ReLAPS, bringing visibility to an overlooked security necessity.

Good hook of a title, right? Here’s why I say that: LAPS (Local Admin Password Solution) has been around for several years, and I’d be willing to bet a lot of orgs haven’t implemented it yet (total guess here, no actual data, other than my Twitter survey shown below). Good news: many have, as I had at a previous employer. It’s simple to set up, and greatly reduces a previously easily exploitable attack vector. “LAPS … mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.” -Microsoft

LAPS Twitter Survey

So there you have it: you have it set up (if not, see the previous post), and now you move on with your operational duties and focus on whatever fire your manager throws at you today. Why is that? Who seriously did client health for LAPS once it was set up? Who confirmed it was working on all endpoints? I certainly didn’t, I had “bigger fish to fry”. But as with any implementation, you need to check up on it from time to time. This shouldn’t be a surprise: you do this with the ConfigMgr Client, you monitor Client health, perhaps you have even implemented auto-remediation scripts. You probably monitor your AV / Anti-Malware system, IDS, Disk Encryption, etc. So why not LAPS?

So the team at Recast Software created a nifty dashboard for you to monitor your LAPS “health”. This is included in the Enterprise version of the Right Click Tools. Here is an image from their documentation, which has a bit more data than my little lab:

ReLAPS Security Tools screenshot

Why I like this is because I’m already in the CM Console every day, to have a dashboard for LAPS, to keep it visible and at the front of our minds, I find this highly useful.  It only takes a few seconds, pull it up, check my stats, and move on.  If I find an anomaly, I can start looking into it.

What else do I like? Glad you asked: I like that I can look up the passwords here. No need to make a special package for my Service Desk Techs to be able to look up passwords. They already have the CM Console, so I just grant them permissions to this feature and they have a powerful tool for when they need to look up these passwords for their support needs.

Is that all? Nope, I like that I can export this list to a CSV file and provide it to the Security Team / Audit Folks, who want to confirm compliance.
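
For the health check and CSV hand-off described above, here is a cross-check you can run directly against AD. It is an added example, not Recast's code or part of Right Click Tools. It assumes the legacy Microsoft LAPS schema attribute `ms-Mcs-AdmPwdExpirationTime` and the RSAT ActiveDirectory module; the OU, thresholds, output path and the `Get-LapsState` helper are placeholders made up for illustration.

```powershell
# Added example, not Recast's code. Assumes the legacy Microsoft LAPS schema
# (ms-Mcs-AdmPwdExpirationTime) and the RSAT ActiveDirectory module.
# Reads only the expiration timestamp, never the password attribute.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # placeholder OU
    [int]$StaleDays     = 30,                  # assumption: "active" = logged on within 30 days
    [string]$OutFile    = '.\laps-health.csv'  # placeholder output path
)

# Hypothetical helper: classify one computer from its raw FILETIME expiration value.
function Get-LapsState {
    param([Nullable[long]]$ExpirationFileTime, [datetime]$Now = (Get-Date))
    if ($null -eq $ExpirationFileTime) { return 'NoPassword' }   # LAPS never wrote to this object
    $expires = [datetime]::FromFileTimeUtc($ExpirationFileTime)
    if ($expires -lt $Now.ToUniversalTime()) { return 'Expired' } # rotation is overdue
    return 'Healthy'
}

$now    = Get-Date
$cutoff = $now.AddDays(-$StaleDays)
$query  = @{
    Filter     = 'Enabled -eq $true'
    SearchBase = $SearchBase
    Properties = 'ms-Mcs-AdmPwdExpirationTime', 'LastLogonDate', 'OperatingSystem'
}

$report = Get-ADComputer @query | ForEach-Object {
    $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
    [pscustomobject]@{
        Name       = $_.Name
        OS         = $_.OperatingSystem
        LastLogon  = $_.LastLogonDate
        Active     = ($_.LastLogonDate -gt $cutoff)
        LapsState  = Get-LapsState -ExpirationFileTime $exp -Now $now
        ExpiresUtc = if ($null -ne $exp) { [datetime]::FromFileTimeUtc($exp) }
    }
}

# Overall counts per state.
$report | Group-Object LapsState | Select-Object Name, Count | Format-Table -AutoSize

# Active machines that are not healthy are the ones to investigate first:
# they are talking to the domain, yet LAPS is not rotating their password.
$report | Where-Object { $_.Active -and $_.LapsState -ne 'Healthy' } |
    Sort-Object LapsState, Name | Format-Table Name, OS, LastLogon, LapsState

# Full list for the security / audit team.
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Inactive machines with an expired password are usually just powered off; the active ones in `NoPassword` or `Expired` are where the LAPS client or its policy is not applying.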


So how do you set this up? I’ve got the Right Click Tools Enterprise license and set up the Recast Management Server, so what permissions do I need to allow my Service Desk to view this dashboard? What permissions are required to allow my Service Desk the ability to view the passwords?
I’m going to go over that, building off of my last post where I set up LAPS and created AD Groups with different permissions for LAPS. Assumption before continuing: you have specific AD Groups you want to grant permissions to.

First, in my Lab, my Service Desk Tier 1-3 Support positions have different access to the CM Console. I want all of them to have the ability to see the Dashboards and pull up the passwords.
In CM:

Service Desk Tier 1 -3 Support positions have different access to the ConfigMgr Console

Before I add any permissions, this is what the Dashboard would look like without the proper permissions: (Using Service Desk Tier 1 User)

Without the proper permissions

So now we know what it looks like when you don’t have rights, let’s add some permissions. In Recast Management Server, I’ve created a ReLAPS role with just permissions for the ReLAPS console.
Testing with 3 “Rights” from the options… getting close…

Recast Management Server create a ReLAPS role

Ok, this looks better: (Still using a Service Desk Tier 1 User)

ReLAPS account setup

So what does this look like in the Recast Management Server Console?

Recast Users - LAPS Read Only

Created a ReLAPS Role with minimum requirements for ReLAPS console.

Role Permissions

Then added the LAPS Read Only Group, and assigned it to the ReLAPS Role:

Edit Role Assignments and Scope

Ok, now you can rest easy knowing your Service Desk has the ability to do only the tasks you want them to do, and no more. Sure, you probably already granted them far more rights to use other tools, but hey, if you find you have a need to only allow users to view that Dashboard, you will now know how.

