Lightweight LAPS solution for Intune (MEM)

Managing local admin accounts with Intune has a lot of quirks; my remote colleague Rudy Ooms has already written about this extensively. He also wrote a PowerShell solution to rotate a specific local admin’s password, and had the genius idea of using Proactive Remediations (a MEM feature) to display the passwords to admins, integrated into the Intune console at no extra cost.

However, I felt I needed a more lightweight solution that:

  • does not require/modify registry keys
  • does not store the password locally
  • does not need separate detection and remediation scripts
  • automatically provisions a local admin account
  • can remove any other local admin accounts if desired
  • is language/locale-agnostic (e.g. ‘Administrators’ vs ‘Administradores’….)

Thus LeanLAPS was born!

To install/use:

1. Head into the Proactive Remediations section of MEM and click Create script package:

2. Fill out some details:

3. Download LeanLAPS.ps1 and double-check its configuration (e.g. whether other local admins should be removed, what the local admin account name should be, and the password length). Edit it with Notepad++ or another editor that keeps the file UTF-8 encoded without a BOM.

4. Set both the detection and the remediation script to LeanLAPS.ps1 and run it in 64-bit PowerShell:

5. Assign it to a device group (user groups won’t work) and deploy. By default it runs daily, but you can let it run more or less frequently; the schedule determines how often the password is reset (hourly in the example below):

6. Deploy, and then click on the script package:

7. Go to Device status and add both output columns:

Congratulations, you can now see the current local admin password of every managed Windows 10 device!
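To make the design points above concrete, here is an added example (not the LeanLAPS.ps1 script itself) of the core of such a detection/remediation script: it resolves the Administrators group by its well-known SID instead of its localized name, provisions the account on first run, rotates the password with a CSPRNG, optionally strips other members, and reports the password only through the script output. The variable names `$localAdminName`, `$passwordLength` and `$removeOtherAdmins` are assumptions for this example.

```powershell
# Added example, not the LeanLAPS.ps1 script: core of a locale-agnostic
# Proactive Remediation that provisions a local admin, rotates its
# password and reports it via the script output (nothing stored locally).
$localAdminName    = "LeanAdmin"   # assumed config names, see lead-in
$passwordLength    = 21
$removeOtherAdmins = $false

# Resolve the built-in Administrators group by well-known SID, so the
# display name ("Administrators", "Administradores", ...) never matters.
$adminGroup = Get-LocalGroup -SID "S-1-5-32-544"

# Random password from a fixed alphabet using the .NET CSPRNG
# (byte % alphabet length gives a slight modulo bias; acceptable here).
function New-RandomPassword([int]$Length) {
    $chars = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%&*"
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$newPassword = New-RandomPassword -Length $passwordLength
$securePwd   = ConvertTo-SecureString $newPassword -AsPlainText -Force

# Create the account on first run; otherwise just rotate its password.
# Note: -PasswordNeverExpires/-AccountNeverExpires are switches on New-LocalUser
# (no $true argument), but -PasswordNeverExpires takes a bool on Set-LocalUser.
$localAdmin = Get-LocalUser -Name $localAdminName -ErrorAction SilentlyContinue
if (-not $localAdmin) {
    $localAdmin = New-LocalUser -Name $localAdminName -Password $securePwd `
        -PasswordNeverExpires -AccountNeverExpires -Description "LeanLAPS managed"
} else {
    $localAdmin | Set-LocalUser -Password $securePwd -PasswordNeverExpires $true
}

# Ensure membership in Administrators (by SID); optionally remove everyone else.
$members = Get-LocalGroupMember -SID "S-1-5-32-544"
if (-not ($members | Where-Object { $_.SID -eq $localAdmin.SID })) {
    Add-LocalGroupMember -SID "S-1-5-32-544" -Member $localAdmin
}
if ($removeOtherAdmins) {
    $members | Where-Object { $_.SID -ne $localAdmin.SID } |
        ForEach-Object { Remove-LocalGroupMember -SID "S-1-5-32-544" -Member $_ }
}

# The password goes only to the script output, which Intune shows in the
# Device status output columns. Exit 0 = compliant, no separate remediation.
Write-Output "$localAdminName is a member of $($adminGroup.Name); new password: $newPassword"
exit 0
```

Because the same file serves as both detection and remediation script, exiting 0 after the rotation is enough; the password reaches admins only through Intune's reporting, never through a registry value or a file on the device.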

Note: to trigger a quick remediation, delete the relevant keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts\Execution and Reports in the client’s registry, then restart the IntuneManagementExtension service; the remediation will re-run within 5 minutes.

RBAC

If you give, for example, your helpdesk the correct Intune roles, they will be able to see the local admin passwords reported by the solution above:

60 Comments
Gold
10 days ago

Thanks, Jos. This is awesome! I’m getting the following error – have updated the variable $localAdminName = “CustomAccount”

New-LocalUser : A positional parameter cannot be found that accepts argument ‘True’.
At C:\WINDOWS\IMECache\HealthScripts\601ec906-1ca6-4958-8678-089ca2e3217e_1\detect.ps1:53 char:19
+ … ocalAdmin = New-LocalUser -PasswordNeverExpires $True -AccountNeverEx …
+ CategoryInfo : InvalidArgument: (:) [New-LocalUser], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.NewLocalUserCommand
C:\WINDOWS\IMECache\HealthScripts\601ec906-1ca6-4958-8678-089ca2e3217e_1\detect.ps1 : Something went wrong while processing the local administrators group Cannot validate argument on parameter ‘Member’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException…

Steven Walker
10 days ago

That is very clever. I like it and see a lot of usage and need for this. Great job.

Peter JM
3 days ago

Hi Jos. Thanks for the post which is very useful indeed. On line 84 and 85 you use the PowerShell [ADSI] adapter to get the members of the local administrators group. When I tested the script with my regular domain account, these commands took 30-40 seconds or more to complete. Afterwards I got a friendly warning from the SOC that I had just queried the company AD for all accounts. So I would suggest using “Get-LocalGroup -SID S-1-5-32-544” and “Get-LocalGroupMember -SID S-1-5-32-544” instead. This might also solve some of the issues described in earlier comments. And yeah…we use co-management.

Vanier
3 days ago

Solution works great. Is there a way to force an immediate password change outside of the scheduled time?

Ákos
4 days ago

RBAC pic is just crashed/missing; how could I define a custom role for only seeing this attribute? Not having GA and even not Intune Admin role.

chris
4 days ago

Great post. Is there a way to specify a local admin account to remove? I only want to remove the “administrators” account and leave all others alone.

Also it only seems to run on 1 device in the group I selected. The 1 device is the first device I setup and added the group any additional devices it doesn’t run on. Event log has no logs, other device has been rebooted and Intune sync’d multiple times.

Shane Lackey
5 days ago

Hello Jos,

I keep getting this in the event log.
Something went wrong while processing the local administrators group An error occurred while enumerating through a collection: Call cancelled.

Any ideas?

Zach
6 days ago

This is great! Thank you for your hard work! This is just what I need!

I’m getting an error however:

Something went wrong while processing the local administrators group Cannot bind parameter 'Member'. Cannot convert the "\\COMPUTERNAME\root\cimv2:Win32_UserAccount.Domain="COMPUTERNAME",Name="Administrator"" value of type "System.Management.ManagementObject#root\cimv2\Win32_UserAccount" to type "Microsoft.PowerShell.Commands.LocalPrincipal".
Kim
6 days ago

The password showing in Intune is not working?

rohgin
9 days ago

Hi Jos,

I can’t find the setting to change the maximum days between a password reset.

Is it just me or?

With regards,

rohgin

Håvard Pettersen
9 days ago

Hi and thank you for this elegant solution.
I downloaded the script today and tested it, but I get the same error as mentioned before:
Something went wrong while processing the local administrators group Cannot validate argument on parameter ‘Member’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Anders
9 days ago

Awesome feature! But all I get is “Something went wrong while processing the local administrators group An error occurred while enumerating through a collection: Call cancelled.”
No further info…

Daniël Vleeshakker
10 days ago

Hi Jos,

Great, thanks for this!

I’ve tried to use the script, but it fails on my machines at creating the user when it does not exist.

The error is: Cannot validate argument on parameter ‘Member’. The argument is null or empty. Provide an argument that is not null or empty and try again.

When running the scripts manually and asking the value of $localadmin it’s empty.