Projects STRLCPY GOAD Commits dc73b640
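--- a/ad/sevenkingdoms.local/data/config.json
+++ b/ad/sevenkingdoms.local/data/config.json
@@ -56,6 +56,7 @@
  "local_admin_password": "NgtI75cKV+Pu",
  "domain" : "north.sevenkingdoms.local",
  "path" : "DC=north,DC=sevenkingdoms,DC=local",
+ "use_laps": false,
  "local_groups" : {
  "Administrators" : [
  "north\\jeor.mormont"
@@ -119,6 +120,7 @@
  "local_admin_password": "978i2pF43UJ-",
  "domain" : "essos.local",
  "path" : "DC=essos,DC=local",
+ "use_laps": true,
  "local_groups" : {
  "Administrators" : [
  "essos\\khal.drogo"
@@ -155,9 +157,13 @@
  "netbios_name": "ESSOS",
  "ca_server": "Braavos",
  "trust" : "sevenkingdoms.local",
+ "laps_path": "OU=Laps,DC=essos,DC=local",
  "organisation_units" : {
- "Workstations" : { "path" : "DC=essos,DC=local" }
  },
+ "laps_readers": [
+ "jorah.mormont",
+ "Spys"
+ ],
  "groups" : {
  "universal" : {},
  "global" : {
@@ -249,8 +255,8 @@
  "domain_password" : "NgtI75cKV+Pu",
  "netbios_name": "NORTH",
  "trust" : "",
+ "laps_path": "OU=Laps,DC=north,DC=sevenkingdoms,DC=local",
  "organisation_units" : {
- "Workstations" : { "path" : "DC=north,DC=sevenkingdoms,DC=local" }
  },
  "groups" : {
  "universal" : {},
@@ -401,6 +407,7 @@
  "domain_password" : "8dCT-DJjgScp",
  "netbios_name": "SEVENKINGDOMS",
  "trust" : "essos.local",
+ "laps_path": "OU=Laps,DC=sevenkingdoms,DC=local",
  "organisation_units" : {
  "Vale" : { "path" : "DC=sevenkingdoms,DC=local"},
  "IronIslands" : { "path" : "DC=sevenkingdoms,DC=local"},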
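Review bot: The `laps_readers` list added at new lines 163-166 for essos.local is consumed by the laps/permissions role as the principals handed to Set-AdmPwdReadPasswordPermission, so every name in it can read the clear-text local administrator password of every computer placed under that domain's `laps_path`, and nothing in the commit records that meaning. JSON carries no comments, so describe `use_laps` (per host: selects which servers are moved into the LAPS OU and receive the CSE) and `laps_readers` (per domain) wherever the project documents the other per-domain keys. The two entries are bare names while the rest of the file qualifies principals as `essos\\khal.drogo`; worth confirming the cmdlet resolves `Spys` to the intended group.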
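--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,4 +1,4 @@
 [defaults]
 host_key_checking = false
 inventory = ./hosts
-
+display_skipped_hosts = false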
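--- a/ansible/laps.yml
+++ b/ansible/laps.yml
@@ -5,58 +5,39 @@
  data_path: "../ad/{{domain_name}}/data/"
  tags: 'data'
 
-- name: configure laps
- hosts: dc02
+- name: configure laps on DCs
+ hosts: dc01, dc02, dc03
  roles:
- - { role: 'laps', move_computer: dc02 }
+ - { role: 'laps/dc', tags: 'laps-dc' }
+ vars:
+ domain: "{{lab.hosts[dict_key].domain}}"
+ laps_path: "{{lab.domains[domain].laps_path}}"
+ hosts_dict: "{{lab.hosts}}"
 
-- name: configure laps
- hosts: dc03
+- name: configure laps on servers
+ hosts: srv02,srv03
  roles:
- - { role: 'laps', move_computer: dc03 }
+ - { role: 'laps/server', tags: 'laps-server'}
+ vars:
+ domain: "{{lab.hosts[dict_key].domain}}"
+ laps_path: "{{lab.domains[domain].laps_path}}"
+ use_laps: "{{lab.hosts[dict_key].use_laps if lab.hosts[dict_key].use_laps is defined else false}}"
 
-- name: configure laps
+- name: verify and show laps passwords
  hosts: dc01, dc02, dc03
  roles:
- - { role: 'laps', prep_servers: True }
-
-- name: configure laps
- hosts: dc02
- roles:
- - { role: 'laps', apply_dacl: dc02 }
+ - { role: 'laps/verify', tags: 'laps-verify' }
+ vars:
+ domain: "{{lab.hosts[dict_key].domain}}"
+ laps_path: "{{lab.domains[domain].laps_path}}"
+ hosts_dict: "{{lab.hosts}}"
 
-- name: configure laps
- hosts: dc03
- roles:
- - { role: 'laps', apply_dacl: dc03 }
-
-- name: configure laps
+- name: set laps users and groups permission
  hosts: dc01, dc02, dc03
  roles:
- - { role: 'laps', create_gpo: True }
-
-- name: configure laps
- hosts: dc02
- roles:
- - { role: 'laps', gpo_linked: dc02 }
-
-- name: configure laps
- hosts: dc03
- roles:
- - { role: 'laps', gpo_linked: dc03 }
-
-- name: configure laps
- hosts: srv02, srv03
- roles:
- - { role: 'laps', install_servers: True }
-
-- name: configure laps
- hosts: dc02
- roles:
- - { role: 'laps', test_deployment: dc02 }
-
-- name: configure laps
- hosts: dc03
- roles:
- - { role: 'laps', test_deployment: dc03 }
+ - { role: 'laps/permissions', tags: 'laps-permissions', when: }
+ vars:
+ domain: "{{lab.hosts[dict_key].domain}}"
+ laps_path: "{{lab.domains[domain].laps_path}}"
+ laps_readers: "{{lab.domains[domain].laps_readers if lab.domains[domain].laps_readers is defined else [] }}"
 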
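Review bot: The laps/permissions role entry at new line 38 carries an empty `when:`; a null condition is not a guard and reads like a leftover from an earlier draft, so drop it: `- { role: 'laps/permissions', tags: 'laps-permissions' }`. The `laps_readers` default to `[]` on the following lines already makes that role a no-op for domains that declare no readers. Minor: `hosts: srv02,srv03` at new line 18 lacks the space the other host lists in this file use.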
  • ansible/roles/laps/defaults/main.yml ansible/roles/laps/dc/defaults/main.yml
    Content is identical
  • ansible/roles/laps/files/comment.cmtx ansible/roles/laps/dc/files/comment.cmtx
    Content is identical
  • ansible/roles/laps/library/win_ad_dacl.ps1 ansible/roles/laps/dc/library/win_ad_dacl.ps1
    Content is identical
  • ansible/roles/laps/library/win_ad_object.ps1 ansible/roles/laps/dc/library/win_ad_object.ps1
    Content is identical
  • ansible/roles/laps/library/win_gpo.ps1 ansible/roles/laps/dc/library/win_gpo.ps1
    Content is identical
  • ansible/roles/laps/library/win_gpo_link.ps1 ansible/roles/laps/dc/library/win_gpo_link.ps1
    Content is identical
  • ansible/roles/laps/library/win_gpo_reg.ps1 ansible/roles/laps/dc/library/win_gpo_reg.ps1
    Content is identical
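--- /dev/null
+++ b/ansible/roles/laps/dc/tasks/install.yml
@@ -0,0 +1,175 @@
+---
+- name: "Create Laps OU if not exist"
+ win_dsc:
+ resource_name: ADOrganizationalUnit
+ name: "{{ laps_path.split(',')[0].split('=')[1] }}"
+ path: "{{ ','.join(laps_path.split(',')[1:]) }}"
+
+- name: Install LAPS Package on Servers
+ ansible.windows.win_package:
+ arguments: "ADDLOCAL=Management.PS,Management.ADMX ALLUSERS=1 /qn"
+ path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi
+ state: present
+ creates_path: "%ProgramFiles%\\LAPS"
+ register: pri_laps_install
+ until: pri_laps_install is success
+ retries: 3 # Try 3 times just in case it failed to download the URL
+ delay: 1
+
+- name: Reboot After Installing LAPS on Servers
+ ansible.windows.win_reboot:
+ when: pri_laps_install.reboot_required
+
+- name: Configure Password Properties
+ win_ad_object:
+ name: ms-Mcs-AdmPwd
+ attributes:
+ adminDescription: LAPS Password Attribute
+ lDAPDisplayName: ms-Mcs-AdmPwd
+ adminDisplayName: ms-Mcs-AdmPwd
+ attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
+ attributeSyntax: '2.5.5.5' # String(IAS)
+ omSyntax: 19 # String(Printable)
+ isSingleValued: True
+ systemOnly: False
+ isMemberOfPartialAttributeSet: False
+ searchFlags: 904 # RO,NV,CF,PR - http://www.frickelsoft.net/blog/?p=151
+ showInAdvancedViewOnly: False
+ context: schema
+ type: attribute
+ update_schema: True
+ # privileges required to update the schema attributes
+ become: yes
+ become_method: runas
+ become_user: SYSTEM
+
+- name: Configure Password Expiry Time
+ win_ad_object:
+ name: ms-Mcs-AdmPwdExpirationTime
+ attributes:
+ adminDescription: LAPS Password Expiration Time Attribute
+ lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime
+ adminDisplayName: ms-Mcs-AdmPwdExpirationTime
+ attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
+ attributeSyntax: '2.5.5.16' # LargeInteger
+ omSyntax: 65 # LargeInteger
+ isSingleValued: True
+ systemOnly: False
+ isMemberOfPartialAttributeSet: False
+ searchFlags: 0
+ showInAdvancedViewOnly: False
+ context: schema
+ type: attribute
+ update_schema: True
+ become: yes
+ become_method: runas
+ become_user: SYSTEM
+
+- name: Add LAPS attributes to the Computer Attribute
+ win_ad_object:
+ name: Computer
+ may_contain:
+ - ms-Mcs-AdmPwd
+ - ms-Mcs-AdmPwdExpirationTime
+ context: schema
+ update_schema: True
+ become: yes
+ become_method: runas
+ become_user: SYSTEM
+
+- name: "Apply DACL to OU Containers"
+ win_ad_dacl:
+ path: "{{laps_path}}"
+ state: present
+ aces:
+ - rights:
+ - ReadProperty
+ - WriteProperty
+ inheritance_type: Descendents
+ inherited_object_type: Computer
+ object_type: ms-Mcs-AdmPwdExpirationTime
+ access: allow
+ account: S-1-5-10 # NT AUTHORITY\SELF
+ - rights: WriteProperty
+ inheritance_type: Descendents
+ inherited_object_type: Computer
+ object_type: ms-Mcs-AdmPwd
+ access: allow
+ account: S-1-5-10
+
+- name: Create LAPS GPO
+ win_gpo:
+ name: '{{ opt_laps_gpo_name }}'
+ description: Setup by Ansible for LAPS
+ state: present
+ register: pri_laps_gpo
+
+- name: Add LAPS extension to GPO
+ win_ad_object:
+ name: '{{ pri_laps_gpo.path }}'
+ attributes:
+ # [Registry:Admin Tool][AdmPwd:Admin Tool]
+ gPCMachineExtensionNames: "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]\
+ [{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
+
+- name: Configure Password Policy Settings on GPO
+ win_gpo_reg:
+ gpo: '{{ opt_laps_gpo_name }}'
+ name: '{{ item.name }}'
+ path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
+ state: present
+ type: dword
+ value: '{{ item.value }}'
+ with_items:
+ - name: PasswordComplexity
+ value: 4
+ - name: PasswordLength
+ value: 14
+ - name: PasswordAgeDays
+ value: 30
+
+- name: Configure Expiration Protection on GPO
+ win_gpo_reg:
+ gpo: '{{ opt_laps_gpo_name }}'
+ name: PwdExpirationProtectionEnabled
+ path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
+ state: present
+ type: dword
+ value: 1
+
+- name: Remove Configuration for Expiration Protection on GPO
+ win_gpo_reg:
+ gpo: '{{ opt_laps_gpo_name }}'
+ name: PwdExpirationProtectionEnabled
+ path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
+ state: absent
+
+- name: Configure Custom Admin Username Policy on GPO
+ win_gpo_reg:
+ gpo: '{{ opt_laps_gpo_name }}'
+ name: AdminAccountName
+ path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
+ state: present
+ type: string
+
+- name: Enable the GPO
+ win_gpo_reg:
+ gpo: '{{ opt_laps_gpo_name }}'
+ name: AdmPwdEnabled
+ path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
+ state: present
+ type: dword
+ value: 1
+
+- name: Create Comment File for GPO
+ ansible.windows.win_copy:
+ src: ../files/comment.cmtx
+ dest: C:\Windows\SYSVOL\domain\Policies\{{ '{' }}{{ pri_laps_gpo.id }}{{ '}' }}\Machine\comment.cmtx
+
+- name: Ensure GPO is Linked
+ win_gpo_link:
+ name: '{{ opt_laps_gpo_name }}'
+ target: '{{laps_path}}'
+ state: present
+ enforced: True
+ enabled: True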
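Review bot: The task at new lines 131-138 sets `PwdExpirationProtectionEnabled` to 1 and the task right after it (lines 140-145) removes the same value, so the GPO ends up with that policy unset and the first task is dead weight; keep one of the two, and if leaving it unset is intentional say so in a comment such as `# expiration protection deliberately left unset: <reason>`. The LAPS MSI at line 11 is fetched by win_package from a download URL with no integrity check, and the same fetch appears in ansible/roles/laps/server/tasks/install.yml line 5; if a pinned hash is wanted, download it first with ansible.windows.win_get_url and its `checksum` option and point win_package at the local file. A one-line comment on the DACL task (lines 80-98) noting that `S-1-5-10` lets each computer write its own password and expiry but not read other machines' would help the next reader.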
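--- /dev/null
+++ b/ansible/roles/laps/dc/tasks/main.yml
@@ -0,0 +1,8 @@
+- name: laps dc install
+ import_tasks: install.yml
+ when: laps_path is defined
+
+- name: move to laps ou
+ import_tasks: move_server_to_ou.yml
+ when: laps_path is defined
+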
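--- /dev/null
+++ b/ansible/roles/laps/dc/tasks/move_server_to_ou.yml
@@ -0,0 +1,14 @@
+- name: Move server to Laps OU
+ win_shell: |
+ try {
+ Get-ADOrganizationalUnit -Identity "{{laps_path}}" > $null
+ $server=Get-AdComputer -Identity "{{hostname}}"
+ Move-ADObject -Identity $server.DistinguishedName -TargetPath "{{laps_path}}"
+ $true
+ } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+ $false
+ }
+ vars:
+ hostname: "{{item.value.hostname}}"
+ when: item.value.use_laps is defined and item.value.use_laps == true and item.value.domain == domain
+ with_dict: "{{hosts_dict}}"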
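Review bot: The win_shell at new lines 2-10 calls Move-ADObject on every play run and has no `changed_when`, so the task is reported as changed each time and, once the computer already sits under `laps_path`, the move is at best redundant; the try/catch also swallows a missing OU as a silent `$false`, which hides a real setup failure since install.yml is supposed to have created that OU just before. Check the computer's current parent against `laps_path` before moving, print a marker, and key `changed_when` on it. This drops the silent not-found path on purpose, so a missing OU now fails the play instead of passing unnoticed.
```yaml
- name: Move server to Laps OU
  win_shell: |
    $server = Get-AdComputer -Identity "{{hostname}}"
    if ($server.DistinguishedName -notlike "*,{{laps_path}}") {
      Get-ADOrganizationalUnit -Identity "{{laps_path}}" > $null
      Move-ADObject -Identity $server.DistinguishedName -TargetPath "{{laps_path}}"
      "moved"
    }
  register: laps_move
  changed_when: "'moved' in laps_move.stdout"
  # … unchanged: vars / when / with_dict …
```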
  • ansible/roles/laps/vars/main.yml ansible/roles/laps/dc/vars/main.yml
    Content is identical
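--- /dev/null
+++ b/ansible/roles/laps/permissions/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Add user or group permission to read Laps
+ win_shell: |
+ Set-AdmPwdReadPasswordPermission -OrgUnit "{{laps_path}}" -AllowedPrincipals "{{item}}"
+ with_items: "{{laps_readers}}"
+ when: laps_readers is defined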
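Review bot: The `when: laps_readers is defined` at new line 5 never acts as a guard, because ansible/laps.yml always defines `laps_readers` (defaulting it to `[]`), and the win_shell loop has no `changed_when`, so each run reports a change for every principal. Add a comment stating the reach of this grant, e.g. `# every principal in laps_readers can read the clear-text local admin password of all computers under laps_path`, and either drop the `when:` or make it `when: laps_readers | length > 0`. Whether Set-AdmPwdReadPasswordPermission reports anything useful when the ACE already exists is not visible here; if it is a pure idempotent grant, `changed_when: false` is the simplest fix.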
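--- /dev/null
+++ b/ansible/roles/laps/server/tasks/install.yml
@@ -0,0 +1,19 @@
+---
+- name: Install to Servers
+ ansible.windows.win_package:
+ arguments: "ADDLOCAL=CSE"
+ path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi
+ state: present
+ creates_path: "%ProgramFiles%\\LAPS"
+ register: pri_laps_install
+ until: pri_laps_install is success
+ retries: 3 # Try 3 times just in case it failed to download the URL
+ delay: 1
+
+- name: reboot after installing LAPS if required
+ ansible.windows.win_reboot:
+ when: pri_laps_install.reboot_required
+
+- name: Refresh GPO on the Clients
+ ansible.windows.win_command: gpupdate /force
+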
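Review bot: The `gpupdate /force` at new line 18 runs on every play and is always reported as changed, which makes the play's summary useless for spotting real drift; add `changed_when: false`, or gate it with `when: pri_laps_install is changed` if the refresh is only needed right after the CSE lands. A comment such as `# force the new LAPS CSE to pull the AdmPwd policy without waiting for the GPO refresh interval` would explain why the task exists at all.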
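--- /dev/null
+++ b/ansible/roles/laps/server/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: laps server install
+ import_tasks: install.yml
+ when: laps_path is defined and use_laps == true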
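--- a/ansible/roles/laps/tasks/main.yml
+++ /dev/null
@@ -1,271 +0,0 @@
----
-- name: Move SRV02 to Workstations OU
- win_shell: |
- try {
- Get-ADOrganizationalUnit -Identity "OU=Workstations,DC=north,DC=sevenkingdoms,DC=local" > $null
- Move-ADObject -Identity "CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local" -TargetPath "OU=Workstations,DC=north,DC=sevenkingdoms,DC=local"
- $true
- } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- $false
- }
- when: move_computer == 'dc02'
-
-- name: Move SRV03 to Workstations OU
- win_shell: |
- try {
- Get-ADOrganizationalUnit -Identity "OU=Workstations,DC=essos,DC=local" > $null
- Move-ADObject -Identity "CN=BRAAVOS,CN=Computers,DC=essos,DC=local" -TargetPath "OU=Workstations,DC=essos,DC=local"
- $true
- } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
- $false
- }
- when: move_computer == 'dc03'
-
-- name: Install LAPS Package on Servers
- ansible.windows.win_package:
- arguments: "ADDLOCAL=Management.ADMX"
- path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi
- state: present
- creates_path: "%ProgramFiles%\\LAPS"
- register: pri_laps_install
- until: pri_laps_install is success
- retries: 3 # Try 3 times just in case it failed to download the URL
- delay: 1
- when: prep_servers | bool
-
-- name: Reboot After Installing LAPS on Servers
- ansible.windows.win_reboot:
- when: prep_servers | bool and pri_laps_install.reboot_required
-
-- name: Configure Password Properties
- win_ad_object:
- name: ms-Mcs-AdmPwd
- attributes:
- adminDescription: LAPS Password Attribute
- lDAPDisplayName: ms-Mcs-AdmPwd
- adminDisplayName: ms-Mcs-AdmPwd
- attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1
- attributeSyntax: '2.5.5.5' # String(IAS)
- omSyntax: 19 # String(Printable)
- isSingleValued: True
- systemOnly: False
- isMemberOfPartialAttributeSet: False
- searchFlags: 904 # RO,NV,CF,PR - http://www.frickelsoft.net/blog/?p=151
- showInAdvancedViewOnly: False
- context: schema
- type: attribute
- update_schema: True
- # privileges required to update the schema attributes
- become: yes
- become_method: runas
- become_user: SYSTEM
- when: prep_servers | bool
-
-- name: Configure Password Expiry Time
- win_ad_object:
- name: ms-Mcs-AdmPwdExpirationTime
- attributes:
- adminDescription: LAPS Password Expiration Time Attribute
- lDAPDisplayName: ms-Mcs-AdmPwdExpirationTime
- adminDisplayName: ms-Mcs-AdmPwdExpirationTime
- attributeId: 1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2
- attributeSyntax: '2.5.5.16' # LargeInteger
- omSyntax: 65 # LargeInteger
- isSingleValued: True
- systemOnly: False
- isMemberOfPartialAttributeSet: False
- searchFlags: 0
- showInAdvancedViewOnly: False
- context: schema
- type: attribute
- update_schema: True
- become: yes
- become_method: runas
- become_user: SYSTEM
- when: prep_servers | bool
-
-- name: Add LAPS attributes to the Computer Attribute
- win_ad_object:
- name: Computer
- may_contain:
- - ms-Mcs-AdmPwd
- - ms-Mcs-AdmPwdExpirationTime
- context: schema
- update_schema: True
- become: yes
- become_method: runas
- become_user: SYSTEM
- when: prep_servers | bool
-
-- name: Apply DACL to OU Containers (north.sevenkingdoms.local)
- win_ad_dacl:
- path: 'OU=Workstations,DC=north,DC=sevenkingdoms,DC=local'
- state: present
- aces:
- - rights:
- - ReadProperty
- - WriteProperty
- inheritance_type: Descendents
- inherited_object_type: Computer
- object_type: ms-Mcs-AdmPwdExpirationTime
- access: allow
- account: S-1-5-10 # NT AUTHORITY\SELF
- - rights: WriteProperty
- inheritance_type: Descendents
- inherited_object_type: Computer
- object_type: ms-Mcs-AdmPwd
- access: allow
- account: S-1-5-10
- when: apply_dacl == 'dc02'
-
-- name: Apply DACL to OU Containers (essos.local)
- win_ad_dacl:
- path: 'OU=Workstations,DC=essos,DC=local'
- state: present
- aces:
- - rights:
- - ReadProperty
- - WriteProperty
- inheritance_type: Descendents
- inherited_object_type: Computer
- object_type: ms-Mcs-AdmPwdExpirationTime
- access: allow
- account: S-1-5-10 # NT AUTHORITY\SELF
- - rights: WriteProperty
- inheritance_type: Descendents
- inherited_object_type: Computer
- object_type: ms-Mcs-AdmPwd
- access: allow
- account: S-1-5-10
- when: apply_dacl == 'dc03'
-
-- name: Create LAPS GPO
- win_gpo:
- name: '{{ opt_laps_gpo_name }}'
- description: Setup by Ansible for LAPS
- state: present
- register: pri_laps_gpo
- when: create_gpo | bool
-
-- name: Add LAPS extension to GPO
- win_ad_object:
- name: '{{ pri_laps_gpo.path }}'
- attributes:
- # [Registry:Admin Tool][AdmPwd:Admin Tool]
- gPCMachineExtensionNames: "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]\
- [{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
- when: create_gpo | bool
-
-- name: Configure Password Policy Settings on GPO
- win_gpo_reg:
- gpo: '{{ opt_laps_gpo_name }}'
- name: '{{ item.name }}'
- path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
- state: present
- type: dword
- value: '{{ item.value }}'
- with_items:
- - name: PasswordComplexity
- value: 4
- - name: PasswordLength
- value: 14
- - name: PasswordAgeDays
- value: 30
- when: create_gpo | bool
-
-- name: Configure Expiration Protection on GPO
- win_gpo_reg:
- gpo: '{{ opt_laps_gpo_name }}'
- name: PwdExpirationProtectionEnabled
- path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
- state: present
- type: dword
- value: 1
- when: create_gpo | bool
-
-- name: Remove Configuration for Expiration Protection on GPO
- win_gpo_reg:
- gpo: '{{ opt_laps_gpo_name }}'
- name: PwdExpirationProtectionEnabled
- path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
- state: absent
- when: create_gpo | bool
-
-- name: Configure Custom Admin Username Policy on GPO
- win_gpo_reg:
- gpo: '{{ opt_laps_gpo_name }}'
- name: AdminAccountName
- path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
- state: present
- type: string
- when: create_gpo | bool
-
-- name: Enable the GPO
- win_gpo_reg:
- gpo: '{{ opt_laps_gpo_name }}'
- name: AdmPwdEnabled
- path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
- state: present
- type: dword
- value: 1
- when: create_gpo | bool
-
-- name: Create Comment File for GPO
- ansible.windows.win_copy:
- src: ../files/comment.cmtx
- dest: C:\Windows\SYSVOL\domain\Policies\{{ '{' }}{{ pri_laps_gpo.id }}{{ '}' }}\Machine\comment.cmtx
- when: create_gpo | bool
-
-- name: Ensure GPO is Linked
- win_gpo_link:
- name: '{{ opt_laps_gpo_name }}'
- target: 'OU=Workstations,DC=north,DC=sevenkingdoms,DC=local'
- state: present
- enforced: True
- enabled: True
- when: gpo_linked == 'dc02'
-
-- name: Ensure GPO is Linked
- win_gpo_link:
- name: '{{ opt_laps_gpo_name }}'
- target: 'OU=Workstations,DC=essos,DC=local'
- state: present
- enforced: True
- enabled: True
- when: gpo_linked == 'dc03'
-
-- name: Install to Servers
- ansible.windows.win_package:
- arguments: "ADDLOCAL=CSE"
- path: https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi
- state: present
- creates_path: "%ProgramFiles%\\LAPS"
- register: pri_laps_install
- until: pri_laps_install is success
- retries: 3 # Try 3 times just in case it failed to download the URL
- delay: 1
- when: install_servers | bool
-
-- name: reboot after installing LAPS if required
- ansible.windows.win_reboot:
- when: install_servers | bool and pri_laps_install.reboot_required
-
-- name: Refresh GPO on the Clients
- ansible.windows.win_command: gpupdate /force
- when: install_servers | bool
-
-- name: Retrieve LAPS Password on DC02
- win_shell: |
- $obj = Get-ADObject -Identity "CN=CASTELBLACK,OU=Workstations,DC=north,DC=sevenkingdoms,DC=local" -Properties ms-Mcs-AdmPwd
- Write-Output -InputObject $obj."ms-Mcs-AdmPwd"
- register: powershell_password
- changed_when: False
- when: test_deployment == 'dc02'
-
-- name: Retrieve LAPS Password on DC03
- win_shell: |
- $obj = Get-ADObject -Identity "CN=BRAAVOS,OU=Workstations,DC=essos,DC=local" -Properties ms-Mcs-AdmPwd
- Write-Output -InputObject $obj."ms-Mcs-AdmPwd"
- register: powershell_password
- changed_when: False
- when: test_deployment == 'dc03'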
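--- /dev/null
+++ b/ansible/roles/laps/verify/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Retrieve LAPS Password on server
+ win_shell: |
+ $server=Get-AdComputer -Identity "{{hostname}}"
+ $obj = Get-ADObject -Identity $server.DistinguishedName -Properties ms-Mcs-AdmPwd
+ Write-Output "{{hostname}}" $obj."ms-Mcs-AdmPwd"
+ register: powershell_password
+ vars:
+ hostname: "{{item.value.hostname}}"
+ when: item.value.use_laps is defined and item.value.use_laps == true and item.value.domain == domain
+ with_dict: "{{hosts_dict}}"
+
+- name: Show new laps password
+ debug: msg="{{item.stdout_lines}}"
+ when: item.stdout_lines is defined
+ with_items: "{{powershell_password.results}}"
+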
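Review bot: The retrieval task at new lines 1-10 has no `changed_when`, unlike the task it replaces in the deleted ansible/roles/laps/tasks/main.yml (`changed_when: False`), so a read-only query is reported as a change on every run; restore `changed_when: false`. Beyond that, the registered result and the debug task at lines 12-15 write each clear-text LAPS password to the controller's stdout and to any configured log_path; mark the win_shell task `no_log: true` and keep the debug behind an explicit opt-in such as `when: show_laps_password | default(false) | bool` so the passwords are only printed when someone asks for them. Since the value is read straight from `ms-Mcs-AdmPwd`, a comment stating that this task exists to prove the CSE rotated the password, not as a routine step, would make the intent clear.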