The conversation generally starts with, "It's not possible, we need those rights" and ends with "Ok, we will try it but who do we contact when we need Local Administrator access?".
Most likely the answer is "contact support", but that could flood support depending on the size of the environment, the amount of legacy application use, and the number of users.
This exact situation led to the development of a new self-help tool called LAPS Web UI. The tool allows users to request the Local Administrator password for any computer they are authorized for, and then sets that password to expire after a configured number of hours. LAPS Web UI only requires an internal web server capable of hosting .NET Core 2.1, access to on-prem AD, and of course a working implementation of Microsoft LAPS.
1. Login
The user navigates to the published URL and logs in using their Azure AD credentials, including MFA if enabled. This URL can be internal, or external using Azure AD Application Proxy.
2. Select Computer
A list of authorized computers is presented to the user. The user is only ever able to retrieve the password for a machine in this list.
3. Copy Password
The final step displays the current LAPS password to the user. This password can then be used to perform whatever operation is required on the machine.
LAPS Web UI does not require any 'out of the norm' modifications to a standard Microsoft LAPS installation. Every operation LAPS Web UI performs falls within the normal operating procedures for LAPS.
The list of Authorized Computers that is presented to a user can be defined in a number of configurable ways.
SQL Provider
The SQL Provider allows a query to be defined that uses the identity of the user as a lookup and returns a list of computers. This method is currently used to pull the Device Affinity information from the System Center Configuration Manager database.
XML Mapping Provider
The XML Mapping Provider allows an XML structured file to be used that defines User --> Computers relationships. This file could be generated using PowerShell, for example.
Password Retrieval is completed by reading the ms-Mcs-AdmPwd attribute in Active Directory.
Password Expiration is set by modifying the ms-Mcs-AdmPwdExpirationTime attribute to expire at the time of retrieval plus the configured number of hours. This forces LAPS to expire the password using its own internal process, just as before.
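The expiration value LAPS reads from ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) stored as an Int64 decimal string, so "retrieval time + configured hours" has to be encoded in that form. The following is an added example, not code from LAPS Web UI, that computes the value to write, decodes a stored value for auditing, and checks whether a stored expiration has already passed; the retrieval timestamp is constructed.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100-nanosecond ticks
# since 1601-01-01 UTC, written to the directory as an Int64 decimal string.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(when: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks using integer arithmetic
    (float seconds would lose precision at ~1e17 ticks)."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode FILETIME ticks back to an aware UTC datetime, e.g. when
    auditing what expiration a computer object currently carries."""
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def expiration_after_retrieval(retrieved_at: datetime, hours: int) -> str:
    """Attribute value to write so LAPS rotates the password `hours` after
    it was handed out: retrieval time + configured hours, as FILETIME string."""
    return str(datetime_to_filetime(retrieved_at + timedelta(hours=hours)))


def is_expired(attribute_value: str, now: datetime) -> bool:
    """True when the stored expiration is in the past, i.e. the LAPS client
    should already have rotated the password on its next cycle."""
    return filetime_to_datetime(int(attribute_value)) <= now.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed retrieval time: 2020-01-01T00:00:00Z, configured lifetime 8 hours.
    retrieved = datetime(2020, 1, 1, tzinfo=timezone.utc)
    value = expiration_after_retrieval(retrieved, 8)
    print(value, "->", filetime_to_datetime(int(value)).isoformat())
```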
LAPS Web UI is currently in active development. Does this solution sound interesting to you? Do you have a feature you'd like to see? Contact me and let me know.