Windows LAPS

Windows LAPS KB ID 0001822

Problem

We used to have Microsoft LAPS, now we have Windows LAPS! LAPS is a solution that lets’ you store admin passwords ‘elsewhere‘ be that in your local Active Directory or Azure Active Directory*. Unlike previously, where you had to deploy/install client software, it’s now built into Windows from the following versions.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

*Note: Is in the pipeline at time of writing traditional (on-premises) AD only is supported.

The premise is that instead of having a single (easily compromised) local admin password (or DSRM password on a DC) for your assets you can have a different password (that can be controlled with a complexity policy) for each client/server and that password is stored securely in Active Directory, (as an attribute of the computer object).

  Backup to Azure AD Backup to Local  (On-Premises) AD
Azure AD Joined Yes No
Local (On-Premises)  Joined No Yes
Hybrid Joined Yes (if not backed up to on-premises AD) Yes (if not backed up to Azure AD)
Workplace Joined No No

Solution: Windows LAPS

Firstly, FULLY update all the domain controllers in the domain.

On a DC you can load the LAPS module and look at the commandlets.

[box]

ipmo LAPS
gcm -Module

[/box]

From these commandlets the first one we need to use is Update-LapsAdSchema, this will extend the active directory schema and add the LAPS attributes to the computer objects.

[box]

Update-LapsAdSchema

[/box]

It will ask you con conform you can watch each step by pressing Y – or if you’re lazy (like me) simply press A {Enter}.

You can’t really see what it is doing, but if you’re interested, you can run the same command again with a -verbose switch on it to see exactly what going on.

OK, but what has that done? Well as I said above, the computer objects have been extended and they now have ALL have the following attributes.

Note: Yes, there’s now a LAPS tab also, but there won’t be anything in there yet.

The next commandlet we need, Set-LapsADComputerSelfPermission, will grant the computer object the rights to manage its own LAPS password, You can set this on the root of the domain if you wish. Here I have all my computer objects in an OU called PNL so I’m applying that right at the TOP LEVEL OU, and it will apply to all children OUs.

[box]

Set-LapsADComputerSelfPermission -Identity "OU=PNL,DC=pnl,DC=com"

[/box]

Setting Windows LAPS Settings via Group Policy

Create a new GPO (or edit an existing one) that links to the OU where your COMPUTER objects live. (remember if managing DSRM passwords you will also need to link the policy to the Domain Controllers OU also).

Edit the Policy and navigate to;

[box]

Computer configuration > Policies > Administrative Templates > System > LAPS

[/box]

Note: If you have a LAPS folder directly under Administrative Templates, that’s for the older Microsoft LAPS settings!

Policies to edit;

  1. Enable Password Backup for DSRM accounts : Enable
  2. Name of administrator account to manage : Enable  > laps.admin
  3. Configure Password Backup Directory : Enable > Active Directory

Note: If you already have a local admin account, built into you master computer image for example, you can use that account instead.

Further policy to edit;

  1. Password settings : Enable > (I accept the defaults)

The screen shot below shows how the policy should look before you exit the group policy editor.

Windows LAPS Local Admin

Here I’ve manually created the local user, you can either roll this out by script, GPO, or building the account into the your default image for OS deployment.

Retrieving Windows LAPS Passwords

Below you can see we can retrieve both a local Windows LAPS password for a client, or a DSRM password for a domain controller.

Simply click Show password and Copy password, and the password will be on the clipboard (as shown).

To get the password via PowerShell use the Get-LapsADPassword commandlet.

[box]

Get-LapsADPassword "PNL-Win11" -AsPlainText

[/box]

Troubleshooting Windows LAPS

The update also allows you to view LAPS event logs in the Event Viewer, like so.

Interoperability Microsoft LAPS and Window LAPS

If you have the older Microsoft LAPS running (i.e. Your end clients have the LAPS client software being deployed to them, then when the Apr 23 LAPS update is deployed to them and used, BOTH Systems may stop working. To fix this you need to disable Legacy LAPS by setting the following registry key on your clients.

[box]

HKLM > Software > Microsoft > Windows > CurrentVersion > LAPS > Config

[/box]

Create a new 32 bit DWORD value called BackupDirectory and set its value to 0 (zero).

Once the Azure AD element is fully released and supported, I’ll loop back and include that also.

Related Articles, References, Credits, or External Links

Microsoft LAPS – Deployment and Configuration

MS: What is Windows LAPS Overview

How Many Users in AD? (User Count)

KB ID 0001748

Problem

I had to get some stats from a number of customers earlier today, one of the stats I needed was the  user count from within their respective Active Directories. If you have a tedious job to do, there’s usually a PowerShell command to help!

Getting Object Numbers From Active Directory

User Count

[box]

(Get-ADUser -Filter *).Count

[/box]

Computer Count

[box]

(Get-ADComputer -Filter *).Count

[/box]

Group Count

[box]

(Get-ADGroup -Filter *).Count

[/box]

Enabled or Disabled User Count

That’s all fine, but what if you needed to only see enabled or disabled users?

[box]

(Get-AdUser -filter ‘Enabled -eq $true’).count
(Get-AdUser -filter ‘Enabled -eq $false’).count

[/box]

Group User Count

Or only users in a particular group?

[box]

(Get-ADGroup GS-VPN-Users -Properties *).Member.Count

[/box]

OU User Count

Or only users in a particular OU?

[box]

(Get-ADUser -Filter * -SearchBase “OU=Users, OU=PNL,DC=pnl,DC=com”).Count

[/box]

Related Articles, References, Credits, or External Links

NA

O365 with Duo MFA (Without a P1 License?)

KB ID 0001737

Problem

Working for a cloud service provider, (and a Duo partner). I get a lot of queries about Duo MFA for Office 365. Typically (I think) the best solution is to enable Azure Conditional Access and couple that with Trusted sites, so clients get challenged when out on the road, but not in the office. The drawback of this is Azure Conditional Access requires a P1 License, at time of writing that’s about $6 a month on top of you normal 365 licence. So it can work out expensive.

A couple of weeks ago, I was on a call with a client who wanted to use Duo Access Gateway to provide Duo MFA to their 365 tenancy. I’ve done the same thing for other clients with ADFS before, Basically you are just Federating a DAG into your Azure AD, rather than Federating an ADFS Server

This is what it looks like;

Duo MFA: DAG & Office 365 Pre-Requisites

  • Azure AD Sync needs to be setup, and a registered domain setup in your office 365 tenancy. (NOT the onmicrosoft domain!)
  • You need (at least) Duo MFA licensing to deploy. One level above free ($30 for a year).
  • DAG Server 2 x CPU, 4GB RAM, 60Gb HDD (Windows Server 2012 or newer (2019 supported) Note: You can also deploy DAG on Linux.
  • DAG Server should be in a DMZ, (not domain joined).
  • DAG Server needs IIS role installing.
  • DAG Server needs TCP Port 443 open (outbound) to Duo.
  • DAG Server needs TCP Port 443 open (Inbound) to Duo on the public IP address that your public DNS record is pointing to.
  • Download PHP (in Zip file format) Keep the Zip file handy.
  • Install a publicly signed SSL certificate (Common name or SAN must match the public DNS name). 

Note: Duo have great walkthroughs and videos on their site, this article is just to tie the various steps together.

Installing Duo MFA DAG

To setup IIS just use the following Powershell commands

[box]

import-module servermanager
add-windowsfeature Web-Server, Web-Mgmt-Tools, Web-CGI, NET-Framework-Core, Web-Asp-Net45, Web-Scripting-Tools

[/box]

Install and Bind a Publicly Signed Certificate: Let’s do this for free with Let’s Encrypt! See the following article.

Free Certificate for IIS with Let’s Encrypt

Download the newest version of PHP in zip format. and drop it on your desktop, then run the Duo Windows installer. You may be prompted to install the C++Runtime software (which may require a reboot). Post reboot the installer will launch.

Browse to and select the PHP Zip file > Next > Select the correct server hostname (if it’s not listed, then you need to enter it in the ‘hostname’ section of the https binding in IIS manager > Next > If you want to manage the DAG from any other IP addresses enter them > Next > Install.

When done  launch the ‘Configure’ page > Create an access password > Submit.

Configure Duo DAG Active Directory LDAPS Access

In the next step we need a copy of your CA Certificate (the CA that issued your domain controller(s) kerberos certificates). If you have just glazed over have a read of the following article;

Get Ready for LDAPS Channel Binding

From the DAG console > Authentication Source > Configure Sources > Select Active Directory* > Enter the FQDN of a domain controller, (the DMZ server needs to be able to resolve this I suggest putting it in the server hosts file).  > Port will be 636 (LDAPS) > Select LDAPS > Scroll down.

*You cant use Azure as a authentication source for Office365 MFA, (counter intuitively!)

Browse to and select the CA certificate you downloaded above > Set the attributes to “mail,sAMAccountName,userPrincipalName,objectGUID” > Search Base (I’m setting it to the top of my active directory e.g. ‘DC=pnl,DC=com’ > Search Attributes (I’ve set the same as the attributes above) > Search Username, set to a normal domain user account, (I’ve set-up a service account that’s just a member of ‘domain  users’ > Scroll down  > Type in the users password > Save Settings.

What should happen is, it should say LDAP Bind Successful, if it does not;

  • Make sure TCP Port 636 is open from the DMZ server to the Domain Controller(s)
  • Make sure you used the domain controller FQDN NOT its IP address, (the IP address is NOT on the Kerberos certificate).
  • Install the Remote Server Admin tools for ADDS – this will give you access to LDP exe which you can test LDAPS connectivity with (I’ve written about LDP before, use the search box above).

When happy, ensure Active Directory is set as the Active Source.

Federate Duo DAG With Azure Active Directory

Within the Duo DAG management console > Applications > Metadata > Download the Certificate  > Copy all the URLS to a notepad file.

 Copy the notepad file, and the certificate, to a domain joined server/PC that has the the Azure Active Directory Module for Powershell installed.

Execute the following commands, (change the values in RED to match your own);

[box]

Connect-MsolService
Log into your Tenancy, when prompted

get-msoldomain -domain your-domain-name.com

Make sure it says 'Managed' and NOT 'Federated'!
$dom = "your-domain-name.com"
$url = "https://portal.petenetlive.co.uk/dag/saml2/idp/SSOService.php"
$uri = "https://portal.petenetlive.co.uk/dag/saml2/idp/metadata.php"
$logoutUrl = "https://portal.petenetlive.co.uk/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://portal.petenetlive.co.uk/dag/module.php/duosecurity/logout.php"
$cert=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\dag.crt")
$certData = [system.convert]::tobase64string($cert.rawdata)
Set-MsolDomainAuthentication –DomainName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

get-msoldomain -domain your-domain-name.com
NOW it should say 'Federated'!

[/box]

Duo MFA Protect Office 365

Log into your Duo online admin console > Protect an application > Locate Office 365 (2FA with SSO self hosted) > Protect.

Unless ALL your mail clients* support modern authentication then tick “Allow legacy mail clients that only support basic auth to bypass 2FA” 

*Modern Authentication Supported on: Outlook 2013 (or newer), older Android mail clients don’t, though on modern versions of Android that you can install MS Outlook on does. Modern Apple IOS devices support modern authentication.

Click ‘Save Configuration‘.

Click “Download your Configuration File” this will download a JSON configuration file, put it somewhere your Duo DAG server can get to.

Add Office 365 MFS to Duo DAG

Back on the DAG server > Applications > Browse > Select the JSON file you downloaded above.

Open a web page, and try to log into office 365, after  you’ve entered your username, you should be forwarded to your DAG for 2FA

Related Articles, References, Credits, or External Links

NA

Adding Duo 2FA to Microsoft ADFS

KB ID 0001656

Problem

I did a Duo run through a few weeks ago, and to be honest their documentation is usually pretty good. I was spinning this up as a PoC for a client so I thought I’d put my take on the procedure here.

ADFS Duo Pre-Requisites

I already have a Duo Authentication Proxy server setup and my users are enrolled, you will need to set this up first. See the following article;

Duo: ADSync and Enroll Users via SMS

Log into the the Duo Admin Portal > Applications > Protect an Application > Search for and select Microsoft ADFS > Protect This Application.

 Copy the Integration Key, Secret Key and the API hostname to notepad.

Download the Duo AD FA MFA Adapter on your ‘first‘ ADFS server. Enter the information you copied to Notepad, (above). Tick ‘Bypass Duo Authentication when offline’, and because my users are logging on with their Office 365 UPNs, I’m also ticking ‘Use UPN username format’ (SEE USERNAME NORMALISATION NOTE BELOW.)

Note: I only have one ADFS server, if you have an ADFS Server farm you will need to install each one with the SAME shared session key, you can generate one of these yourself in PowerShell with the following commands;

[box]

$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)

[/box]

I only have one, so I’ll simply ‘Generate new session key‘ > Finish the install wizard.

Note: If one has already been deployed, and you don’t know the key, go to the ADFS server on which it’s working, and look in the following registry key.

[box]

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoAdfs\AKey

[/box]

USERNAME NORMALISATION: Because I’m logging users on with UPNs (first-name.last-name.domain-name.com) Back in the Duo Portal under protected applications Microsoft ADFS > Set username normalisation to ‘None” > Scroll down and save the change.

Server 2019 Only: I’m deploying on Server 2019 so I also need to execute the following Powershell command, you will need to enter YOUR API Hostname (you copied above).

[box]

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src api-xxxxxxxx.duosecurity.com"

[/box]

Launch the ADFS Management Console > Authentication Methods > Additional Authentication Methods > Edit.

Tick ‘Duo Authentication for AD FS {version}’ > Apply > OK.

Relying Party Trust > Here I have my Office 365 trust, yours may be for something else! Edit Access Control Policy.

Click ‘Use Access Control Policy’ > The one I want is ‘Permit Everyone and Require MFA for Specific Group‘. This way I can select who gets 2FA challenged, and I can migrate users slowly into this group once I know they are enrolled, (also I use the same group to Sync the users to Duo to make things simple). Change the <parameter> and locate you domain security group.

Now when the users connect to ADFS, after they logon, they are challenged to provide 2FA authentication.

like so;

Related Articles, References, Credits, or External Links

NA

Windows Group Policy – Disable The Local Windows Firewall

KB ID 0001090

Problem

I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections

[/box]

6. Set the policy to disabled.

7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).

SBS Note

An (SBS) Small Business Server domain enables the client firewall by default! The policy us called Windows Firewall Policy, which is usually linked to the computer OU under  ‘My Business’.

Related Articles, References, Credits, or External Links

Windows – Open a Firewall Port with Group Policy

Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening command line and schema prepping, and GP prepping etc. Now all this happens in the background when adding a 2019 domain controller and the wizard is doing the heavy lifting for you.

Solution

2008 to 2019 Domain Controller

2008 to 2016 Domain Controller

Obviously the server needs to be a domain member first!

  • For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
  • For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.

Before You Start!

Remember if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (Radius Devices, Firewalls, RSA Appliances, Proxy Filters, Security door software, etc).

Procedure: Deploy a 2019 Domain Controller

With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’  > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

Role Based… > Next.

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

Select Active Directory Domain Services > Next.

Next.

Next.

Ensure ‘Restart’ is selected > Next.

Next.

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

Type and confirm a Directory Services Restore Mode Password (DSRM,) make it something you will remember in a crisis, or store it securely somewhere > Next.

This is fine, You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example if your domain name is petelnetlive.co.uk > Then I do not have access to create a delegation in the .co domain space. (So you can safely ignore) > Next

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directly over a ‘pants’ connection > I’ve not had to do that in a long time > Next.

Unless you want to change the default AD install locations > Next.

Next.

Read any warnings  > Install

Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.

You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).

 

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Forcing Azure AD Connect Sync

KB ID 0001590

Problem

If you are using Azure AD Connect, (AAD Connect) to sync your on-premise Active Directory with Azure AD (i.e. for Office 365), then there may be times when you need to manually ‘force a replication’ because by default it’s going to take 30 minutes between each normal ‘delta replication’

Solution

If you are directly on the server that’s running Azure AD connect, then use the following PowerShell. If you Don’t know which server is running AD connect the see the following link;

Locate Your Azure AD Connect Server

Firstly you need to add in the correct module, (you only have to do this once). Though the module should be already installed on the Sync server, let’s not tempt fate and check. (You can also use Get-Module to view installed modules).

[box]

Import-Module ADSync

[/box]

Note: If you get an error you may need to run Import-Module “C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1”

Then to Manually Force a Synchronisation;

[box]

To Perform a FULL Sync
Start-ADSyncSyncCycle -PolicyType Initial
To Perform a (Normal) Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

[/box]

You can view the Sync settings with;

[box]

Get-ADSyncScheduler

[/box]

But I don’t like that, I prefer to watch synchronisations going on on the ‘Syntonisation Service Manager’ console, you can spot and troubleshoot errors in here also 🙂

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

[box]

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock { 
Import-Module ADSync 
Start-ADSyncSyncCycle -PolicyType Delta 
}

[/box]

Disable and Enable Azure AD Sync

[box]

Disable
Set-ADSyncScheduler -SyncCycleEnabled $False
Enable
Set-ADSyncScheduler -SyncCycleEnabled $True	

[/box]

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

AAD Contains Another Object With The Same DN

Azure AD Connect: Correct Or Remove Duplicate Values

KB ID 0001588

Problem

I was doing some work for a School recently, their staff were already using Office 365 and their tenancy was all setup. Now they wanted to roll Office 365 out to the pupils, and sync to their on premises Active Directory.

Now we could have simply excluded the staff from the Azure AD Connect Sync, but they want to manage their passwords etc. on-premises. Microsoft will tell you if you DON’T have an on-premises Exchange (they didn’t), then you simply need to enter the correct email address on the user object and the correct accounts will match up and sync, however they did not, this happened instead;

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[{“Key”:”ObjectId”,”Value”:[“6ef8d8d0-2893-4d46-83e3-bf819ea607d2”]},{“Key”:”ObjectIdInConflict”,”Value”:[“56a72044-de5b-43ce-82b1-edb82c80395e”]},{“Key”:”AttributeConflictName”,”Value”:[“ProxyAddresses”]},{“Key”:”AttributeConflictValues”,”Value”:[“SMTP:username@domain-name.com“]}]

OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but not the same AD attribute. But changing that didn’t fix the problem either?

Solution

Well we are syncing on-premises Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)

Within Office 365 Admin > Admin Centers > Azure Active Directory.

Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.

Sync errors.

Duplicate Attribute.

Select the affected user(s) > Troubleshoot.

Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.

Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.

Related Articles, References, Credits, or External Links

AAD Contains Another Object With The Same DN