Recovering from a lost encryption certificate private key

Last updated 2 years ago

If you lose access to the encryption certificate's private key, any current and historical passwords encrypted with that key are not recoverable. This is why backups are so important.

To restore local admin password access in your environment, you need to publish a new certificate and force each agent to generate a new password and encrypt it with the new key.

Recovery steps

Step 1: Generate a new certificate

From the Access Manager Service configuration tool, open the Local Admin Passwords page, select the forest you need to recover from the drop-down list, and click Generate new....

Step 2: Backup the new certificate

Once the certificate has been generated, click View certificate... and on the Details tab, select Copy to file... to back up this key. Make sure you select the option to export the private key. Choose a strong password, and keep this file safe, preferably in an offline location.

Step 3: Publish the new certificate

Once you've secured your backup key, click Publish to generate a new script that publishes this certificate to AD. Run the script as a domain admin of the root forest.

Step 4: Force expire all computer passwords

To force clients to generate a new password immediately, set the lithnetAdminPasswordExpiry attribute on each computer to 0.

You can use the following script to do this. Set the $ou variable to the DN of the container where the computers are located, or leave it blank to expire the password of every computer in the domain.

# Set the OU variable to the DN of the container containing the computers that need their passwords reset,
# or leave it blank to reset all computers in the domain
$ou = ""

if ($ou -eq "")
{
    # Default to the root of the current domain
    $ou = (Get-ADDomain).DistinguishedName
}

# Make Write-Information output visible in the console
$InformationPreference = "Continue"

Get-ADComputer -SearchBase $ou -SearchScope Subtree -Properties DistinguishedName -LDAPFilter "(objectCategory=computer)" | ForEach-Object {
    # An expiry of 0 marks the password as expired, so the agent generates a new one on its next run
    $_ | Set-ADComputer -Replace @{lithnetAdminPasswordExpiry=0}
    Write-Information "Expired password on computer $($_.Name)"
}

When the agent next runs (by default this is every 60 minutes) it will detect that its password has expired, generate a new password, and encrypt it using the newly published certificate in the directory.

If you are using the password history feature, the previously used passwords can no longer be decrypted. Delete them from the directory using the following script so that users are not presented with "Password could not be decrypted" warnings in the web UI.

# Set the OU variable to the DN of the container containing the computers that need their password history cleared,
# or leave it blank to clear the history from all computers in the domain
$ou = ""

if ($ou -eq "")
{
    # Default to the root of the current domain
    $ou = (Get-ADDomain).DistinguishedName
}

# Make Write-Information output visible in the console
$InformationPreference = "Continue"

Get-ADComputer -SearchBase $ou -SearchScope Subtree -Properties DistinguishedName -LDAPFilter "(objectCategory=computer)" | ForEach-Object {
    # Remove every history entry; they were encrypted with the lost key and cannot be read anymore
    $_ | Set-ADComputer -Clear "lithnetAdminPasswordHistory"
    Write-Information "Cleared password history for computer $($_.Name)"
}
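As an added check after running the two scripts above (example code written for this page, not part of the Lithnet documentation), the following script reports which computers under $ou have rotated their password since the expiry was forced and which still carry undecryptable history. It assumes the agent replaces the 0 in lithnetAdminPasswordExpiry with a new, non-zero value when it generates a password; the page only states that 0 forces expiry.

```powershell
# Added verification example; not part of the Lithnet documentation.
# Assumption: the agent writes a new, non-zero lithnetAdminPasswordExpiry value
# once it has generated a password under the newly published certificate.

# Same convention as the recovery scripts: blank means the whole domain
$ou = ""

if ($ou -eq "")
{
    $ou = (Get-ADDomain).DistinguishedName
}

$computers = Get-ADComputer -SearchBase $ou -SearchScope Subtree `
    -LDAPFilter "(objectCategory=computer)" `
    -Properties lithnetAdminPasswordExpiry, lithnetAdminPasswordHistory

$rotated = @()   # non-zero expiry: a new password exists under the new key
$pending = @()   # expiry still 0: the agent has not run since the reset
$noValue = @()   # attribute never set: this computer may not run the agent
$history = @()   # old history entries remain and cannot be decrypted

foreach ($c in $computers)
{
    $expiry = $c.lithnetAdminPasswordExpiry

    if ($null -eq $expiry)        { $noValue += $c.Name }
    elseif ([int64]$expiry -eq 0) { $pending += $c.Name }
    else                          { $rotated += $c.Name }

    if (@($c.lithnetAdminPasswordHistory).Count -gt 0) { $history += $c.Name }
}

Write-Output ("Rotated under the new certificate : {0}" -f $rotated.Count)
Write-Output ("Still pending (expiry = 0)         : {0}" -f $pending.Count)
Write-Output ("No expiry attribute set            : {0}" -f $noValue.Count)
Write-Output ("Password history still present     : {0}" -f $history.Count)

# Agents run every 60 minutes by default; anything still pending well after that
# window, or still listed under history, needs a closer look
if ($pending.Count -gt 0) { Write-Output "Pending:";           $pending | ForEach-Object { "  $_" } }
if ($history.Count -gt 0) { Write-Output "History remaining:"; $history | ForEach-Object { "  $_" } }
```

Run it again a couple of hours after expiring the passwords; the pending list should be empty by then, and any computer that stays on it is one the agent is not reaching.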