Here we will discuss a common concern about LAPS: many customers have noticed that the person who joins a computer to the domain can retrieve its LAPS password even though they were never granted permission to do so. Because some organizations allow ordinary users to join their own machines to the domain, this is a real security risk for them, so let's answer two questions here:
Why does this happen?
It happens because, by default, the account that creates the computer object becomes its owner, and the CREATOR OWNER ACEs in the defaultSecurityDescriptor of the computer class in the schema are stamped onto the new object for that account. The defaultSecurityDescriptor defines the default permissions on newly created objects of a class; for more information see https://docs.microsoft.com/en-us/windows/win32/ad/default-security-descriptor
So how can we check the defaultSecurityDescriptor of the computer class?
1- Open ADSI Edit and connect to the Schema partition.
2- Right-click CN=Computer, choose Properties, then Attribute Editor, and look for defaultSecurityDescriptor.
3- As you can see, it is in Security Descriptor Definition Language (SDDL) format, so to put it into human-readable form we run the following PowerShell commands:
# The SDDL value copied from defaultSecurityDescriptor of the computer class
$defaultSD = "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;CCDC;;;PS)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)"
# Parse the SDDL into an ActiveDirectorySecurity object so the ACEs become readable access rules
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sec.SetSecurityDescriptorSddlForm($defaultSD)
# Show only the rules that apply to CREATOR OWNER (the ";;;CO" ACEs above)
$acc = New-Object System.Security.Principal.NTAccount("CREATOR OWNER")
$sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) | Where-Object { $_.IdentityReference -eq $acc }
4- In the output we see that CREATOR OWNER holds ExtendedRight (the CR flag in the ACE, "All extended rights"). Reading a confidential attribute such as the LAPS password attribute ms-Mcs-AdmPwd requires the control-access right on that attribute, and "All extended rights" on the object covers it.
This explains why computer joiners can retrieve the LAPS password: by default they own the computer object they created, and the owner's ACE carries the extended right that allows reading the object's confidential attributes.
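To see this on live objects rather than on the schema default, the following audit script (an added example, not part of the original post) lists, for every computer in an OU, who owns the object and which principals hold the control-access right that allows reading ms-Mcs-AdmPwd. It assumes the ActiveDirectory module, the LAPS schema extension, and an OU DN of your own in place of the placeholder; the joiner of each machine shows up in both columns.

```powershell
# Added example (not from the original post): audit who can read the LAPS password
# (ms-Mcs-AdmPwd) on each computer in an OU, and who owns each computer object.
# Assumptions: ActiveDirectory module available, LAPS schema extension installed,
# and $searchBase replaced with a real OU DN.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # placeholder; use your own OU

# Resolve the schemaIDGUID of ms-Mcs-AdmPwd so attribute-specific ACEs can be matched
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $admPwdAttr) { throw 'ms-Mcs-AdmPwd not found in the schema; is the LAPS schema extension installed?' }
$admPwdGuid = [guid]$admPwdAttr.schemaIDGUID

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($computer in Get-ADComputer -Filter * -SearchBase $searchBase) {
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

    # Reading a confidential attribute needs the control-access right either on that attribute
    # (ObjectType = its schemaIDGUID) or on the whole object ("All extended rights", empty ObjectType).
    # GenericAll includes ExtendedRight, so full-control holders (Domain Admins, SYSTEM) are listed too.
    # Only Allow ACEs are evaluated here; a Deny ACE on the attribute would still win at access-check time.
    $readers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $admPwdGuid)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Computer      = $computer.Name
        Owner         = $acl.Owner            # owner keeps implicit WRITE_DAC unless OWNER RIGHTS is in the DACL
        CanReadAdmPwd = ($readers -join ', ')
    }
}
```

Run it before and after any remediation: a user-joined machine shows the joiner as Owner and, while the default CREATOR OWNER ACE is still in place, also in CanReadAdmPwd.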
How can we fix this?
Actually, we have two solutions here:
1.First Solution:
Allow only dedicated service accounts, which are trusted to retrieve LAPS passwords anyway, to join computers to the domain, or use tools like SCCM to deploy the OS and join the domain.
Challenge :
Some issues, such as a broken secure channel, require the computer to be rejoined to the domain. In that case an OSD deployment is not practical: it takes time, and the machine already has user profiles and data on it. A dedicated domain-join service account can be used instead, but that may be too much work for the helpdesk, especially if it is a small team.
2. Second Solution:
This is the one I prefer, because it has no such limitation: we remove the extended right from the CREATOR OWNER ACE by updating the defaultSecurityDescriptor. The user can still join the computer to the domain but will no longer be able to read the LAPS password. Adjusting the defaultSecurityDescriptor is simple: change (A;;RPCRLCLORCSDDT;;;CO) to (A;;RPLCLORCSDDT;;;CO). Two things to keep in mind: the schema partition can only be written on the schema master by a member of Schema Admins, and defaultSecurityDescriptor is applied only when an object is created, so computers joined before the change keep the ACE they already have and must be fixed individually.
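The same change scripted, as an added example that is not part of the original post: it reads the computer class's defaultSecurityDescriptor from the schema master, replaces the CREATOR OWNER ACE exactly as described above, verifies with ActiveDirectorySecurity that CREATOR OWNER no longer holds ExtendedRight, writes the new value back and triggers a schema cache reload. It assumes the ActiveDirectory module, membership in Schema Admins, and that the ACE is still in its default form; it aborts rather than guess if it is not.

```powershell
# Added example (not from the original post): remove the CR ("All extended rights") flag from the
# CREATOR OWNER ACE in the computer class defaultSecurityDescriptor.
# Assumptions: ActiveDirectory module available, you are a member of Schema Admins, and the
# CREATOR OWNER ACE still has its default value (A;;RPCRLCLORCSDDT;;;CO).
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster            # schema writes must target the schema master
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classDN      = "CN=Computer,$schemaNC"

$oldAce = '(A;;RPCRLCLORCSDDT;;;CO)'   # default: ReadProperty, ExtendedRight (CR), ListChildren, ListObject, ReadControl, Delete, DeleteTree
$newAce = '(A;;RPLCLORCSDDT;;;CO)'     # the same ACE without CR

$class   = Get-ADObject -Server $schemaMaster -Identity $classDN -Properties defaultSecurityDescriptor
$current = [string]$class.defaultSecurityDescriptor

if (-not $current.Contains($oldAce)) {
    throw "CREATOR OWNER ACE not found in its default form on $classDN; inspect it manually before changing it."
}
$updated = $current.Replace($oldAce, $newAce)

# Sanity check: the new SDDL must parse, and CREATOR OWNER (S-1-3-0) must no longer hold
# ExtendedRight on the whole object (object-specific CO ACEs for WP/SW are left untouched).
$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sec.SetSecurityDescriptorSddlForm($updated)
$creatorOwner  = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$coExtended = $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $creatorOwner -and
        $_.ObjectType -eq [guid]::Empty -and
        $_.ActiveDirectoryRights.HasFlag($extendedRight)
    }
if ($coExtended) { throw 'CREATOR OWNER still holds ExtendedRight after the edit; aborting.' }

Set-ADObject -Server $schemaMaster -Identity $classDN -Replace @{ defaultSecurityDescriptor = $updated }

# Reload the schema cache so the new default applies to the next computer join instead of
# waiting for the periodic refresh. Existing computer objects are NOT changed by this.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()
```

Because the default is only stamped at creation time, follow this with a pass over the existing computer objects (for example with the audit script earlier in this post) and remove the joiner's ExtendedRight ACE from each one that still carries it.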
As you can see here, after updating the defaultSecurityDescriptor and rerunning the PowerShell commands, the extended right is gone.
Challenge :
We have removed the extended right, but the user is still the owner of the object, and an owner implicitly has these two permissions regardless of what the DACL says:
- WRITE_DAC: the ability to change the permissions on the object.
- READ_CONTROL: the ability to read the permissions assigned to the object.
With WRITE_DAC the user can edit the ACL and grant himself the extended right (or anything else) back, so the schema change alone is not enough. To address this, starting with Windows Server 2008 there is a well-known security principal called OWNER RIGHTS (SID S-1-3-4). When an ACE for OWNER RIGHTS is present in an object's DACL, the owner receives only the permissions that ACE grants instead of the implicit READ_CONTROL and WRITE_DAC, so we can use it to let the owner read the ACL but not write it.
So how do we do this? I simulated it in my lab: I have a user called DomainJoin that I gave permission to join machines, and now I will remove the WRITE_DAC permission and allow him only to read the ACL.
- Before applying the OWNER RIGHTS permission he had the following privileges; as you see in the highlighted part, he is able to modify permissions, which I need to remove.
- Now go to the OU of the joined computers, right-click it, choose Properties, then Security, add the OWNER RIGHTS principal and give it only read access.
- Choose Advanced, adjust the permissions for OWNER RIGHTS as needed, and make sure they apply to "This object and all descendant objects".
- Now check the DomainJoin user's effective access again: he is no longer able to modify permissions.
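The same OU change in PowerShell, as an added example that is not part of the original post: it adds an OWNER RIGHTS ACE granting only ReadControl to the computers OU, inherited by the OU and all descendant objects, and then shows the inherited ACE on one computer in that OU. It assumes the ActiveDirectory module and an OU DN of your own in place of the placeholder. Note that the ACE also applies to the OU object itself, so whoever owns the OU loses implicit WRITE_DAC on it as well.

```powershell
# Added example (not from the original post): add an OWNER RIGHTS (S-1-3-4) ACE to the computers OU
# so that object owners get only READ_CONTROL instead of the implicit READ_CONTROL + WRITE_DAC.
# Assumptions: ActiveDirectory module available and $ouDN replaced with a real OU DN.
Import-Module ActiveDirectory

$ouDN        = 'OU=Workstations,DC=corp,DC=example'   # placeholder; use your own OU
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')

$acl = Get-Acl -Path "AD:\$ouDN"

# Once any OWNER RIGHTS ACE is present in an object's DACL, the owner's implicit rights are replaced
# by whatever that ACE grants: ReadControl only, so the owner can read but not change the DACL.
# InheritanceType All = "This object and all descendant objects".
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ownerRights,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadControl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify on one computer in the OU: the OWNER RIGHTS ACE should be present, inherited,
# and limited to ReadControl.
$computer = Get-ADComputer -Filter * -SearchBase $ouDN | Select-Object -First 1
if ($computer) {
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ownerRights } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}
```

If you later need the owner of a specific object to manage its permissions again, an explicit OWNER RIGHTS ACE on that object overrides the inherited one, so the restriction can be relaxed per object without touching the OU.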
So now you have two options to address this LAPS concern: either assign dedicated service accounts for domain join, or adjust the defaultSecurityDescriptor and the owner permissions, and you are good to go.
References:
https://blogs.msdn.microsoft.com/laps/2015/07/17/laps-and-permission-to-join-computer-to-domain/