jborean93.win_laps

Ansible Role win_laps


This role installs and sets up the Local Administrator Password Solution (LAPS) application on Windows servers.

What You Can Do

  • Install necessary server components and set up the required Active Directory (AD) schema and permissions.
  • Create a Group Policy Object (GPO) to automatically push LAPS settings to client computers.
  • Install client components on Windows machines.

This role is mainly for testing LAPS integration in a domain setup. You can use it in real environments, but please test it thoroughly before using it in production.

Requirements

  • Windows Server 2012 R2 or later

Note: This role has been tested on Windows Server 2016. Other versions might work but are not guaranteed.

Server Side Component Requirements

To install server components, you will need:

  • A connection as a user in the Schema Admins group, or such a user specified through the opt_laps_domain_username and opt_laps_domain_password variables.
  • A connection to a domain controller as an administrator.

GPO Configuration Requirements

To configure GPO policies, connect as a user who has permissions to create and link new GPOs to organizational units.

Client Side Component Requirements

You need to be an admin on the host to install client components.

Variables

Mandatory Variables

When opt_laps_install_server or opt_laps_configure_gpo is set to True, you must provide:

  • man_laps_ou_containers: A list of organizational units (OUs) to configure with LAPS. This will set permissions in AD and link the new LAPS GPO if needed. The values should be the full distinguished name of the OU, e.g., OU=Workstations,DC=domain,DC=local.

Optional Variables

Here are some optional configurations:

  • opt_laps_admin_account: Change the admin account name managed by LAPS (defaults to BUILTIN\Administrator).
  • opt_laps_configure_gpo: If True, creates a GPO for LAPS configuration and links it to man_laps_ou_containers (default: False).
  • opt_laps_install_client: If True, installs the client components (default: False).
  • opt_laps_install_powershell: If True, installs the LAPS PowerShell module AdmPwd.PS (default: False).
  • opt_laps_install_server: If True, installs and configures server components and AD settings (default: False).
  • opt_laps_install_ui: If True, installs the LAPS UI application (default: False).
  • opt_laps_install_source: The path or URL of the LAPS installer (defaults to Microsoft's download link).
  • opt_laps_product_id: Unique product ID for the installer used for idempotency checks.
  • opt_laps_skip_reboot: If True, does not reboot the host even if required. It will set out_laps_reboot_required if skipped (default: False).

Output Variables

  • out_laps_reboot_required: Set to True if opt_laps_skip_reboot is True and a reboot was needed.

Role Dependencies

None.

Example Playbooks

Here are some sample playbooks:

- name: Install the LAPS client with UI
  hosts: windows
  gather_facts: no
  roles:
  - role: jborean93.win_laps
    opt_laps_install_client: True
    opt_laps_install_ui: True

- name: Install the LAPS server and configure it for 1 OU
  hosts: windows
  gather_facts: no
  roles:
  - role: jborean93.win_laps
    man_laps_ou_containers:
    - OU=Workstations,DC=domain,DC=local
    - OU=Accounting,DC=domain,DC=local
    opt_laps_install_server: True

- name: Install the LAPS server and create a GPO
  hosts: windows
  gather_facts: no
  roles:
  - role: jborean93.win_laps
    man_laps_ou_containers:
    - OU=Workstations,DC=domain,DC=local
    opt_laps_install_server: True
    opt_laps_configure_gpo: True

Once the role has been run, the win_ad_dacl module and others will be available for use in Ansible. This module lets you control read/write access to the password and expiry attributes. By default, only domain admins or the computer account can modify these values.

To add a new user or group to the DACL, use a task like this:

- name: Add user read access to password attribute
  win_ad_dacl:
    path: OU=Workstations,DC=ansible,DC=laps
    state: present
    aces:
    - rights: ReadProperty
      inheritance_type: Descendents
      inherited_object_type: Computer
      object_type: ms-Mcs-AdmPwd
      access: allow
      account: ANSIBLE\PasswordUsers
    - rights: ReadProperty, WriteProperty
      inheritance_type: Descendents
      inherited_object_type: Computer
      object_type: ms-Mcs-AdmPwdExpirationTime
      access: allow
      account: ANSIBLE\ExpiryUsers

Check library/win_ad_dacl.py for more details.
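Once ACEs like the ones above have been applied, it is worth verifying from a domain-joined host who actually holds rights on the password attribute under the OU. The following PowerShell audit is an added example, not code from the win_laps role; it assumes the RSAT ActiveDirectory module is available and uses Get-Acl on the AD: drive to list every allow ACE that touches ms-Mcs-AdmPwd (or all attributes) with ReadProperty, ExtendedRight or GenericAll.

```powershell
# Added example (not part of jborean93.win_laps): list principals with rights on the
# LAPS password attribute under an OU. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LapsPasswordRightsHolders {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Resolve the schemaIDGUID of ms-Mcs-AdmPwd so object-specific ACEs can be matched.
    # The attribute only exists once the LAPS server component has extended the schema.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
        -Properties schemaIDGUID
    if (-not $attr) {
        throw 'ms-Mcs-AdmPwd is not in the schema; run the role with opt_laps_install_server first.'
    }
    $pwdGuid = [guid]$attr.schemaIDGUID

    # Rights that matter for a confidential attribute: ReadProperty plus the control-access
    # extended right, or GenericAll which implies both.
    $interesting = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # An empty ObjectType means the ACE applies to every attribute, not just ms-Mcs-AdmPwd.
        ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq [guid]::Empty) -and
        (($_.ActiveDirectoryRights -band $interesting) -ne 0)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'AttributeSpecific'; Expression = { $_.ObjectType -eq $pwdGuid } }
}

# Same OU as the man_laps_ou_containers example in this README.
Get-LapsPasswordRightsHolders -OuDistinguishedName 'OU=Workstations,DC=domain,DC=local' |
    Format-Table -AutoSize
```

Anything listed besides Domain Admins, SYSTEM and the principals you deliberately granted (such as ANSIBLE\PasswordUsers above) deserves a look, and an ACE with AttributeSpecific set to False grants the right across all attributes, not only the LAPS password.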

Remember, the modules in library may change in future releases. Always review the changelog for updates before upgrading.

Testing

This role requires a domain setup and two different hosts. Setting this up in a free CI environment is difficult, so testing is currently done locally with Vagrant. To test the role, follow these steps:

pip install pypsrp

cd tests
vagrant up
ansible-playbook -i inventory.ini main.yml -vvv

These steps may take some time depending on whether the Vagrant boxes need to be downloaded. The current tests install server components on the domain controller and client components on another server and ensure that we can retrieve the password.

Backlog

  • Add an optional parameter for controlling the SACL (auditing) for each AD attribute. Feature requests are welcome!
Project information

Install LAPS on a Windows host

Install
ansible-galaxy install jborean93.win_laps
License
mit
Downloads
1.4k