Forum Discussion

StuartSquibb
Copper Contributor
Nov 27, 2020

Security assessment: Microsoft LAPS usage

We have had LAPS in our environment for a number of months now, but we have 2 issues with the LAPS usage assessment:

1. Duplicate device entries - we have around 100 devices with 2 or sometimes 3 entries in the report.
2. Data doesn't seem up to date - we have devices reported as 'LAPS is not deployed' when the LAPS attributes were updated some weeks ago. I believe from the documentation that the LAPS assessment should run every 24 hours.

Can anyone suggest causes/fixes for these issues?

Many Thanks,

Stuart.

8 Replies

  • StuartSquibb, for the device reported as "LAPS is not deployed", can you check the value of the ms-Mcs-AdmPwdExpirationTime attribute? Is it older than 60 days?

  • Or Tsemah
    Former Employee

    StuartSquibb

    Hi,

    1. Regarding the duplicated devices, can you confirm these are the same devices, not devices from other domains or that have been deleted?

    2. If you are certain that these specific devices are indeed LAPS deployed, please open a support ticket as this needs to be verified.

    Thanks!

    • StuartSquibb
      Copper Contributor

      Or Tsemah
      Having spent some time digging around in our on-prem environment, it looks as if these are objects that have been tombstoned in our AD, probably with the devices in question having been rebuilt multiple times, so this was a false alarm, sorry for wasting your time :facepalm:.

      Would it be at all possible to surface the DeviceObjectId property of devices in the downloadable versions of the LAPS reports? This would really help us in reconciling the data, as it is a common identifier between on-prem AD, Azure AD and MDI/MCAS.
      Once again, my apologies for the false alarm.

      Stuart.

      • SandyMc
        Copper Contributor

        @Or Tsemah

        Hopefully it's OK that I jump on this thread.

        I have been looking at the LAPS reports this morning and wonder if it's possible to get some more fields added?

        A lot of the machines in the report are either disabled or deleted (tombstoned) in AD. I don't see any point in following them up, so it would be good if we could filter them out.

        It would also be useful to see if the machine is active or not. Could you add lastLogonTimestamp (the replicated one) so we can see if the machine is worth following up?
        Best regards,

        Sandy
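An added example, not code from this thread or from Microsoft, that reads the two attributes discussed above straight from on-prem AD (ms-Mcs-AdmPwdExpirationTime from the first reply, lastLogonTimestamp from Sandy's request) so the assessment report can be reconciled against enabled, active computers. It assumes the ActiveDirectory RSAT module and legacy LAPS; the 60-day threshold comes from the reply above, while the 90-day inactivity window and mapping DeviceObjectId to the AD objectGUID are assumptions.

```powershell
# Added example (not the thread's or Microsoft's code). Assumes RSAT ActiveDirectory module,
# legacy LAPS schema and read access to ms-Mcs-AdmPwdExpirationTime.
Import-Module ActiveDirectory

$StaleDays    = 60   # from the reply above: expiration older than 60 days = not deployed/rotating
$InactiveDays = 90   # assumption: no logon for 90 days = machine is not active
$Now = (Get-Date).ToUniversalTime()

# Both attributes are 64-bit FILETIME values (100-ns ticks since 1601-01-01 UTC).
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

# Get-ADComputer does not return deleted (tombstoned) objects, so those drop out here,
# which removes the false alarms described earlier in the thread.
$results = Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime', lastLogonTimestamp, Enabled |
    ForEach-Object {
        $exp  = ConvertFrom-FileTime $_.'ms-Mcs-AdmPwdExpirationTime'
        $seen = ConvertFrom-FileTime $_.lastLogonTimestamp

        $lapsState = if (-not $exp) { 'NotDeployed' }
                     elseif ($exp -lt $Now.AddDays(-$StaleDays)) { 'Stale' }
                     else { 'OK' }

        [PSCustomObject]@{
            Name           = $_.Name
            DeviceObjectId = $_.ObjectGUID   # assumption: the identifier requested in the thread
            Enabled        = $_.Enabled
            LastLogon      = $seen
            Active         = ([bool]$seen -and $seen -gt $Now.AddDays(-$InactiveDays))
            PwdExpiration  = $exp
            LapsState      = $lapsState
        }
    }

# Only enabled, active machines whose LAPS state is not OK are worth following up.
$results |
    Where-Object { $_.Enabled -and $_.Active -and $_.LapsState -ne 'OK' } |
    Sort-Object LapsState, Name |
    Export-Csv -Path .\laps-followup.csv -NoTypeInformation
```

Join the CSV to the downloaded assessment report on DeviceObjectId to separate genuinely undeployed machines from disabled, inactive or rebuilt ones.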