From the creator of open source AdmPwd solution comes AdmPwd.E which redefines safety.
From the creator of open source AdmPwd solution, that was later adopted by Microsoft as LAPS product, comes Admin Password Manager for Enterprise (AdmPwd.E), built on the same concept as original design: securely management of password of local administrative accounts of domain joined Windows machines (more to come soon!), integrated into Group Policy, managed by Group Policy, and storing password of managed admin account with computer account in Active Directory.
Latest version implements additional features highly asked for by customers of original solution, including:
- Maintenance of password history: Administrators can get to password that was used in the past, when needed.
- Password encryption when stored in Active Directory: It is not possible to see the passwords in clear text in Active Directory. Users who have – intentionally or by mistake – read access to attribute that stores the password, cannot get to password. Password encryption addresses concerns regarding compliance of solution with various regulations, such as PCI-DSS.
- Encryption keys are maintained by dedicated service that comes with the solution – Password Decryption Service (PDS). PDS takes care of all password read and reset requests, allowing only those users who have explicit permissions to perform desired action.
- Simple to use auditing: PDS keeps clear and simple audit trail in dedicated log for every operation performed – so no need to look into thousands of events in Security log of domain controller to find out who was reading or resetting password of admin account for particular managed machine.
- Clear security model: Solution brings own security model with clear to understand “Read admin password” and “Reset admin password” permissions – so no need to understand and delegate native Read/Write/ControlAccess permissions as in original design of LAPS.
- Support for deleted objects: Need to retrieve password from deleted computer object? Solution works directly with recycled and tombstoned computer objects for password retrieval – so no need to ask administrator to restore deleted computer account, just to read password of local administrator.
- Multi-forest support: Need to manage multiple AD forests from single console? It is possible thanks to multi-forest capability of solution.
- Increased resilliency on client side: Management agent cares more for reliability of password of managed administrative account. When someone manually changes password of managed admin account (which makes password stored in Active Directory outdated), management agent can detect this and reset password during next management cycle, keeping actual password in sync with password stored in Active Directory
- Password management of domain user account. PDS can manage password of domain user accounts. Extremely useful for management of privileged accounts: passwords change automatically and eligible users can get them just in time when need them.
Coming soon: Integration with RDP Managers! User even does not need to know password to RDP to server. Integration retrieves password automatically and sends it to RDP session
- HSM support for storage of private keys: PDS can save private keys to broad range of HSM devices via Cryptomathic Crypto Service Gateway (CSG), for maximum key protection and increase value of investment to HSM solution.
Solution is simple to deploy with Windows Installer:
- MSI package for client side, installing just management agent (with alternative install even without MSI).
- This package automatically updates LAPS clients for easy upgrade from LAPS solution.
- MSI package installing management tools and password decryption service.
Solution builds an ecosystem: we maintain developer samples on GitHub, showing:
- How to integrate with management tools to provide admin password management capability from your applications – helpdesk system, homegrown applications, or similar.
- How to implement keystore for PDS to store private keys
We also publish code samples of complete projects that show how to build additional capabilities – and some of the samples may make it into mainstream product features!
We are also planning for the future capabilities of the solution. Features that we have on roadmap include:
- Implementation of Enterprise Password Vault that will allow customers to centralize important passwords nowadays scattered in personal password managers.
- More options for storage of encryption keys – Azure Key Vault (now as sample on GitHub) or on premises HSM vaults.
- … and more …
Didn’t find capability you need? Are you interested to know more? Let us know via the form below, or write mail to support (at) admpwd.com – we are able to deliver custom implementation that covers your needs