passwords to administer the process. Who within your domain has this power? You might be surprised at how often this is overlooked, thus leading to the availability of all these passwords to more users than intended.

Read more.