KACE & Microsoft LAPS
Has anyone used Microsoft LAPS with KACE? We currently have KACE set up to set the local admin password for us, but we are thinking about implementing LAPS in our environment. I'm just wondering how that will work when KACE sets our local admin password. Will LAPS override KACE once the GPO gets applied to the computer?
Thanks!
Answers (1)
Posted by:
Nico_K
5 years ago
This works well and can be leveraged by KACE.
You can collect the info as a CIR etc., so you have everything in your appliance directly. The MS page shows you how to collect the info, and from that a CIR can be created.
Since the agent runs as a SYSTEM service (and not as admin), the agent is not interfered with.
Comments:
-
Do you happen to have screenshots of how you built your CIR? We are relatively new to CIR so I'm not sure how to do this.
Thanks! - abratton 5 years ago
-
Well, screenshots would not help you, since the scripts behind it are slightly more complex and linked to MY domain (which you cannot use for that).
The whole setup with KACE (as it is with any other product!) is nothing for a small article; a consultant would pay the setup for a good price (the plan, setup and test was 2 weeks for my environment, but I may need really different stuff than you).
A good primer for the logic of LAPS is here:
https://learn-powershell.net/2016/10/08/setting-up-local-administrator-password-solution-laps/
As soon as you have the right commands (or created a script to provide the results) you can go into a CIR:
Go to Inventory|Software|New and fill out the Custom Inventory Rule. Depending on what results you produce with the script or the query you need to use different types.
Since most of the CIR are Registry Requests, Text results or dates, a ShellCommandDateReturn(YOURQUERYFORTHELASTPASSWORDCHANGE) would be the option. The mario block shows you a short info about it.
Keep in mind: for already automatically inventoried software no CIR is possible. You need to add a new one if you need additional info.
CIR have two effects:
1. all devices which return a valid result are counted, so you can see in your software inventory where the CIR has been run
2. all devices which return a NON BOOLEAN result (like a ShellCommandTextReturn) add this result, in addition to 1, to the inventory of the device. - Nico_K 5 years ago
-
I have my CIR built but I'm not sure if it is correct.
ShellCommandTextReturn(powershell.exe -command "Get-ADComputer -Identity computername -prop ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime")
I obviously want this to apply to all workstations that are managed but how can I distinguish it to look at whatever computer it is running on? - abratton 5 years ago
-
Also, to answer your question (guess it's too far down to reply directly to), use the following:
get-adcomputer -identity $env:COMPUTERNAME to pull the current computer. - mtatro 5 years ago
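Putting the thread's pieces together (a ShellCommandTextReturn CIR, $env:COMPUTERNAME to target the machine the agent runs on, and the FILETIME-style ms-Mcs-AdmPwdExpirationTime attribute), here is an added example script, not code from the thread or from Quest/KACE, that reports only when the LAPS password on the current computer will next rotate. It deliberately does not read ms-Mcs-AdmPwd: that attribute is the clear-text local admin password, and returning it from a CIR would copy it into the appliance's inventory where anyone with inventory read access could see it. Assumptions: the KACE agent runs as SYSTEM on a domain-joined host (so the LDAP query uses the machine account, which can read the expiration attribute by default), no RSAT module is needed because the lookup uses the built-in [adsisearcher] accelerator, and the script path in the CIR line is a placeholder you would replace with wherever you deploy the file.

```powershell
# Added example, not the thread's or KACE's own code.
# Intended CIR entry in Inventory|Software|New (single line; path is a placeholder):
#   ShellCommandTextReturn(powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Get-LapsExpiry.ps1)

# Find this computer's own AD object. Computer accounts have a trailing '$' in sAMAccountName.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$searcher = [adsisearcher]$filter
[void]$searcher.PropertiesToLoad.Add('ms-mcs-admpwdexpirationtime')   # never ms-mcs-admpwd

try {
    $result = $searcher.FindOne()
} catch {
    # Not domain-joined, no DC reachable, or no rights to search: say so instead of failing silently.
    Write-Output "LAPS: AD lookup failed ($($_.Exception.Message))"
    exit 0
}

if (-not $result) {
    Write-Output "LAPS: computer object not found for $env:COMPUTERNAME"
    exit 0
}

$raw = $result.Properties['ms-mcs-admpwdexpirationtime']
if (-not $raw -or $raw.Count -eq 0) {
    # Attribute empty: the LAPS GPO/CSE has not applied to this machine yet.
    Write-Output "LAPS: not applied (no expiration time set)"
    exit 0
}

# The attribute is a large integer holding a Windows FILETIME (100-ns ticks since 1601, UTC).
$expires = [DateTime]::FromFileTimeUtc([int64]$raw[0])
$now     = (Get-Date).ToUniversalTime()
$status  = if ($expires -lt $now) { 'OVERDUE' } else { 'OK' }
$days    = [math]::Round(($expires - $now).TotalDays, 1)

# One line of text is what the CIR stores against the device record.
Write-Output ("LAPS expiry: {0:yyyy-MM-dd HH:mm:ss}Z status={1} days_remaining={2}" -f $expires, $status, $days)
```

Because the CIR returns a text value, the appliance lists every device that produced one and attaches the string to each device's inventory, which lets you build a Smart Label or report on the word OVERDUE to find machines where LAPS rotation has stalled. If a machine is still getting its local admin password from the older KACE script, its expiration attribute will simply stay empty, so the "not applied" branch doubles as a way to see which computers the LAPS GPO has not reached yet.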