
Microsoft LAPS Security & Active Directory LAPS Configuration Recon – Active Directory Security

<!DOCTYPE html><!--[if IE 7]> <html class="ie ie7" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if IE 8]> <html class="ie ie8" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <!--<![endif]--> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Microsoft LAPS Security &#038; Active Directory LAPS Configuration Recon &#8211; Active Directory Security</title> <meta name='robots' content='max-image-preview:large' /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security &raquo; Feed" href="https://adsecurity.org/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security &raquo; Comments Feed" href="https://adsecurity.org/?feed=comments-rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security &raquo; Microsoft LAPS Security &#038; Active Directory LAPS Configuration Recon Comments Feed" href="https://adsecurity.org/?feed=rss2&#038;p=3164" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/adsecurity.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://adsecurity.org/wp-includes/css/dist/block-library/style.min.css?ver=6.5.5' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: 
linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 14px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 20px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--tiny: 10px;--wp--preset--font-size--regular: 16px;--wp--preset--font-size--larger: 26px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) 
!important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) 
!important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: 
var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='bootstrap-css' href='https://adsecurity.org/wp-content/themes/graphene/bootstrap/css/bootstrap.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='font-awesome-css' href='https://adsecurity.org/wp-content/themes/graphene/fonts/font-awesome/css/font-awesome.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-css' href='https://adsecurity.org/wp-content/themes/graphene/style.css?ver=2.8.4' 
type='text/css' media='screen' /> <link rel='stylesheet' id='graphene-responsive-css' href='https://adsecurity.org/wp-content/themes/graphene/responsive.css?ver=2.8.4' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-blocks-css' href='https://adsecurity.org/wp-content/themes/graphene/blocks.css?ver=2.8.4' type='text/css' media='all' /> <style id='akismet-widget-style-inline-css' type='text/css'> .a-stats { --akismet-color-mid-green: #357b49; --akismet-color-white: #fff; --akismet-color-light-grey: #f6f7f7; max-width: 350px; width: auto; } .a-stats * { all: unset; box-sizing: border-box; } .a-stats strong { font-weight: 600; } .a-stats a.a-stats__link, .a-stats a.a-stats__link:visited, .a-stats a.a-stats__link:active { background: var(--akismet-color-mid-green); border: none; box-shadow: none; border-radius: 8px; color: var(--akismet-color-white); cursor: pointer; display: block; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen-Sans', 'Ubuntu', 'Cantarell', 'Helvetica Neue', sans-serif; font-weight: 500; padding: 12px; text-align: center; text-decoration: none; transition: all 0.2s ease; } /* Extra specificity to deal with TwentyTwentyOne focus style */ .widget .a-stats a.a-stats__link:focus { background: var(--akismet-color-mid-green); color: var(--akismet-color-white); text-decoration: none; } .a-stats a.a-stats__link:hover { filter: brightness(110%); box-shadow: 0 4px 12px rgba(0, 0, 0, 0.06), 0 0 2px rgba(0, 0, 0, 0.16); } .a-stats .count { color: var(--akismet-color-white); display: block; font-size: 1.5em; line-height: 1.4; padding: 0 13px; white-space: nowrap; } </style> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script defer type="text/javascript" 
src="https://adsecurity.org/wp-content/themes/graphene/bootstrap/js/bootstrap.min.js?ver=2.8.4" id="bootstrap-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-hover-dropdown/bootstrap-hover-dropdown.min.js?ver=2.8.4" id="bootstrap-hover-dropdown-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-submenu/bootstrap-submenu.min.js?ver=2.8.4" id="bootstrap-submenu-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/jquery.infinitescroll.min.js?ver=2.8.4" id="infinite-scroll-js"></script> <script type="text/javascript" id="graphene-js-extra"> /* <![CDATA[ */ var grapheneJS = {"siteurl":"https:\/\/adsecurity.org","ajaxurl":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","templateUrl":"https:\/\/adsecurity.org\/wp-content\/themes\/graphene","isSingular":"1","enableStickyMenu":"","shouldShowComments":"1","commentsOrder":"newest","sliderDisable":"","sliderInterval":"7000","infScrollBtnLbl":"Load more","infScrollOn":"","infScrollCommentsOn":"","totalPosts":"1","postsPerPage":"10","isPageNavi":"","infScrollMsgText":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollMsgTextPlural":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollFinishedText":"All loaded!","commentsPerPage":"50","totalComments":"1","infScrollCommentsMsg":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsMsgPlural":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsFinishedMsg":"All comments loaded!","disableLiveSearch":"1","txtNoResult":"No result found.","isMasonry":""}; /* ]]> */ </script> <script defer type="text/javascript" 
src="https://adsecurity.org/wp-content/themes/graphene/js/graphene.js?ver=2.8.4" id="graphene-js"></script> <script type="text/javascript" id="wpstg-global-js-extra"> /* <![CDATA[ */ var wpstg = {"nonce":"8d42d3e379"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/wp-staging-pro/assets/js/dist/wpstg-blank-loader.min.js?ver=6.5.5" id="wpstg-global-js"></script> <link rel="https://api.w.org/" href="https://adsecurity.org/index.php?rest_route=/" /><link rel="alternate" type="application/json" href="https://adsecurity.org/index.php?rest_route=/wp/v2/posts/3164" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://adsecurity.org/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.5.5" /> <link rel="canonical" href="https://adsecurity.org/?p=3164" /> <link rel='shortlink' href='https://adsecurity.org/?p=3164' /> <link rel="alternate" type="application/json+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&#038;url=https%3A%2F%2Fadsecurity.org%2F%3Fp%3D3164" /> <link rel="alternate" type="text/xml+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&#038;url=https%3A%2F%2Fadsecurity.org%2F%3Fp%3D3164&#038;format=xml" /> <script type="text/javascript"> var _statcounter = _statcounter || []; _statcounter.push({"tags": {"author": "SeanMetcalf"}}); </script> <script> WebFontConfig = { google: { families: ["Lato:400,400i,700,700i&display=swap"] } }; (function(d) { var wf = d.createElement('script'), s = d.scripts[0]; wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'; wf.async = true; s.parentNode.insertBefore(wf, s); })(document); </script> <style type="text/css"> .header_title, .header_title a, .header_title a:visited, .header_title a:hover, .header_desc {color:#000000}.carousel, .carousel .item{height:400px}@media (max-width: 991px) {.carousel, .carousel .item{height:250px}}#header{max-height:198px}@media 
(min-width: 1200px) {.container {width:1280px}} </style> <script type="application/ld+json">{"@context":"http:\/\/schema.org","@type":"Article","mainEntityOfPage":"https:\/\/adsecurity.org\/?p=3164","publisher":{"@type":"Organization","name":"Active Directory Security"},"headline":"Microsoft LAPS Security &#038; Active Directory LAPS Configuration Recon","datePublished":"2016-08-15T21:17:48+00:00","dateModified":"2016-08-16T21:44:08+00:00","description":"Over the years, there have been several methods attempted for managing local Administrator accounts: Scripted password change - Don't do this. The password is exposed in SYSVOL. Group Policy Preferences. The credentials are exposed in SYSVOL. Password vault\/safe product (Thycotic, CyberArk, Lieberman, Quest, Exceedium, etc). Microsoft Local Administrator Password Solution (LAPS). &nbsp; LAPS Overview Microsoft's ...","author":{"@type":"Person","name":"Sean Metcalf"},"image":["https:\/\/adsecurity.org\/wp-content\/uploads\/2016\/08\/LAPS-Get-LAPS-Password-View-Admins.png"]}</script> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style><meta property="og:type" content="article" /> <meta property="og:title" content="Microsoft LAPS Security &#038; Active Directory LAPS Configuration Recon" /> <meta property="og:url" content="https://adsecurity.org/?p=3164" /> <meta property="og:site_name" content="Active Directory Security" /> <meta property="og:description" content="Over the years, there have been several methods attempted for managing local Administrator accounts: Scripted password change - Don&#039;t do this. The password is exposed in SYSVOL. Group Policy Preferences. The credentials are exposed in SYSVOL. Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Exceedium, etc). Microsoft Local Administrator Password Solution (LAPS). &nbsp; LAPS Overview Microsoft&#039;s ..." 
/> <meta property="og:updated_time" content="2016-08-16T21:44:08+00:00" /> <meta property="article:modified_time" content="2016-08-16T21:44:08+00:00" /> <meta property="article:published_time" content="2016-08-15T21:17:48+00:00" /> <meta property="og:image" content="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins.png" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="348" /> </head> <body class="post-template-default single single-post postid-3164 single-format-standard custom-background wp-embed-responsive layout-boxed two_col_left two-columns singular"> <div class="container boxed-wrapper"> <div id="top-bar" class="row clearfix top-bar "> <div class="col-md-12 top-bar-items"> <ul class="social-profiles"> <li class="social-profile social-profile-rss"> <a href="https://adsecurity.org/?feed=rss2" title="Subscribe to Tech, News, and Other Ideations&#039;s RSS feed" id="social-id-1" class="mysocial social-rss"> <i class="fa fa-rss"></i> </a> </li> </ul> <button type="button" class="search-toggle navbar-toggle collapsed" data-toggle="collapse" data-target="#top_search"> <span class="sr-only">Toggle search form</span> <i class="fa fa-search-plus"></i> </button> <div id="top_search" class="top-search-form"> <form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form> </div> </div> </div> <div id="header" class="row"> <img src="https://adsecurity.org/wp-content/themes/graphene/images/headers/fluid.jpg" alt="Active Directory Security" title="Active Directory Security" width="960" height="198" /> </div> <nav class="navbar row 
navbar-inverse"> <div class="navbar-header align-center"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#header-menu-wrap, #secondary-menu-wrap"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <p class="header_title"> <a href="https://adsecurity.org" title="Go back to the front page"> Active Directory Security </a> </p> <p class="header_desc">Active Directory &amp; Enterprise Security, Methods to Secure Active Directory, Attack Methods &amp; Effective Defenses, PowerShell, Tech Notes, &amp; Geek Trivia&#8230;</p> </div> <div class="collapse navbar-collapse" id="header-menu-wrap"> <ul class="nav navbar-nav flip"><li ><a href="https://adsecurity.org/">Home</a></li><li class="menu-item menu-item-8"><a href="https://adsecurity.org/?page_id=8" >About</a></li><li class="menu-item menu-item-41"><a href="https://adsecurity.org/?page_id=41" >AD Resources</a></li><li class="menu-item menu-item-4031"><a href="https://adsecurity.org/?page_id=4031" >Attack Defense &#038; Detection</a></li><li class="menu-item menu-item-293"><a href="https://adsecurity.org/?page_id=293" >Contact</a></li><li class="menu-item menu-item-1821"><a href="https://adsecurity.org/?page_id=1821" >Mimikatz</a></li><li class="menu-item menu-item-1352"><a href="https://adsecurity.org/?page_id=1352" >Presentations</a></li><li class="menu-item menu-item-195"><a href="https://adsecurity.org/?page_id=195" >Schema Versions</a></li><li class="menu-item menu-item-399"><a href="https://adsecurity.org/?page_id=399" >Security Resources</a></li><li class="menu-item menu-item-183"><a href="https://adsecurity.org/?page_id=183" >SPNs</a></li><li class="menu-item menu-item-2532"><a href="https://adsecurity.org/?page_id=2532" >Top Posts</a></li></ul> </div> </nav> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <div 
class="post-nav post-nav-top clearfix"> <p class="previous col-sm-6"><i class="fa fa-arrow-circle-left"></i> <a href="https://adsecurity.org/?p=2921" rel="prev">PowerShell Security: PowerShell Attack Tools, Mitigation, &#038; Detection</a></p> <p class="next-post col-sm-6"><a href="https://adsecurity.org/?p=3214" rel="next">DerbyCon 6 (2016) Talk &#8211; Attacking EvilCorp: Anatomy of a Corporate Hack</a> <i class="fa fa-arrow-circle-right"></i></p> </div> <div id="post-3164" class="clearfix post post-3164 type-post status-publish format-standard has-post-thumbnail hentry category-microsoft-security category-technical-reference tag-active-directory-laps tag-ad tag-admpwd-dll tag-change-local-administrator-password tag-find-admpwdextendedrights tag-hkey_local_machinesoftwaremicrosoftwindows-ntcurrentversionwinlogongpextensions tag-laps tag-laps-recon tag-local-admin-password-management tag-local-administrator-password-solution tag-microsoft-laps tag-ms-mcs-admpwd tag-ms-mcs-admpwdexpirationtime tag-powerview item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Aug</span> <span class="day">15</span> <span class="year">2016</span> </p> </div> <h1 class="post-title entry-title"> Microsoft LAPS Security &#038; Active Directory LAPS Configuration Recon </h1> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>Over the years, there have been several methods attempted for managing local Administrator accounts:</p> <ol> <li><a 
href="https://gallery.technet.microsoft.com/scriptcenter/c6ecba88-88ae-4e9d-9581-c0d27e20ebd6">Scripted password change</a> &#8211; Don&#8217;t do this. The password is exposed in SYSVOL.</li> <li><a href="https://adsecurity.org/?p=384">Group Policy Preferences</a>. The <a href="https://adsecurity.org/?p=2288">credentials are exposed in SYSVOL</a>.</li> <li>Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Xceedium, etc).</li> <li><a href="https://technet.microsoft.com/en-us/library/security/3062591.aspx">Microsoft Local Administrator Password Solution (LAPS)</a>.</li> </ol> <p>&nbsp;</p> <h3>LAPS Overview</h3> <p>Microsoft&#8217;s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. It&#8217;s important to ensure that every computer changes its local Administrator password regularly, that the password is unique to each computer, that there&#8217;s a way to track when it was changed, and that there&#8217;s a way to force a password change. I cover <a href="https://adsecurity.org/?p=1790">LAPS in an earlier post, including deployment, pros &amp; cons, among other information</a>.</p> <p>Here&#8217;s a quick overview of LAPS:</p> <ul> <li>Initial install, which includes schema extensions &#8211; adds the ms-mcs-AdmPwd (clear-text password) &amp; ms-mcs-AdmPwdExpirationTime (date/time when the password expires, which forces the LAPS client to reset the password) attributes to computer objects.</li> <li>Deploy the LAPS client to all computers to manage their local Administrator account password.</li> <li>Delegate all computers access to update the ms-mcs-AdmPwd &amp; ms-mcs-AdmPwdExpirationTime LAPS attributes on their own computer account (SELF write access).</li> <li>Delegate the LAPS computer attributes so the appropriate users have access to view the LAPS password and/or force a reset of the LAPS password (clearing the value of ms-mcs-AdmPwdExpirationTime forces the LAPS client to change the local Administrator password).</li> 
<li>Configure a new Group Policy Object (GPO) to enable &amp; configure LAPS management of the local Administrator account password.<br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GroupPolicy-Config.png"><img fetchpriority="high" decoding="async" class="alignnone wp-image-3172" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GroupPolicy-Config.png" alt="LAPS-GroupPolicy-Config" width="569" height="351" /></a></li> </ul> <p><em>Note that the LAPS GPO setting &#8220;Do not allow password expiration time longer than required by policy&#8221; is set to Enabled. This is important, as you&#8217;ll see at the end of this post.</em></p> <p><span id="more-3164"></span></p> <h3>LAPS Key Points</h3> <p>There are a few interesting key points regarding LAPS:</p> <ul> <li>When the schema extension is performed, there are two new attributes created for computer objects in Active Directory: <ul> <li>ms-mcs-AdmPwd &#8211; a &#8220;<a href="https://support.microsoft.com/en-us/kb/922836">confidential</a>&#8221; computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default and, unlike other attributes, are not accessible by Authenticated Users. This value is blank until the LAPS password is changed. No one but Domain Admins can view this attribute by default. For this reason, delegation of the ms-mcs-AdmPwd attribute has to be carefully planned and performed: any account granted read access to it, directly or through &#8220;All extended rights&#8221; on the computer object, can retrieve the clear-text local Administrator password.</li> <li>ms-mcs-AdmPwdExpirationTime &#8211; a regular computer attribute that stores the LAPS password reset date/time value in <a href="https://adsecurity.org/?p=378">integer8</a> format. This value is blank until the LAPS password is changed. 
When the LAPS password is changed, the value in this attribute is updated based on the LAPS password change threshold (Password Age in days) configured in the LAPS GPO.</li> </ul> </li> <li>The interesting thing is that while only Domain Admins and delegated groups/accounts can view the LAPS password value stored in the ms-mcs-AdmPwd attribute, any authenticated user can view the value of the ms-mcs-AdmPwdExpirationTime attribute. This means that any user in the Active Directory forest (and any user in a trusted forest/domain) can enumerate the value of this attribute for all computers, which provides interesting LAPS information: <ul> <li>If a computer is managed by LAPS (no value vs value present)</li> <li>When the computer&#8217;s local Administrator password was last changed (read the Password Age value in the LAPS GPO and subtract it from the date/time value in the attribute).</li> <li>If a computer&#8217;s local Administrator password is no longer managed by LAPS (value is equal to a date/time in the past).</li> </ul> </li> <li>The LAPS GPO Client Side Extension (CSE) runs at the client Group Policy refresh time (90 minutes by default plus a random offset of 0 &#8211; 30 minutes to ensure that all clients don&#8217;t refresh at the same time). At this time, the LAPS CSE checks the ms-mcs-AdmPwdExpirationTime value and if the value is less than the current date/time, LAPS will generate a new password (following settings in the LAPS config GPO), update the value on the computer object&#8217;s ms-mcs-AdmPwd attribute with this new password, and if successful, change the local account password to the newly generated password, and update the ms-mcs-AdmPwdExpirationTime attribute value to be today + the Password Age value in the LAPS GPO.</li> </ul> <h3>Identifying if LAPS is Installed on a Computer</h3> <p>When the LAPS client is installed, the Group Policy Client Side Extension (CSE) is configured on the computer. 
This is a DLL (admpwd.dll) located in c:\program files\LAPS\CSE and is configured in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.</p> <p>Using PowerShell, we can check for the presence of the DLL:</p> <pre> Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'</pre> <p>Using PowerShell v5, we can check the file hash &amp; hashing algorithm on the DLL:</p> <pre> Get-FileHash 'c:\program files\LAPS\CSE\Admpwd.dll'</pre> <p>Using PowerShell v5, we can check the digital signature on the DLL:</p> <pre> Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'</pre> <p>A Status of Valid with a Microsoft signer certificate shows the file has not been altered since Microsoft signed it; any other status on this DLL should be investigated.</p> <p>&nbsp;</p> <h3>Discovering LAPS in Active Directory</h3> <p>Since LAPS requires the computer attributes to be present, we can check to see if LAPS is &#8220;installed&#8221; in Active Directory by checking for the presence of the LAPS attributes in AD.</p> <p>Here we use the Active Directory PowerShell module cmdlet Get-ADObject to check for the LAPS password attribute ms-mcs-admpwd.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes.png"><img decoding="async" class="alignnone size-full wp-image-3171" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes.png" alt="LAPS-Recon-Schema-Attributes" width="1673" height="160" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes.png 1673w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes-300x29.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes-768x73.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Recon-Schema-Attributes-1024x98.png 1024w" sizes="(max-width: 1673px) 100vw, 1673px" /></a></p> <p>&nbsp;</p> <h3>Identifying LAPS Password View Access (Delegation)</h3> <p>Active Directory objects and their attributes are typically accessible by Authenticated Users. 
This also includes the security permissions (ACLs) on the objects. Since we have the ability to view these permissions, including delegation, we can identify which groups and accounts have been delegated access to the LAPS attributes.</p> <p>Using <a href="https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1">PowerView</a>, we can enumerate permissions in the Domain and OUs to discover LAPS attribute delegation.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation.png"><img decoding="async" class="alignnone size-full wp-image-3143" src="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation.png" alt="AD-Recon-PowerView-GetNetOU-FindLAPSDelegation" width="1837" height="1250" srcset="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation.png 1837w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation-300x204.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation-768x523.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetOU-FindLAPSDelegation-1024x697.png 1024w" sizes="(max-width: 1837px) 100vw, 1837px" /></a></p> <p>Here we can see that on the Workstations OU (OU=Workstations, DC=lab,DC=adsecurity,DC=org), the &#8220;Workstation Admins&#8221; group is delegated read access (ReadProperty) for the ms-Mcs-AdmPwd attribute on computer objects (InheritedObjectType). The &#8220;Server Admins&#8221; group is also delegated read access to the ms-Mcs-AdmPwd attribute on computer objects in the Servers OU (OU=Servers, DC=lab,DC=adsecurity,DC=org). 
Furthermore, there is another group called &#8220;LAPS Password Admins&#8221; which is delegated read access to the ms-Mcs-AdmPwd attribute on computer objects in the Workstations OU (OU=Workstations, DC=lab,DC=adsecurity,DC=org).</p> <p>From this information we know there are three AD groups that have view access to LAPS passwords on one or more OU:</p> <ul> <li>Workstation Admins</li> <li>Server Admins</li> <li>LAPS Password Admins</li> </ul> <p>With this data, we can get a list of accounts that have LAPS password view access in the domain.<br /> The easy way to do this is to get membership of all the identified delegation groups (and their sub-groups) and enumerate all unique members.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3195" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins.png" alt="LAPS-Get-LAPS-Password-View-Admins" width="1307" height="379" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins.png 1307w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins-300x87.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins-768x223.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Get-LAPS-Password-View-Admins-1024x297.png 1024w" sizes="(max-width: 1307px) 100vw, 1307px" /></a></p> <p>With this information, we know what accounts in Active Directory have the ability to view LAPS password data for at least one OU.<br /> Active Directory delegation is challenging to get right (though the LAPS PowerShell scripts make it pretty straightforward) and even more difficult to track and report on, so this list is worth reviewing regularly.</p> <p>&nbsp;</p> <h3>Backdoor to View LAPS Password Data</h3> <p>If a group is delegated &#8220;All Extended Rights&#8221; to an OU that contains computers managed by LAPS, this 
group has the ability to view confidential attributes, including the LAPS attribute ms-mcs-admpwd which contains the clear text password. Any group with these rights should be evaluated and removed if necessary. Domain Admins has this right by default, as does SYSTEM. Leave SYSTEM alone.</p> <p>The issue is this may include groups that shouldn&#8217;t have LAPS password view access.<br /> We can enumerate these rights using the LAPS PowerShell module cmdlet &#8220;Find-AdmPwdExtendedRights&#8221;.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3202" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3.png" alt="LAPS-Delegation-AllExtendedRights-HelpDeskLevel3" width="1237" height="206" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3.png 1237w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3-300x50.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3-768x128.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-Delegation-AllExtendedRights-HelpDeskLevel3-1024x171.png 1024w" sizes="(max-width: 1237px) 100vw, 1237px" /></a></p> <p>In this scenario, Help Desk Level 3 Admins should *not* have access to view passwords on the Workstations OU.</p> <p>Additionally, if a group/account has &#8220;<a href="https://technet.microsoft.com/en-us/library/dd125370(v=ws.10).aspx">Owner Rights</a>&#8221; on the computer objects, then the group/account has the ability to modify permissions on the objects and attributes. 
I&#8217;ll cover AD rights more in a later post.</p> <h3>Discovering LAPS Password Data</h3> <p>Once we have the appropriate rights (in this example, an account that&#8217;s a member of LAPS Password Admins group) we can pull the list of computers and their LAPS passwords.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3178" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime.png" alt="LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime" width="1720" height="920" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime.png 1720w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime-300x160.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime-768x411.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-Recon-LAPS-Password-and-ExpirationTime-1024x548.png 1024w" sizes="(max-width: 1720px) 100vw, 1720px" /></a></p> <p>&nbsp;</p> <h3>Identifying LAPS Computer Management</h3> <p>Since the LAPS computer attribute ms-mcs-AdmPwdExpirationTime is a regular attribute that authenticated users can read, we can track LAPS usage in an environment, including the discovery of computers being managed by LAPS as well as those that aren&#8217;t actively LAPS managed.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3176" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results.png" alt="LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results" width="1562" 
height="859" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results.png 1562w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-300x165.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-768x422.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-1024x563.png 1024w" sizes="(max-width: 1562px) 100vw, 1562px" /></a></p> <p>The fun thing about this is that if write delegation of the ms-Mcs-AdmPwdExpirationTime attribute is too broad, an attacker who compromises one of the delegated accounts can change the value of this attribute to a date/time far in the future, which prevents the local administrator password from changing until then. This is handy for an attacker who has identified the LAPS password(s) and can then extend the use of these passwords.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3177" src="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date.png" alt="LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date" width="1561" height="993" srcset="https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date.png 1561w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date-300x191.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date-768x489.png 768w, 
https://adsecurity.org/wp-content/uploads/2016/08/LAPS-GetADComputer-ms-mcs-admpwdexpirationtime-Results-After-Modification-To-Future-Date-1024x651.png 1024w" sizes="(max-width: 1561px) 100vw, 1561px" /></a></p> <p>That&#8217;s interesting&#8230; One of the computers has an expiration date well past the 30 days configured in the GPO. This means that the LAPS CSE won&#8217;t change the local admin password until after that date. Nice little LAPS hack. 🙂</p> <p><strong>Note:</strong><br /> The scenario in the last graphic &#8211; preventing LAPS from updating the local password until some point in the future &#8211; only works if the LAPS GPO setting &#8220;<em>Do not allow password expiration time longer than required by policy</em>&#8221; is set to &#8220;Not Configured&#8221; or &#8220;Disabled&#8221;.<br /> The best way to mitigate this potential issue is to ensure the LAPS GPO setting &#8220;<em>Do not allow password expiration time longer than required by policy</em>&#8221; is set to &#8220;Enabled&#8221; as shown in the graphic at the beginning of this post.</p> <p>&nbsp;</p> <div class="tptn_counter" id="tptn_counter_3164">(Visited 146,174 times, 1 visits today)</div> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-1012" href="https://adsecurity.org/?tag=active-directory-laps">Active Directory LAPS</a>, <a class="term term-tagpost_tag term-1013" href="https://adsecurity.org/?tag=ad">AD</a>, <a class="term term-tagpost_tag term-1009" href="https://adsecurity.org/?tag=admpwd-dll">admpwd.dll</a>, <a class="term term-tagpost_tag term-1010" href="https://adsecurity.org/?tag=change-local-administrator-password">Change Local Administrator Password</a>, <a class="term term-tagpost_tag term-1014" href="https://adsecurity.org/?tag=find-admpwdextendedrights">Find-AdmPwdExtendedRights</a>, <a class="term term-tagpost_tag term-1008" 
href="https://adsecurity.org/?tag=hkey_local_machinesoftwaremicrosoftwindows-ntcurrentversionwinlogongpextensions">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</a>, <a class="term term-tagpost_tag term-631" href="https://adsecurity.org/?tag=laps">LAPS</a>, <a class="term term-tagpost_tag term-1007" href="https://adsecurity.org/?tag=laps-recon">LAPS Recon</a>, <a class="term term-tagpost_tag term-1011" href="https://adsecurity.org/?tag=local-admin-password-management">Local Admin password management</a>, <a class="term term-tagpost_tag term-1006" href="https://adsecurity.org/?tag=local-administrator-password-solution">Local Administrator Password Solution</a>, <a class="term term-tagpost_tag term-1005" href="https://adsecurity.org/?tag=microsoft-laps">Microsoft LAPS</a>, <a class="term term-tagpost_tag term-633" href="https://adsecurity.org/?tag=ms-mcs-admpwd">ms-Mcs-AdmPwd</a>, <a class="term term-tagpost_tag term-634" href="https://adsecurity.org/?tag=ms-mcs-admpwdexpirationtime">ms-Mcs-AdmPwdExpirationTime</a>, <a class="term term-tagpost_tag term-696" href="https://adsecurity.org/?tag=powerview">PowerView</a></span></li> <li class="addthis col-sm-8"><div class="add-this"></div></li> </ul> </div> </div> <div class="entry-author"> <div class="row"> <div class="author-avatar col-sm-3"> <a href="https://adsecurity.org/?author=2" rel="author"> <img alt='' src='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=200&#038;d=mm&#038;r=g' srcset='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=400&#038;d=mm&#038;r=g 2x' class='avatar avatar-200 photo' height='200' width='200' loading='lazy' decoding='async'/> </a> </div> <div class="author-bio col-sm-9"> <h3 class="section-title-sm">Sean Metcalf</h3> <p>I improve security for enterprises around the world working for TrimarcSecurity.com<br /> Read the About page (top left) for information about me. 
:)<br /> https://adsecurity.org/?page_id=8</p> <ul class="author-social"> <li><a href="mailto:sean@adsecurity.org"><i class="fa fa-envelope-o"></i></a></li> </ul> </div> </div> </div> <div id="comments" class="clearfix no-ping"> <h4 class="comments current"> <i class="fa fa-comments-o"></i> 2 comments </h4> <div class="comments-list-wrapper"> <ol class="clearfix comments-list" id="comments_list"> <li id="comment-10761" class="comment even thread-even depth-1 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/6064a01309333436b65a9dc192f6dbea?s=50&#038;d=mm&#038;r=g' srcset='https://secure.gravatar.com/avatar/6064a01309333436b65a9dc192f6dbea?s=100&#038;d=mm&#038;r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author">Ryan</span> on <span class="comment-date">August 16, 2016 <span class="time">at 5:13 am</span></span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=3164#comment-10761">#</a></li> </ul> <div class="comment-entry"> <p>I would be interested to know your thoughts on the password stored in clear text? Our security team are not happy to approve LAPS as they see that as a security risk and want the password encrypted. 
</p> <p>my initial thoughts are that the password is stored on a confidential attribute so you would need to compromise AD and the ACLs to get access which at that point does it really matter where your passwords are stored..don&#8217;t you have bigger issues?</p> </div> </div> </div> <ol class="children"> <li id="comment-10766" class="comment byuser comment-author-seanmetcalf bypostauthor odd alt depth-2 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/843fd885d49f892c4bc60ed0f9eef40b?s=50&#038;d=mm&#038;r=g' srcset='https://secure.gravatar.com/avatar/843fd885d49f892c4bc60ed0f9eef40b?s=100&#038;d=mm&#038;r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author"><a href="https://ADSecurity.org" rel="external">Sean Metcalf</a></span> on <span class="comment-date">August 16, 2016 <span class="time">at 9:47 pm</span></span><br /><span class="label label-primary author-cred">Author</span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=3164#comment-10766">#</a></li> </ul> <div class="comment-entry"> <p>I agree that it would be better if the password was encrypted and note as much in my earlier post on LAPS (<a href="https://adsecurity.org/?p=1790" rel="ugc">https://adsecurity.org/?p=1790</a>).<br /> Since the password is stored in a confidential attribute which only Domain Admins have access to by default (not including custom delegation), the password data is appropriately secured. 
IF the issue is the difference between changing local admin passwords versus not, the answer is simple, use LAPS (or another password management solution).</p> </div> </div> </div> </li><!-- #comment-## --> </ol><!-- .children --> </li><!-- #comment-## --> </ol> </div> </div> </div><!-- #content-main -->
btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form></div> <div id="recent-posts-2" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin &#8211; The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations &#8211; Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript &#8211; Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="recent-comments-2" class="sidebar-wrap widget_recent_comments"><h3>Recent Comments</h3><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link">Derek</span> on <a href="https://adsecurity.org/?p=3592#comment-13603">Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3782#comment-13545">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Brad</span> on <a href="https://adsecurity.org/?p=3782#comment-13544">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Joonas</span> on <a href="https://adsecurity.org/?p=3719#comment-13229">Gathering AD Data with the Active Directory PowerShell Module</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a 
href="https://adsecurity.org/?p=3719#comment-13215">Gathering AD Data with the Active Directory PowerShell Module</a></li></ul></div><div id="archives-2" class="sidebar-wrap widget_archive"><h3>Archives</h3> <ul> <li><a href='https://adsecurity.org/?m=202406'>June 2024</a></li> <li><a href='https://adsecurity.org/?m=202405'>May 2024</a></li> <li><a href='https://adsecurity.org/?m=202005'>May 2020</a></li> <li><a href='https://adsecurity.org/?m=202001'>January 2020</a></li> <li><a href='https://adsecurity.org/?m=201908'>August 2019</a></li> <li><a href='https://adsecurity.org/?m=201903'>March 2019</a></li> <li><a href='https://adsecurity.org/?m=201902'>February 2019</a></li> <li><a href='https://adsecurity.org/?m=201810'>October 2018</a></li> <li><a href='https://adsecurity.org/?m=201808'>August 2018</a></li> <li><a href='https://adsecurity.org/?m=201805'>May 2018</a></li> <li><a href='https://adsecurity.org/?m=201801'>January 2018</a></li> <li><a href='https://adsecurity.org/?m=201711'>November 2017</a></li> <li><a href='https://adsecurity.org/?m=201708'>August 2017</a></li> <li><a href='https://adsecurity.org/?m=201706'>June 2017</a></li> <li><a href='https://adsecurity.org/?m=201705'>May 2017</a></li> <li><a href='https://adsecurity.org/?m=201702'>February 2017</a></li> <li><a href='https://adsecurity.org/?m=201701'>January 2017</a></li> <li><a href='https://adsecurity.org/?m=201611'>November 2016</a></li> <li><a href='https://adsecurity.org/?m=201610'>October 2016</a></li> <li><a href='https://adsecurity.org/?m=201609'>September 2016</a></li> <li><a href='https://adsecurity.org/?m=201608'>August 2016</a></li> <li><a href='https://adsecurity.org/?m=201607'>July 2016</a></li> <li><a href='https://adsecurity.org/?m=201606'>June 2016</a></li> <li><a href='https://adsecurity.org/?m=201604'>April 2016</a></li> <li><a href='https://adsecurity.org/?m=201603'>March 2016</a></li> <li><a href='https://adsecurity.org/?m=201602'>February 2016</a></li> <li><a 
href='https://adsecurity.org/?m=201601'>January 2016</a></li> <li><a href='https://adsecurity.org/?m=201512'>December 2015</a></li> <li><a href='https://adsecurity.org/?m=201511'>November 2015</a></li> <li><a href='https://adsecurity.org/?m=201510'>October 2015</a></li> <li><a href='https://adsecurity.org/?m=201509'>September 2015</a></li> <li><a href='https://adsecurity.org/?m=201508'>August 2015</a></li> <li><a href='https://adsecurity.org/?m=201507'>July 2015</a></li> <li><a href='https://adsecurity.org/?m=201506'>June 2015</a></li> <li><a href='https://adsecurity.org/?m=201505'>May 2015</a></li> <li><a href='https://adsecurity.org/?m=201504'>April 2015</a></li> <li><a href='https://adsecurity.org/?m=201503'>March 2015</a></li> <li><a href='https://adsecurity.org/?m=201502'>February 2015</a></li> <li><a href='https://adsecurity.org/?m=201501'>January 2015</a></li> <li><a href='https://adsecurity.org/?m=201412'>December 2014</a></li> <li><a href='https://adsecurity.org/?m=201411'>November 2014</a></li> <li><a href='https://adsecurity.org/?m=201410'>October 2014</a></li> <li><a href='https://adsecurity.org/?m=201409'>September 2014</a></li> <li><a href='https://adsecurity.org/?m=201408'>August 2014</a></li> <li><a href='https://adsecurity.org/?m=201407'>July 2014</a></li> <li><a href='https://adsecurity.org/?m=201406'>June 2014</a></li> <li><a href='https://adsecurity.org/?m=201405'>May 2014</a></li> <li><a href='https://adsecurity.org/?m=201404'>April 2014</a></li> <li><a href='https://adsecurity.org/?m=201403'>March 2014</a></li> <li><a href='https://adsecurity.org/?m=201402'>February 2014</a></li> <li><a href='https://adsecurity.org/?m=201307'>July 2013</a></li> <li><a href='https://adsecurity.org/?m=201211'>November 2012</a></li> <li><a href='https://adsecurity.org/?m=201203'>March 2012</a></li> <li><a href='https://adsecurity.org/?m=201202'>February 2012</a></li> </ul> </div><div id="categories-2" class="sidebar-wrap widget_categories"><h3>Categories</h3> 
<ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a 
href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright 漏 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. 
The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. </p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; </script> <script type="text/javascript" src="https://www.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script type="text/javascript" id="tptn_tracker-js-extra"> /* <![CDATA[ */ var ajax_tptn_tracker = {"ajax_url":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","top_ten_id":"3164","top_ten_blog_id":"1","activate_counter":"11","top_ten_debug":"0","tptn_rnd":"426566198"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/top-10/includes/js/top-10-tracker.min.js?ver=1.0" id="tptn_tracker-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>
