Introducing LAPS Web UI
Removal of Local Administrator rights is everyone’s favorite topic, right?
Most likely the answer is "contact support", but that could flood support depending on the size of the environment, legacy application use, and the number of users.
This exact situation led to the development of a new self-help tool called LAPS Web UI. The tool allows users to request the Local Administrator password for any computer they are authorized for and then sets the password to expire in a configured number of hours. LAPS Web UI only requires an internal web-server capable of .NET Core 2.1, access to on-prem AD, and of course a working implementation of Microsoft LAPS.
User Flow
1. Authentication
User navigates to the published URL and logs in using their Azure AD credentials, including MFA if enabled. This URL can be internal or external using Azure App Proxies.
2. Select Computer
A list of authorized computers is presented to the user. The user is only ever able to retrieve the password for a machine in this list.
3. Copy Password
The final step displays the current LAPS password to the user. This password can then be used to perform whatever operation is required on the machine.
Backend
LAPS Web UI does not require any ‘out of the norm’ modifications to a standard Microsoft LAPS installation. Every operation LAPS Web UI performs falls within the normal operating procedures for LAPS.
Authorized Computers
The list of Authorized Computers that is presented to a user can be defined in a number of configurable ways.
SQL Provider
The SQL Provider allows a query to be defined that takes the identity of the user as the lookup key and returns a list of computers. This method is currently used to pull the Device Affinity information from the System Center Configuration Manager database.
XML Mapping Provider
The XML Mapping Provider allows an XML structured file to be used that defines User -> Computers relationships. This file could be generated using PowerShell, for example.
LAPS Operations
Password Retrieval is completed by reading the ms-Mcs-AdmPwd attribute in Active Directory.
Password Expiration is set by modifying the ms-Mcs-AdmPwdExpirationTime attribute to expire at time of retrieval + configured hours. This will force LAPS to expire the password using its own internal process just as before.
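To make those two operations concrete, here is an added Python model (not the project's own .NET code) of reading the two LAPS attributes and computing the new ms-Mcs-AdmPwdExpirationTime, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). It goes one step beyond the text by refusing to push the expiry later than the one LAPS already scheduled; the sample entry, the computer DN and the ldap3-style change shape are constructed, and no directory connection is made.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a 64-bit Windows FILETIME: 100-nanosecond
# ticks since 1601-01-01 00:00:00 UTC, stored in AD as a large-integer string.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as the FILETIME value LAPS expects."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME read from AD back into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def read_password(entry: dict, now: datetime) -> dict:
    """Retrieval step: take the two LAPS attributes as an LDAP client returns
    them (strings) and report the password together with its expiry state."""
    expires_at = filetime_to_datetime(int(entry["ms-Mcs-AdmPwdExpirationTime"]))
    return {"password": entry["ms-Mcs-AdmPwd"], "expires_at": expires_at, "expired": expires_at <= now}


def new_expiration(current_ft: int, retrieved_at: datetime, hours: int) -> int:
    """Expiration step: retrieval time + configured hours, but never later than
    the expiry LAPS already scheduled (added safeguard, not from the page: a
    self-help tool should only shorten the rotation window, never extend it)."""
    requested = datetime_to_filetime(retrieved_at + timedelta(hours=hours))
    return min(requested, current_ft)


def expiration_modify(computer_dn: str, expiry_ft: int) -> dict:
    """The single-attribute replace to send, shaped like an ldap3 modify() call
    (constructed here; nothing is written to a directory)."""
    return {"dn": computer_dn,
            "changes": {"ms-Mcs-AdmPwdExpirationTime": [("MODIFY_REPLACE", [str(expiry_ft)])]}}


if __name__ == "__main__":
    # Constructed sample entry: policy expiry 30 days out, retrieved on 2020-01-01 12:00 UTC.
    policy_expiry = datetime_to_filetime(datetime(2020, 1, 31, tzinfo=timezone.utc))
    entry = {"ms-Mcs-AdmPwd": "constructed-sample-password",
             "ms-Mcs-AdmPwdExpirationTime": str(policy_expiry)}
    retrieved_at = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    record = read_password(entry, retrieved_at)
    new_ft = new_expiration(policy_expiry, retrieved_at, hours=8)
    print(record["expires_at"], "->", filetime_to_datetime(new_ft))
    print(expiration_modify("CN=WS01,OU=Workstations,DC=example,DC=local", new_ft))
```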
LAPS Web UI is currently in active development. Does this solution sound interesting to you? Do you have a feature you’d like to see? Contact me and let me know.