Q&A: Is Microsoft LAPS Compatible with UCS?

Question

I would like to use Microsoft LAPS and found an older guide describing how to use LAPS with Univention Corporate Server (UCS):

https://help.univention.com/t/using-laps-in-ucs-for-windows-local-administrator-passwords/7519/10

Can this guide still be used with UCS 5, and will I still receive support from Univention if I follow this approach?

Answer

In general, Microsoft LAPS can still be used with UCS 5. The required changes on the UCS side are limited to adjusting specific UCR variables. The core of the LAPS functionality is implemented on the Microsoft side by extending the Active Directory schema. On the UCS side, it is only necessary to ensure that the schema update is allowed and correctly replicated.

To allow the schema update, the following command must be executed on the UCS system that holds the FSMO role Schema Master:

ucr set samba4/schema/update/allowed=yes && /etc/init.d/samba restart

You can verify which system holds the Schema Master role with:

samba-tool fsmo show | grep SchemaMasterRole

After the schema update has been completed successfully, the UCR variable should be reset again:

ucr unset samba4/schema/update/allowed && /etc/init.d/samba restart
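The steps above, as an added example that is not part of the original answer or of any Univention tooling: a POSIX shell script that refuses to open the schema-update window unless the local host actually owns the Schema Master role, then prints the set/unset sequence from the answer. It assumes `samba-tool fsmo show` prints lines of the form `SchemaMasterRole owner: CN=NTDS Settings,CN=<DC>,...` and that the local short host name equals that DC's CN; the host names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the Univention answer: confirm that this UCS host is the
# Schema Master before opening the samba4/schema/update/allowed window.
# Assumption: `samba-tool fsmo show` prints lines such as
#   SchemaMasterRole owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...
# and the local short host name equals the DC's CN. Host names below are constructed.

# Extract the short name of the DC that owns the Schema Master role.
schema_master_host() {
    # $1: full output of `samba-tool fsmo show`
    printf '%s\n' "$1" \
        | sed -n 's/^SchemaMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
        | head -n 1
}

# Succeed only if the given short host name owns the Schema Master role
# (comparison is case-insensitive, as AD host names are).
is_schema_master() {
    # $1: fsmo output, $2: local short host name
    master=$(schema_master_host "$1" | tr 'A-Z' 'a-z')
    me=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$master" ] && [ "$master" = "$me" ]
}

# Print the commands from the answer that open and later close the update window,
# or refuse and name the real Schema Master when run on the wrong host.
schema_update_plan() {
    # $1: fsmo output, $2: local short host name
    if is_schema_master "$1" "$2"; then
        echo 'ucr set samba4/schema/update/allowed=yes && /etc/init.d/samba restart'
        echo '# ... let LAPS extend the schema and wait for replication to finish ...'
        echo 'ucr unset samba4/schema/update/allowed && /etc/init.d/samba restart'
    else
        echo "refuse: Schema Master is '$(schema_master_host "$1")', not '$2'"
        return 1
    fi
}

# Constructed sample output with placeholder DC names.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=UCS-PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=intranet
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCS-PRIMARY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=intranet'

# Use live data when samba-tool is present (a real UCS DC), otherwise the sample.
if command -v samba-tool >/dev/null 2>&1; then
    schema_update_plan "$(samba-tool fsmo show 2>/dev/null)" "$(hostname -s)"
else
    schema_update_plan "$SAMPLE_FSMO" "ucs-primary"
fi
```

The printed commands are the ones from the answer; the script only gates them on the role check so the variable is never enabled on a non-Schema-Master DC.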

Since UCS 5, the variable samba/acl_search no longer needs to be set explicitly. When unset, it already defaults to yes.

It is also worth noting that LAPS 2.0 has been released. One of its key new features is support for encrypted credentials. With the legacy LAPS implementation, credentials are stored in plain text, as also pointed out in the referenced forum discussion.

Additional information about LAPS 2.0 can be found here:

From Univention’s perspective, the LAPS functionality itself cannot be supported, as it is a Microsoft-developed feature. Therefore, direct support for LAPS behavior or functionality is limited. However, the Active Directory schema required for LAPS must replicate correctly to UCS. If issues occur during schema replication or schema integration on the UCS side, Univention can provide detailed assistance.

As with the legacy LAPS implementation, no guarantees can be given for the functionality of LAPS 2.0 in UCS environments. Currently, Univention does not offer an alternative solution to Microsoft LAPS.
