On 12-04-2023 at 10:17, Rowland Penny via samba wrote:
> On 12/04/2023 09:12, Kees van Vloten via samba wrote:
>> On 12-04-2023 at 09:57, Rowland Penny via samba wrote:
>>> On 12/04/2023 08:51, Kees van Vloten via samba wrote:
>>>> On 12-04-2023 at 09:47, Arnaud FLORENT via samba wrote:
>>>>> Hello everybody
>>>>>
>>>>> does/will samba AD support the LAPS GPO?
>>>>>
>>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
>>>>>
>>>>> As far as I understand, this requires schema extension
>>>> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>>>>
>>>> Here's a good description of what to do:
>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_laps.html#configuring-laps-for-samba-ad
>>>>
>>>> - Kees.
>>>
>>> Let me say at the start, I do not use LAPS, but isn't the TranquilIT
>>> page about using the legacy version and there appears to be a new
>>> kid in town?
>>>
>>> Rowland
>>
>> I think that is SRP, which is described in the same document.
>>
>> - Kees.
>
> Not sure you are correct there, 'legacy' uses 2 attributes, the new
> one uses 7, see here:
>
> https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
>
> Rowland

Correct, it looks like MS also changed the LAPS implementation...

The least you can and according to the MS documents should do, is to remove the LAPS Group Policy Client Side Extension, see https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-legacy

I have done that and as expected the new Windows LAPS takes over running in the described Legacy mode. Also the passwords will be changed correctly according to your legacy LAPS GPO.

As already said, for the new one a schema extension is needed, but now it is done by a PowerShell cmdlet, which needed the Active Directory Web Services on a domain controller. The question would be how to get these extensions in LDIF format, I think.

Regards
Ingo
https://github.com/WAdama

Kees van Vloten via samba wrote on 12.04.2023 at 10:21:
> Correct, it looks like MS also changed the LAPS implementation...

So it looks like 2016 domain functional level is required for this...

On 12/04/2023 at 10:21, Kees van Vloten via samba wrote:
> Correct, it looks like MS also changed the LAPS implementation...

I think I updated the schema successfully with the 6 new attributes, but unfortunately the policy is not applied.

The event log on the Windows 10 client says:

"LAPS password encryption is required but the Active Directory domain is not yet at 2016 domain functional level. The password was not updated and no changes will be made until this is corrected."

This new implementation requires 2016 domain functional level...

--
Arnaud FLORENT
IRIS Technologies
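
The two conditions reported in this thread (the new schema attributes being present, and the 2016 domain functional level that the quoted event-log message demands for encryption) can be checked offline against an LDIF export of the directory. This is an added example, not code from the thread or from Samba; the attribute names are taken from Microsoft's Windows LAPS documentation as an assumption, and the LDIF sample is constructed.

```python
# Attribute names follow Microsoft's Windows LAPS documentation (assumption;
# the thread itself does not list them).
NEW_LAPS_ATTRS = [
    "msLAPS-PasswordExpirationTime", "msLAPS-Password",
    "msLAPS-EncryptedPassword", "msLAPS-EncryptedPasswordHistory",
    "msLAPS-EncryptedDSRMPassword", "msLAPS-EncryptedDSRMPasswordHistory",
]
LEGACY_LAPS_ATTRS = ["ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]
DFL_2016 = 7  # msDS-Behavior-Version of a domain at the 2016 functional level

def parse_ldif(text):
    """Parse LDIF into [{attr_lower: [values]}]; unfolds continuation lines.
    Base64 ("attr:: ...") values are not decoded; none are needed here."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return records

def laps_readiness(ldif_text):
    """Report schema coverage and whether encrypted passwords can work."""
    records = parse_ldif(ldif_text)
    schema = {r["ldapdisplayname"][0].lower() for r in records if "ldapdisplayname" in r}
    # Only the domain head object carries the *domain* functional level.
    levels = [int(r["msds-behavior-version"][0]) for r in records
              if "msds-behavior-version" in r
              and "domaindns" in (v.lower() for v in r.get("objectclass", []))]
    dfl = levels[0] if levels else None
    missing = [a for a in NEW_LAPS_ATTRS if a.lower() not in schema]
    return {
        "legacy_schema": all(a.lower() in schema for a in LEGACY_LAPS_ATTRS),
        "missing_new_attrs": missing,
        "domain_level": dfl,
        "encryption_ready": not missing and dfl is not None and dfl >= DFL_2016,
    }

# Constructed sample: schema extended, domain still at level 4 (2008 R2).
SAMPLE = "dn: DC=example,DC=test\nobjectClass: domainDNS\nmsDS-Behavior-Version: 4\n\n" + "".join(
    f"dn: CN={a},CN=Schema,CN=Configuration,DC=example,DC=test\n"
    f"objectClass: attributeSchema\nlDAPDisplayName: {a}\n\n" for a in NEW_LAPS_ATTRS)
```

On the constructed sample the schema check passes while `encryption_ready` stays false, which is the state the last message describes.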