
Microsoft LAPS integration

Introduction

Microsoft provides the Local Administrator Password Solution (LAPS).
LAPS addresses the problem of using a shared local account with an identical password on every computer in the domain.
It does so by setting a randomly generated password for the shared local administrator account on each computer in the domain.
Domain administrators using this solution can determine which users are authorized to read the passwords (e.g. helpdesk administrators).

The randomly generated passwords are stored in Active Directory, protected by Access Control Lists (ACLs).
Only authorized users can read these passwords or request that they be reset.

Related Microsoft article: https://www.microsoft.com/en-us/download/details.aspx?id=46899

LAPS integration is also possible for Unix applications.

Implementation in VISULOX

Microsoft LAPS is addressed via VISULOX Resources for Windows and Unix applications.

Two types are available:

  • vlxResource=@LAPS_GLOBAL
  • vlxResource=@LAPS_USER

The resources are set via the Hints field of the application.

In the case of @LAPS_USER, the password is queried as the user of the session.
Precondition: this user must be authorized to read LAPS passwords.

In the case of @LAPS_GLOBAL, the password is queried as a VISULOX user.
This is either the user stored in the AD datasource or a user stored in an additional resource.


In Workspace, the "Force Authentication" check box can be used to enter a different account that is allowed to retrieve the LAPS credentials.

Configuration

The following VISULOX configuration parameters have to be set:

Parameter         Description
laps.datasource   Datasource of the LAPS service AD. Needed to determine the LDAP server on which the LAPS passwords are stored. If this differs from the users' datasource, a separate datasource has to be created that imports the users and groups.
laps.adminuser    Admin user for client access. VISULOX Resources can be used, for example:

                    vlxResource=@LAPS_GLOBAL:root

                  or, if the Windows admin user is different:

                    vlxResource=@LAPS_GLOBAL:serverAdmin
                    vlxResource=@LAPS_GLOBAL:clientAd

laps.audit        Successful LAPS requests are written to the corresponding session in VISULOX Audit.
laps.filter       LDAP query string used to determine the password.
laps.resource     Alternate user authorized to read LAPS passwords (if not the user of the datasource).
laps.domain       Domain of the AD/LDAP server that holds the password.


For access to a Windows system via LAPS, the FQDN of the host has to be assigned to the application.
This is the same name that can be found in the LAPS data in Active Directory, usually in the attribute dNSHostName.


Hostnames longer than 15 characters

The NetBIOS computer name of a computer object in Microsoft Active Directory cannot be longer than 15 characters.
If a computer with a longer hostname is joined to the domain, it is registered under a truncated "short name", which then no longer matches the FQDN assigned to the application.

In this case the filter can be adjusted to match on the short name instead of the FQDN.

For this purpose, the following placeholders are available in the laps.filter string. Each placeholder is substituted (Tcl regsub -all) with the value of the internal variable shown before the query is run:

  • %BASE%: replaced by $base
  • %HOST%: replaced by $host
  • %HOSTDOMAIN%: replaced by $hostdomain
  • %SHORTHOST%: replaced by $shorthost
  • %SHORTHOST_UPPERCASE%: replaced by $shorthost_upper
  • %NETBIOS%
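As an added example (not VISULOX code and not part of the original page), the following Python sketch shows how such a placeholder expansion can be implemented and checked. It assumes, which the page does not state, that %HOST% is the FQDN assigned to the application, %HOSTDOMAIN% its domain part, %SHORTHOST% the first DNS label truncated to 15 characters (the NetBIOS length limit), %SHORTHOST_UPPERCASE% and %NETBIOS% that name in upper case, and %BASE% a search base supplied by the caller. The filter templates and hostnames are constructed for the example. Substituted values are escaped per RFC 4515 so that a crafted hostname cannot change the structure of the LDAP filter, which is the check a practitioner should expect from any component that builds filters from host data.

```python
"""Added example: expand laps.filter-style placeholders with LDAP escaping.

Assumptions (not from the page): the placeholder values are derived from the
FQDN as described in the lead-in; the truncation rule (first label, 15 chars)
mirrors how Windows derives the NetBIOS name, and %NETBIOS% is mapped to the
upper-cased short name. Sample hostnames and filters are constructed.
"""

NETBIOS_MAX_LEN = 15  # NetBIOS computer names are limited to 15 characters


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    The characters * ( ) \\ and NUL are replaced by a backslash and their
    two-digit hex code, so they cannot open or close filter components.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def placeholder_values(fqdn: str, base: str) -> dict:
    """Derive the placeholder values from the host FQDN (assumed derivation)."""
    labels = fqdn.split(".", 1)
    host_label = labels[0]
    host_domain = labels[1] if len(labels) > 1 else ""
    short = host_label[:NETBIOS_MAX_LEN]  # truncated like a NetBIOS name
    return {
        "%BASE%": base,
        "%HOST%": fqdn,
        "%HOSTDOMAIN%": host_domain,
        "%SHORTHOST%": short,
        "%SHORTHOST_UPPERCASE%": short.upper(),
        "%NETBIOS%": short.upper(),
    }


def expand_filter(filter_template: str, fqdn: str, base: str) -> str:
    """Replace every placeholder in the template, escaping each substituted value."""
    result = filter_template
    for name, value in placeholder_values(fqdn, base).items():
        result = result.replace(name, ldap_escape(value))
    return result


# Constructed filter templates: one for hosts whose FQDN matches dNSHostName,
# one for hosts registered under the truncated 15-character short name.
FILTER_FQDN = "(&(objectClass=computer)(dNSHostName=%HOST%))"
FILTER_SHORT = "(&(objectClass=computer)(cn=%SHORTHOST_UPPERCASE%))"


if __name__ == "__main__":
    base = "DC=corp,DC=example,DC=com"  # constructed search base
    fqdn = "appserver-production-01.corp.example.com"  # constructed, 23-char label
    print(expand_filter(FILTER_FQDN, fqdn, base))
    print(expand_filter(FILTER_SHORT, fqdn, base))  # cn=APPSERVER-PRODU
    # A hostname carrying filter metacharacters is neutralised by escaping:
    print(expand_filter(FILTER_FQDN, "x*)(objectClass=*", base))
```

The second printed filter matches on the truncated upper-cased short name, which is the case the section above is about; the third shows that a hostname containing `*` or parentheses ends up as escaped literal characters rather than as additional filter components.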

