Performing an offline discovery of local admins
Last updated 2 years ago
While Access Manager provides the ability to import local administrators from computers by querying them remotely, network accessibility and permissions issues may prevent this method from working across an entire domain.

In this scenario, we can use a script, combined with group policy or another deployment tool, to query the Administrators group locally on each computer and save the results to a file share. Once all the computers have uploaded their files, they can be merged into a single CSV file that is imported into Access Manager using the CSV import function.

This guide focuses on using the group policy method for deploying this script. If you have another deployment tool, such as SCCM, feel free to use that instead.

Create a report collection share

You'll need a central location for the servers to save their CSV files to. This share needs to be accessible by all servers that you are auditing.

The New-LocalAdminReportShare.ps1 script automatically creates a share with the correct permissions to allow domain computers to create and update their own CSV file.

Download the New-LocalAdminReportShare.ps1 script, open a PowerShell command window, and run the following command:

.\New-LocalAdminReportShare.ps1 -Path "C:\local-admin-reports" -ShareName "local-admin-reports"

We'll use the folder and share name local-admin-reports throughout this guide. If you change the name of the share, remember to replace it wherever it is mentioned in this guide.

Note: because the data in these reports will eventually be uploaded into Access Manager, you should minimize access to the share to limit a malicious actor's ability to add unexpected authorization entries. The provided scripts reduce this risk by applying tight security controls to the gathered data, but you should still check and validate that the rules created match the permissions you expect to see.

Download the data collection scripts

Download the Get-LocalAdmins.ps1 and run.bat files from the script library and save them to C:\local-admin-reports\scripts. This scripts folder was created by the New-LocalAdminReportShare.ps1 script and has been configured with the permissions required to allow computers to read the scripts from this specific location.

Create a group policy

  1. Create a new group policy and link it to the OU containing the computers you want to audit

  2. Navigate to Computer Configuration ⇾ Preferences ⇾ Control Panel Settings ⇾ Scheduled Tasks

  3. Right-click and select New ⇾ Scheduled Task (At least Windows 7)

  4. Configure the following settings on the General tab:

     Setting                           Value
     Action                            Update
     Name                              Get-LocalAdmins
     Account                           SYSTEM
     Run mode                          Run whether user is logged on or not
     Run with the highest privileges   Checked

  5. On the Triggers tab:

    • Click New, and set the Begin the task drop-down to At task creation/modification

  6. On the Actions tab:

    • Click New

    • Set the action type to Start a program

    • In the Program/Script field, enter the path to the run.bat file (e.g. \\your-server\local-admin-reports\scripts\run.bat)

  7. Save the scheduled task

When the machines check in for their group policy update, the task will be created and run, and you will see your report share start filling up with CSV files.

If any .error files appear, investigate the details of the error and remediate appropriately.
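To make the collection step concrete, here is an added example of what a per-machine task of this kind does; it is not Lithnet's Get-LocalAdmins.ps1 and the share path and CSV column names are assumptions. It runs as SYSTEM from the scheduled task, enumerates the local Administrators group, writes <COMPUTERNAME>.csv to the share, and writes a .error file instead if collection fails.

```powershell
# Added illustrative collection script (not the project's own Get-LocalAdmins.ps1).
# Assumptions: the share created earlier is \\your-server\local-admin-reports and
# the CSV columns ComputerName/Principal/Sid/ObjectClass/PrincipalSource are our own.
$share   = '\\your-server\local-admin-reports'
$outFile = Join-Path $share "$env:COMPUTERNAME.csv"

try {
    # Enumerate the local Administrators group (users and groups, local or domain).
    $members = Get-LocalGroupMember -Group 'Administrators'

    $rows = foreach ($m in $members) {
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME      # the only host this file may describe
            Principal       = $m.Name                # e.g. CONTOSO\Workstation Admins
            Sid             = $m.SID.Value           # SID survives renames, keep it too
            ObjectClass     = $m.ObjectClass         # User or Group
            PrincipalSource = $m.PrincipalSource     # Local, ActiveDirectory, AzureAD ...
        }
    }

    # The computer account creates the file, so the file owner becomes DOMAIN\COMPUTERNAME$,
    # which is what the later validation step compares against the file name.
    $rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
}
catch {
    # Leave an .error file so the operator can investigate this host instead of
    # silently missing it in the merged results.
    $_ | Out-String | Set-Content -Path (Join-Path $share "$env:COMPUTERNAME.error")
}
```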

Merging the files

Once all of your computers have reported their local admin membership, you must validate and merge the data before you can import it into Access Manager.

.\Get-ValidatedAndMergedLocalAdminFile.ps1 -CSVPath 'c:\local-admin-reports' -OutFile 'c:\merged-results.csv'

This process merges the individual CSV files into one master CSV file after checking for invalid entries.

The following checks are performed on each file:

  1. The file owner should be the machine that created the file. If the file owner does not match the name of the file, a warning is logged and the file is skipped.

  2. If any computer entries inside the file do not match the owner of the file, those entries are skipped.

This is designed to protect against two specific scenarios where a malicious user is in control of one of your machines:

  1. The user tries to create an authorization file for another machine

  2. The user tries to add authorization entries for other machines to their own machine's file

However, we can't protect against a malicious user who controls a machine adding entries to that machine's own file. This isn't considered a security risk for this discovery process, because that user already controls the machine.

If you have not used the provided script to create the file share, these checks will likely fail. If you want to override them, you can use the -IgnoreOwnerErrors switch to force all the entries to be imported; in that case, carefully examine the contents of each file first.
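The two ownership checks above, re-created as an added example so the skip behaviour is visible; this is not Lithnet's Get-ValidatedAndMergedLocalAdminFile.ps1. It assumes each file is named <COMPUTERNAME>.csv, that the computer account wrote it (owner DOMAIN\COMPUTERNAME$), and that every row carries a ComputerName column (the column name is an assumption).

```powershell
# Added illustrative validate-and-merge script (not the project's own script).
# Assumptions: files are named <COMPUTERNAME>.csv, owned by DOMAIN\COMPUTERNAME$,
# and each row has a ComputerName column.
param(
    [Parameter(Mandatory)] [string] $CSVPath,
    [Parameter(Mandatory)] [string] $OutFile,
    [switch] $IgnoreOwnerErrors
)

$merged = New-Object 'System.Collections.Generic.List[object]'

foreach ($file in Get-ChildItem -Path $CSVPath -Filter '*.csv' -File) {
    # The file name is the only host this file is allowed to describe.
    $expectedHost = $file.BaseName

    # Owner comes from the NTFS security descriptor, e.g. CONTOSO\PC01$,
    # so strip the domain prefix and the trailing $ of the computer account.
    $owner     = (Get-Acl -Path $file.FullName).Owner
    $ownerHost = ($owner -split '\\')[-1].TrimEnd('$')

    # Check 1: a machine cannot create a file for another machine.
    if ($ownerHost -ne $expectedHost -and -not $IgnoreOwnerErrors) {
        Write-Warning "Skipping $($file.Name): owner '$owner' does not match the file name"
        continue
    }

    foreach ($row in Import-Csv -Path $file.FullName) {
        # Check 2: a machine cannot add entries for other machines to its own file.
        if ($row.ComputerName -ne $expectedHost -and -not $IgnoreOwnerErrors) {
            Write-Warning "Skipping entry for '$($row.ComputerName)' found in $($file.Name)"
            continue
        }
        $merged.Add($row)
    }
}

$merged | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($merged.Count) validated entries to $OutFile"
```

Entries a machine reports about itself are accepted unchanged, which is the residual risk the guide describes: review the merged file before importing it.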

Import into Access Manager

Once you've validated and merged your data, you can now import the merged CSV file into Access Manager.

Download the script, and run it from a PowerShell command prompt with the following command line.

Follow the steps in the importing mappings from a CSV file guide.
