Local Administrator Password Solution (LAPS for short) solves the problem of using an identical local administrator account, with an identical password, on every Windows computer in a domain environment. On its own, LAPS creates a randomly generated password for a local admin account.
With RealmJoin it is possible to manage secure and individualized administrative accounts, either for local support or remote support, on a large scale. RealmJoin saves encrypted passwords in Azure Key Vault within the customer's tenant and the Azure Audit records all accesses to these passwords.
Before you can start with LAPS you have to meet the following prerequisites:
You must use Application Insights
You must have configured certain policies
We'll look at both of them below:
Application Insights plays a very important role when using LAPS. The password requests triggered by LAPS are logged by Application Insights, so it can be tracked at any time who made a password request and when and where the request was made.
More details can be found in our Application Insights article.
RealmJoin offers multiple policies to configure local administrator account management. These policies are described in the following table:
Policy (Key) | Value (Sample) | Description |
LocalAdminManagement.Inactive | true/false | Deactivates or activates local administrator management |
LocalAdminManagement.CheckInterval | "00:30" | Interval for configuration checks (hh:ss) |
LocalAdminManagement.[EmergencyAccount/SupportAccount].NamePattern | "ADM-{HEX:8}" | Admin name. HEX:8 stands for an 8-digit random hex code |
LocalAdminManagement.[EmergencyAccount/SupportAccount].DisplayName | "RealmJoin Local Administrator" | Display name of administrator account (appears on Windows) |
LocalAdminManagement.[EmergencyAccount/SupportAccount].PasswordCharSet | "!#%+23456789:[email protected] LMNPRSTUVWXYZabcdefghijkmn opqrstuvwxyz" | Charset of the password |
LocalAdminManagement.[EmergencyAccount/SupportAccount].PasswordLength | 20 | Password length |
LocalAdminManagement.[EmergencyAccount/SupportAccount].PasswordPreset | 1 | Predefined password templates (PasswordCharSet and PasswordLength not necessary) |
LocalAdminManagement.[EmergencyAccount/SupportAccount].MaxStaleness | 12:00 | Time after which the account will be removed/refreshed (when logged out after use). Format: DD.hh:MM. Not compatible with OnDemand. |
LocalAdminManagement.SupportAccount.OnDemand | true/false | Create support account on demand (account will expire after 12 hours) |
For example:
Key:
LocalAdminManagement.SupportAccount
Value:
{
    "CheckInterval": "00:30",
    "NamePattern": "ADM-{HEX:8}",
    "DisplayName": "RealmJoin Local Administrator",
    "OnDemand": true
}
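As an added example (not RealmJoin's own code), the following Python checks a policy value of this shape for the inconsistencies the table above rules out (MaxStaleness together with OnDemand, a missing PasswordCharSet/PasswordLength when no PasswordPreset is set), renders the {HEX:n} name pattern and draws a password from the configured charset with a CSPRNG. The sample policy dict and its charset are constructed for the example.

```python
import re
import secrets

# Constructed sample in the shape of the SupportAccount policy value shown
# above; the keys come from the policy table, the charset itself is assumed.
SAMPLE_POLICY = {
    "CheckInterval": "00:30",
    "NamePattern": "ADM-{HEX:8}",
    "DisplayName": "RealmJoin Local Administrator",
    "PasswordCharSet": "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz",
    "PasswordLength": 20,
    "OnDemand": True,
}

HEX_TOKEN = re.compile(r"\{HEX:(\d+)\}")  # the {HEX:n} placeholder in NamePattern

def validate_policy(policy: dict) -> list:
    """Return the consistency problems found; an empty list means the value is usable."""
    problems = []
    # The policy table marks MaxStaleness as not compatible with OnDemand.
    if policy.get("OnDemand") and "MaxStaleness" in policy:
        problems.append("MaxStaleness cannot be combined with OnDemand")
    # Without a PasswordPreset, charset and length must both be present.
    if "PasswordPreset" not in policy:
        for key in ("PasswordCharSet", "PasswordLength"):
            if key not in policy:
                problems.append(f"{key} is required when no PasswordPreset is set")
    # Without a {HEX:n} token every device would get the same account name.
    if not HEX_TOKEN.search(policy.get("NamePattern", "")):
        problems.append("NamePattern needs a {HEX:n} token")
    return problems

def render_name(pattern: str) -> str:
    """Replace each {HEX:n} token with n random upper-case hex digits."""
    def fill(m):
        n = int(m.group(1))
        return secrets.token_hex((n + 1) // 2)[:n].upper()
    return HEX_TOKEN.sub(fill, pattern)

def generate_password(charset: str, length: int) -> str:
    """Draw each character from the configured charset using the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))

def name_matches(name: str, pattern: str) -> bool:
    """Check that a rendered name fits its pattern (literal parts and hex runs)."""
    parts = HEX_TOKEN.split(pattern)  # literal, digits, literal, digits, ...
    regex = "".join(re.escape(p) if i % 2 == 0 else f"[0-9A-F]{{{p}}}"
                    for i, p in enumerate(parts))
    return re.fullmatch(regex, name) is not None
```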
It is possible to assign these policies based on user groups. For example, to deactivate local administrator management for all users except a specific group:
Key | Value | Group name |
LocalAdminManagement.Inactive | true | RealmJoin - All Users |
LocalAdminManagement.Inactive | false | CFG - RealmJoin-EnableSupportAdmin |
When a support member needs to access a secret, RealmJoin provides an interface to obtain the account name and password. When this happens, an update-secret command is sent to the client and the admin account is recreated.
Two different account types are available: an Emergency Administrator Account and a Support Administrator Account.
The Emergency Administrator Account is created by default and is available persistently on the device. Thus, it is possible to get administrative access even when there is no internet connection available or when facing other connection problems.
A corresponding RealmJoin policy can trigger the creation of a persistent administrator account. The process is as follows:
Starting point: existing or new client with RealmJoin
a) Existing client (Azure AD joined, Intune managed, RealmJoin agent installed)
b) New client (initialization during OOBE, Azure AD join, Intune enrollment, installation of RealmJoin and deployed software)
RealmJoin policy triggers RealmJoin agent to create a persistent administrator account on the client.
RealmJoin agent transfers the encrypted password to the RealmJoin backend.
RealmJoin backend stores the ciphertext in a customer-owned Azure Key Vault.
A requirement for this process is the successful deployment of the corresponding policy to the client.
Support staff need local administrative rights for in-field support (e.g. for troubleshooting connectivity issues). To obtain them, they go through the following steps:
The staff member visits the RealmJoin WebUI. On the device details, he/she will see the name of the administrator account and can request the password by clicking on the dotted text.
RealmJoin pulls the password from Azure Key Vault and displays it.
The staff is now able to get elevated rights by entering this username and password in the UAC credential prompt or performing a re-login as an administrator.
When the staff has finished all tasks, he/she logs out of the account.
The previously used account will be deleted after a defined period and a new one will be generated (following the steps already described).
The Support Administrator Account is generated on demand and is designed for one-time use.
Support staff can trigger the creation of a temporary administrator account. The process is as follows:
Starting point: existing or new client with RealmJoin
a) Existing client (Azure AD joined, Intune managed, RealmJoin agent installed)
b) New client (initialization during OOBE, Azure AD join, Intune enrollment, installation of RealmJoin and deployed software)
A support staff member requests a support account via the RealmJoin WebUI.
This triggers the RealmJoin agent to create a temporary administrator account on the client.
RealmJoin agent transfers the encrypted password to the RealmJoin backend.
RealmJoin backend stores the ciphertext in the customer-owned Azure Key Vault.
Requirements for this process:
Successful deployment of the corresponding policy to the client.
The user is logged in and RealmJoin agent is running.
Internet connectivity.
The support staff member visits the RealmJoin WebUI again (the delay depends on the configuration check interval) and follows these steps:
On the device details, he/she will see the name of the temporary administrator account. The account creation is started by clicking on Request.
After a certain time, the credentials will appear. Click the dotted password field to request the password.
RealmJoin pulls the password from Azure Key Vault and displays it.
The staff is now able to get elevated rights by entering this username and password in the UAC credential prompt or performing a re-login as an administrator.
When the staff member has finished all tasks, he/she logs out of the account.
The previously used account will be deleted after a defined period.