Recovering from a lost encryption certificate

If you lose access to the encryption certificate's private key, any current and historical passwords encrypted with that key are not recoverable. This is why backups are so important.

In order to restore local admin password access to your environment, you need to publish a new key, and force the agents to generate a new password and encrypt it with that key.

Recovery steps for Lithnet LAPS for the Access Manager Directory

Step 1: Generate a new certificate

From the Access Manager Service configuration tool, visit the Directory Configuration/Access Manager Directory/Lithnet LAPS page click Generate new... to create a new certificate.

Step 2: Backup the new certificate

Once the certificate has been generated, click Export... to back up the certificate. Choose a strong password, and keep this file safe, preferably in an offline location.

Step 3: Publish the new certificate

Once you've secured your backup key, click Set Active to activate the new certificate.

Step 4: Expire all computer passwords

On the Directory configuration/Access Manager Directory/Devices page, select all the appropriate devices and click Expire password. Within 60 minutes, the agents that are online will generate new passwords and store them in the directory.

Unfortunately, password history is not recoverable.

Recovery steps for Lithnet LAPS for Active Directory

Step 1: Generate a new certificate

From the Access Manager Service configuration tool, visit the Directory Configuration/Active Directory/Lithnet LAPS page, select the forest you need to recover from the drop-down list, and click Generate new....

Step 2: Backup the new certificate

Once the certificate has been generated, click Export... to back up the certificate. Choose a strong password, and keep this file safe, preferably in an offline location.

Step 3: Publish the new certificate

Once you've secured your backup key, click Publish to generate a new script to publish this certificate to AD. Run the script as a domain admin of the root forest.

Step 4: Force expire all computer passwords

In order to force clients to immediately generate a new password, we must set the lithnetPasswordExpiry attribute on each computer to 0.

You can use the following script to do this. Set the $ou variable to the DN of the container where the computers are located, or leave it as-is to expire the password of all computers in the domain.

# Set the OU variable to the DN of the container containing the computers that need their passwords reset, or leave it blank to reset all computers in the domain
$ou = ""

if ($ou -eq "")
{
    $ou = (Get-ADDomain).DistinguishedName
}

$InformationPreference = "Continue"

Get-ADComputer -SearchBase $ou -SearchScope Subtree -Properties DistinguishedName -LDAPFilter "(objectCategory=computer)" | % {
    $_ | Set-AdComputer -Replace @{lithnetAdminPasswordExpiry=0}
    Write-Information "Expired password on computer $($_.Name)"       
 }

When the agent next runs (by default this is every 60 minutes) it will detect that it's password has been expired, and generate a new password, and encrypt it using the newly published certificate in the directory.

If you are using the password history feature, those previously used passwords can no longer be decrypted. You should delete them from the directory using the following script to avoid users being presented with Password could not be decrypted warnings in the web app.

# Set the OU variable to the DN of the container containing the computers that need their password history cleared, or leave it blank to clear the history from all computers in the domain
$ou = ""

if ($ou -eq "")
{
    $ou = (Get-ADDomain).DistinguishedName
}

$InformationPreference = "Continue"

Get-ADComputer -SearchBase $ou -SearchScope Subtree -Properties DistinguishedName -LDAPFilter "(objectCategory=computer)" | % {
    $_ | Set-AdComputer -Clear "lithnetAdminPasswordHistory"
    Write-Information "Cleared password history for computer $($_.Name)"       
 }