LAPS\n is an incredibly useful free tool provided by Microsoft to \nautomatically manage the Local Administrator account password for your \ndomain joined Windows computers, and is a security tool that any \norganisation with an Active Directory domain should have.<\/p>\n\n\n\n
However, the client user interface it provides leave a lot to be desired as it only works on Windows computers and is very simple in design. So today we\u2019re going to take that one step further by installing and configuring OVERLAPS<\/a>.<\/p>\n\n\n\n OVERLAPS <\/a>is a third party add-on for LAPS which provides a web interface, so you can now access LAPS managed passwords from any device, including mobile phones, while on the move.<\/p>\n\n\n\n This guide will take you through the setup and configuration of OVERLAPS. However, it only contains a subset of the information available in the full Setup Guide which we recommend downloading (PDF available here)<\/a> for the full and very latest information.<\/p>\n\n\n\n We\u2019re going to be installing OVERLAPS on a Windows Server 2016 box with nothing else on it, but it can be installed on any Windows device after Server 2012 R2 or Windows 10.<\/p>\n\n\n\n OVERLAPS a really light-weight application, so we\u2019ve just setup a single core, 512Mb RAM virtual machine in Hyper-V for this demonstration, and it really doesn\u2019t need more than that.<\/p>\n\n\n\n In\n the real world, we\u2019d probably recommend installing it on an existing \nhost so you\u2019re not paying for another Window licence. The only gotcha to\n watch out for is if another internet service is already using ports 80 \nor 443, but we\u2019ll cover that later.<\/p>\n\n\n\n When it comes to actually using OVERLAPS, the web interface requires any modern web browser with JavaScript enabled.<\/p>\n\n\n\n Double click the OVERLAPS installer to start the installation process.<\/p>\n\n\n\n The End User Licence Agreement will display. There aren\u2019t any surprises in there though, so once you\u2019re happy check the \u201cI accept\u2026\u201d box and click Next.<\/p>\n\n\n\n You may notice a command window popping up briefly. This is the database upgrade handler which is responsible for creating the database file if needed and, when installing version 2.0 for the first time, importing all of your configuration data into it.<\/p>\n\n\n\n Once the installation process has completed, you\u2019ll be shown a success message.<\/p>\n\n\n\n If everything went to plan, you should now see the OVERLAPS service installed and running. You can check this by running the Services system tool (Start -> Run -> services.msc).<\/p>\n\n\n\n If you notice the service isn\u2019t running, check the log file in the below folder for problems. The most common cause for failure is because another process is already serving HTTP content on port 80.<\/p>\n\n\n\n If this happens, or if you want to change the port for another reason, you can do so by editing the OVERLAPS configuration file (config.xml).<\/p>\n\n\n\n By default, the OVERLAPS is configured to use port 80 for unencrypted (HTTP) traffic and port 443 for encrypted (HTTPS) traffic. Note that HTTPS is not enabled by default as you first need to install a certificate either from a Certificate Authority, generated from your own root certificate, or using a Self-Signed certificate (https:\/\/int64software.com\/blog\/2020\/04\/20\/creating-a-self-signed-ssl-certificate-for-your-intranet-services\/<\/a>).<\/p>\n\n\n\n The ports can be changed to any valid port number (1\u201365535), but remember to check a list of known ports (such as this handy one on Wikipedia<\/a>, or this list of default ports used by Windows<\/a>) to make sure you don\u2019t conflict with anything.<\/p>\n\n\n\n Any changes to the configuration file require the OVERLAPS service to be restarted. You can do this by right clicking the service and selecting Restart (or just Start if the service is already stopped).<\/p>\n\n\n\n If you have purchased an OVERLAPS licence then you will be able to generate and download a licence file from your Downloads section on our website. This file will need to be placed in the OVERLAPS data folder (see below) before it will work.<\/p>\n\n\n\n Once the file is in place, restart the OVERLAPS service. If it worked correctly, you will get the login page when going to the server\u2019s IP address\/hostname from a web browser. If you receive a licence error, try downloading the file again.<\/p>\n\n\n\n As of version 2.0, OVERLAPS replaced the legacy lapsuser configuration tool with the more comprehensive olconfig command line utility.<\/p>\n\n\n\n This tool still allows you to manage users, but also adds functionality for configuring Kerberos and installing SSL\/TLS certificates.<\/p>\n\n\n\n Command line help can be viewed for each function using the following commands:<\/p>\n\n\n\n By default, the OVERLAPS web server will use the NT LAN Manager (NTLM) to handle Integrated Authentication requests (as opposed to the form login method). While this is fine for most cases, NTLM has been shown to be vulnerable to certain Man-In-The-Middle attacks, so it is recommended that you configure it to use Kerberos instead.<\/p>\n\n\n\n To configure Kerberos, you must define a Service Principal Name (SPN) for the server. You can do this in one of two ways: automatically using the \u201colconfig.exe\u201d command line tool included with OVERLAPS, or manually using the \u201csetspn.exe\u201d tool provided by Windows.<\/p>\n\n\n\n Enabling Kerberos support using the olconfig.exe tool can be achieved very simply with one of the following commands depending on whether you are using HTTP, HTTPS or both HTTP and HTTPS (recommended).<\/p>\n\n\n\n To check the current Kerberos status, you can use the command line:<\/p>\n\n\n\n Alternatively, to register an SPN manually, use the command line:<\/p>\n\n\n\n Where \u201c<servername><\/em>\u201d is the name of the server OVERLAPS is installed on how a user would connect to it, and \u201c<machineaccount>$<\/em>\u201d is the system account name of that device.<\/p>\n\n\n\n So, for example, if our server was called \u201coverlaps\u201d (accessed as \u201chttp:\/\/overlaps\u201d<\/em>), and we wanted to configure both HTTP and HTTPS to support Kerberos, we\u2019d use the command lines:<\/p>\n\n\n\n If, however, the server is accessed as \u201chttp:\/\/overlaps.contoso.com<\/em>\u201d, then we\u2019d use:<\/p>\n\n\n\n For more information on configuring Service Principal Names, please refer to Microsoft\u2019s documentation on the subject.<\/p>\n\n\n\n To further increase security to OVERLAPS, we recommend that you install an SSL certificate so that your client <-> server<\/em> traffic is encrypted.<\/p>\n\n\n\n You\u2019ll need to purchase or generate a certificate for this purpose (see here for a guide on creating a Self-Signed certificate<\/a>).<\/p>\n\n\n\n With your .pfx private key certificate in an accessible location, use the following command to bind it to OVERLAPS:<\/p>\n\n\n\n 1. Run mmc.exe<\/p>\n\n\n\n 2. Go to File -> Add\/Remove Snap-in<\/p>\n\n\n\n 3. Select \u201cCertificates\u201d and click Add<\/p>\n\n\n\n 4. Select \u201cComputer account\u201d when prompted<\/p>\n\n\n\n 5. Select \u201cLocal computer: (the computer this console is running on)\u201d<\/p>\n\n\n\n 6. Click Finish<\/p>\n\n\n\n 7. Click OK to close the snap-in dialog<\/p>\n\n\n\n 8. Navigate to Certificates -> Personal<\/p>\n\n\n\n 9. Right click and select All Tasks -> Import<\/p>\n\n\n\n 10. When prompted for a file to import, click Browse<\/p>\n\n\n\n 11. Next to filename, where it says \u201cX.509 Certificate (*.cer, *.crt)<\/em>\u201d, change this to \u201cPersonal Information Exchange (*.pfx, *.p12)<\/em>\u201d<\/p>\n\n\n\n 12. Select your certificate\u2019s private key file<\/p>\n\n\n\n 13. When prompted, enter the certificate\u2019s password and check the box to \u201cMark this key as exportable\u201d<\/p>\n\n\n\n 14. Follow the rest of the dialog to complete the import.<\/p>\n\n\n\n 15. Once imported, right click the certificate and click \u201cOpen\u201d<\/p>\n\n\n\n 16. Navigate to the Details tab, and scroll down to \u201cThumbprint\u201d, copy this value for use in the next step.<\/p>\n\n\n\n Linking (binding) your Certificate to OVERLAPS<\/strong><\/p>\n\n\n\n To link your certificate to OVERLAPS you need to use the \u201cnetsh\u201d command from the command prompt.<\/p>\n\n\n\n The command to add the certificate is:<\/p>\n\n\n\n Where \u201c<servername><\/em>\u201d is the fully qualified name of your OVERLAPS server as a client would access it (e.g. overlaps.contoso.com<\/em>), and \u201c<thumbprint of your certificate><\/em>\u201d is the value you copied at step 16 of the last section.<\/p>\n\n\n\n Be careful to make sure you copy the \u201cappid<\/em>\u201d exactly as this identifies the OVERLAPS executable is what you want to attach the certificate to.<\/p>\n\n\n\n You should receive the message \u201cSSL Certificate successfully added<\/em>\u201d.\n If, however, you receive the message \u201cA specified logon session does \nnot exist\u201d, then the certificate is probably not installed in the \ncorrect store, check again that it is in the Personal folder of the \nCurrent Computer store (I\u2019ve made this mistake more times that I care to\n count!)<\/p>\n\n\n\n Once that is complete, you can now enable HTTP in the OVERLAPS configuration file.<\/p>\n\n\n\n Remembering to restart the OVERLAPS service to register the change.<\/p>\n\n\n\n After\n testing that this has worked, it is recommended that you then disable \nunencrypted HTTP traffic, which can also be done through the \nconfiguration file.<\/p>\n\n\n\n Before you can login for the first time, you must first add yourself as an Administrator user. You can use the \u201colconfig.exe\u201d tool to do this. All subsequent users and groups can be added from within OVERLAPS itself.<\/p>\n\n\n\n To add yourself, use the command line:<\/p>\n\n\n\n If everything works then you should receive a success message.<\/p>\n\n\n\n From version 1.3.4 OVERLAPS now supports multiple domain environments with a properly configured trust relationship. Navigation<\/strong> \u201cRootFirst\u201d (Default)<\/em><\/strong> \u201cMemberFirst\u201d<\/em><\/strong> “SingleDomainOnly”<\/em><\/strong> Authentication<\/strong> Universal Groups are supported for user login, as are per-domain groups. When adding a user or group in a multi-domain environment, you will be prompted for the domain that the user belongs to.<\/p>\n\n\n\n Note that currently, the \u201clapsuser.exe\u201d program only supports local domain users.<\/p>\n\n\n\n In order to view and (in the case of OVERLAPS Pro) modify the Microsoft LAPS managed Local Administrator passwords, OVERLAPS requires the following Active Directory Organizational Unit permissions to the containers in which the managed computers reside:<\/p>\n\n\n\n Configuring just these permissions correctly can lead to unexpected behaviour, so it is recommended to make use of the PowerShell scripts that come with Microsoft LAPS to set them.<\/p>\n\n\n\n As OVERLAPS runs as Local System on the host server, you will need the server\u2019s computer account name to proceed. This should be the name of the server followed by a dollar sign ($), so if the server is called \u201cmyoverlaps\u201d for example, the computer account name would be \u201cmyoverlaps$\u201d.<\/p>\n\n\n\n If everything went to plan, OVERLAPS will now be able to view and, in Professional, trigger a reset of the Local Administrator passwords.<\/p>\n\n\n\n Multi-Domain Permissions<\/strong> As mentioned previously, OVERLAPS stored all of its configuration options in an XML file at:<\/p>\n\n\n\n C:\\ProgramData\\Int64 Software Ltd\\OVERLAPS\\config.xml<\/em><\/p><\/blockquote>\n\n\n\n You must have Administrator rights on the server to modify this file and any changes require the OVERLAPS service to be restarted.<\/p>\n\n\n\n Most of the settings in the configuration file can be modified easily from within the \u201cConfig\u201d page of OVERLAPS. However, some settings are considered \u201cinternal\u201d and cannot be changed from within OVERLAPS, or there may occasions when being able to modify values manually could be advantageous. For this reason, some of the key values are shown below.<\/p>\n\n\n\n HTTPEnabled\/HTTPSEnabled<\/strong><\/p>\n\n\n\n If \u201ctrue\u201d, enables the respective type of traffic (unencrypted HTTP or encrypted HTTPS).<\/p>\n\n\n\n HTTPPort\/HTTPSPort<\/strong><\/p>\n\n\n\n The port that will be opened for HTTP or HTTPS traffic respectively (default 80 and 443).<\/p>\n\n\n\n ThreadLimit<\/strong><\/p>\n\n\n\n The maximum number of concurrent requests that the web host can handle. If you have a large user base and start noticing the website becoming sluggish, then you may wish to increase this value.<\/p>\n\n\n\n MaxInputStreamSizeBytes and MaxInputVarsPerRequest<\/strong><\/p>\n\n\n\n These values control the limitations on data posted to the server during a web request. They are designed to limit the thread of a denial of service attack or flooding the server. The only time these values may need to be modified is if you operate a particularly large number of Organizational Units in your domain.<\/p>\n\n\n\n DateFormat<\/strong><\/p>\n\n\n\n While a small selection of standard formats are provided for selection from the Config page, this allows you to specify a custom date format using standard date format characters (see https:\/\/docs.microsoft.com\/en-us\/dotnet\/standard\/base-types\/standard-date-and-time-format-strings<\/a>). Do not use this to specify time format values.<\/p>\n\n\n\n LDAPPort<\/strong><\/p>\n\n\n\n Change this if you need OVERLAPS to connect to Active Directory using a different LDAP port.<\/p>\n\n\n\n EnforceWIA<\/strong><\/p>\n\n\n\n If set to \u201ctrue\u201d, the user login page will be disabled and OVERLAPS will only accept Windows Integrated Authentication logins.<\/p>\n\n\n\n UpdateCheckFrequencyDays<\/strong><\/p>\n\n\n\n How frequently (in days) OVERLAPS should check for program updates. Updates are not installed automatically, but this is just used to put a flag in the page footer to notify you that an update is available. Set this to \u201c0\u201d to disable update checks.<\/p>\n\n\n\n The main menu provides access to all of OVERLAPS pages. The items available depend on the permissions of the currently logged in user.<\/p>\n\n\n\n The Active Directory Browser window allows you to quickly navigate your Active Directory structure for a particular Organizational Unit. Click a container to select it, then click again to open to that page.<\/p>\n\n\n\n Some users may experience duplicate containers showing in their browser like the example below.<\/p>\n\n\n\n This occurs when a user is granted permissions to containers through more than one combination of groups or direct (explicit) membership. In this example, the user is explicitly defined in the OVERLAPS user list and is granted full access to the \u201cmdomain\u201d domain. However, they are also a member of a Security Group which was added to OVERLAPS and given permission to the \u201cClients\u201d Organizational Unit. Because of the way that OVERLAPS now dynamically populates this tree, they are therefore seeing both entry points into the domain.<\/p>\n\n\n\n This is not anything to be concerned about, and it should not impact on the user\u2019s experience. However, if you wish to avoid this, try to limit the number groups that users are a member of and keep your permissions simple.<\/p>\n\n\n\n When a valid container with computers is selected, you will see the computers in a list. <\/p>\n\n\n\n From here you can click on a computer to display its LAPS managed Local Administrator password.<\/p>\n\n\n\n From this window you can click the \u201cCopy to Clipboard\u201d\nbutton to have the password copied to your system clipboard. <\/p>\n\n\n\n You can also click \u201cExpire Password\u201d to trigger a password reset on the computer. Note that this will happen when the computer next performs a Group Policy update.<\/p>\n\n\n\n Clicking the phone tab button switches the view to the Phonetic Alphabet view. There are several of these available (selected the Config page), this example shows the full NATO version.<\/p>\n\n\n\n Clicking the \u201cDisplay Passwords for Selected Computers\u201d button will retrieve the current password information for all of the selected computers. When retrieved, passwords are blurred for security reasons and can be displayed by hovering over the password or toggled between blurred and displayed by clicking. <\/p>\n\n\n\n Each computer may show an alert icon on the right side of its entry. This indicates that the state of that computer\u2019s LAPS managed password: <\/p>\n\n\n\n This symbol indicates that the LAPS password has expired and is due to be refreshed by the system. If this remains in this state for a long time, it may indicate that the computer is not processing its LAPS policy correctly.<\/p>\n\n\n\n This alert indicates that the computer does not have any LAPS password data in Active Directory. If your LAPS installation is new, or the computer has only recently been added then this may be normal.<\/p>\n\n\n\n If you have configured an email server then the Notifications system becomes available. When this happens, a new button will appear in each container.<\/p>\n\n\n\n Clicking this brings up the Manage Notifications window where you can set or remove what notifications you want to receive and how often.<\/p>\n\n\n\n You can have notifications sent to you when anyone reads the password of a computer in this Organisational Unit, expires a password, or both.<\/p>\n\n\n\n Setting the Maximum Notification Frequency will prevent you receiving a notification every time one of these actions happens. Instead they will be grouped together and only sent at the specified frequency.<\/p>\n\n\n\n Finally, you can opt to also apply these notification settings to every Organisational Unit under the currently open container by checking the \u201cApply to all child containers\u201d box.<\/p>\n\n\n\n Navigating to the History section allows you to view historical data from users using OVERLAPS. <\/p>\n\n\n\n The \u201cAction\u201d provides a quick reference image for each possible type of event that is recorded, where the \u201cMessage\u201d field provides more detailed information.<\/p>\n\n\n\n You can filter the History log by Date, Text (both the username and message fields are searched), or by the type of action by using the \u201cActions\u201d menu and checking the boxes for the type of events you want to see.<\/p>\n\n\n\n Clicking the Search menu item will present you with a dialog to find computers by their hostname. OVERLAPS will remember the last 10 searches you performed within 30 days and allow you to select from them to perform the search again.<\/p>\n\n\n\n Search results are grouped by Active Directory container, and function just like a normal computer list.<\/p>\n\n\n\n Clicking your search term at the top of the results allows you to refine your search or to include the computer\u2019s description in the search.<\/p>\n\n\n\n The Self Service feature allows you to specify individual computers that a user will have permission to retrieve the Administrator password for.<\/p>\n\n\n\n If a user has Self Service computers assigned to them, they will receive an additional menu item (note: if the user has no other Active Directory permissions, then the Browse button will not be available to them).<\/p>\n\n\n\n Computers can be assigned to users in one of two ways when setting up Self Service for that user\/group:<\/p>\n\n\n\n The latter option will allow the user (or member users if it is a group) to access the passwords for computers which they are identified as the owner of through the Active Directory \u201cManaged By\u201d option.<\/p>\n\n\n\n When they log in, or click Self-Service menu button, the user will be shown their list of Self Service computers and a button for displaying the current Local Administrator password.<\/p>\n\n\n\n All the user needs to do is click the \u201cView Password\u201d button to display that computer\u2019s password.<\/p>\n\n\n\n Each user now has a few settings that they can change regarding their own experience within OVERLAPS. They get to this by clicking the Profile main menu item.<\/p>\n\n\n\n We have done all of the back-end work required to introduce multiple language support to OVERLAPS now, and we will start to add additional languages as we get the translations done. For now, however, this just acts as a placeholder.<\/p>\n\n\n\n Two Factor Authentication (or Multi-Factor Authentication) allows users to further secure their account by requiring the use of a compatible One-Time Password generating app (such as Google Authenticator) on their smartphone.<\/p>\n\n\n\n With this enabled, logging in from a new device will prompt the user to enter an additional code as well as their username and password. The device can then be \u201cremembered\u201d, so they do not need to enter a code the next time, or they can continue to be prompted. Remembered devices are only validated for 30 days, after which they will need to provide a fresh Two Factor Authentication token.<\/p>\n\n\n\n This adds an additional layer of security so that just knowing someone\u2019s domain username and password is not enough to login to OVERLAPS, and it is recommended for all users.<\/p>\n\n\n\n We recommend, and have tested extensively, using the official Google Authenticator app available on the Android Play Store and the Apple App Store.<\/p>\n\n\n\n Other compatible apps may also work.<\/p>\n\n\n\n Once enabled, the user will immediately be taken to the TFA authentication screen to confirm their code. This is the same screen they will see when a new token is required during login.<\/p>\n\n\n\n Checking this box means that whenever you open the homepage or the Browser window, you will automatically be taken back to the last Organizational Unit that you visited.<\/p>\n\n\n\n Use the Config menu item to take you to the OVERLAPS configuration page. Only users with the \u201cEdit Settings\u201d permission are able to view this page.<\/p>\n\n\n\n Users are managed through the Config page\u2019s Users and Groups section.<\/p>\n\n\n\n Here you will see a list of all of the users and groups that have been added to OVERLAPS and have the ability to edit or remove them.<\/p>\n\n\n\n Add a New User or Group<\/strong><\/p>\n\n\n\n To add a user, click the \u201cNew User\/Group\u201d, a window will appear allowing you to enter the user or group\u2019s account (user) name.<\/p>\n\n\n\n Start typing the username and OVERLAPS will search Active Directory for potential matches for you to select from.<\/p>\n\n\n\n Here you may also select whether the user should be granted Administrator privileges and whether they should be able to view the event history or not.<\/p>\n\n\n\n Edit a User<\/strong><\/p>\n\n\n\n Select one or more users or groups by checking their entry in the user list, the click the Edit User button to see the options available. <\/p>\n\n\n\n When editing multiple users, you will be shown a dropdown with the selected users.<\/p>\n\n\n\n Clicking a user will deselect them, and any changes made when clicking \u201cSave Changes\u201d will not apply to them. Clicking the user again will re-select them.<\/p>\n\n\n\n Rate Limits<\/strong><\/p>\n\n\n\n You can set a configurable limit on users and groups which controls how many: a) Password Requests, and b) Password Resets, those users can perform in a given time period.<\/p>\n\n\n\n This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them.<\/p>\n\n\n\n Password Request limits and Password Reset limits can be controlled independently. To set a limit:<\/p>\n\n\n\n For example, for a normal user you may want them to stay under 25 requests per day, so you would set it to – Maximum: 25, Every: 1, Period: Day.<\/p>\n\n\n\n A warning note on group memberships<\/strong> This means if you have a group with a limit of 5 requests every day<\/strong>, and another with a limit of 25 requests every 10 minutes<\/strong>, a member of both groups will end up with the limit 5 requests every 10 minutes<\/strong>.<\/p>\n\n\n\n This is done to be in-line with least privilege best practices. If the need arises to override the rate limit a user is experiencing because of their group memberships, the correct way would be to add the user explicitly to OVERLAPS as explicit users always take priority over group memberships. <\/p>\n\n\n\n User Access Level<\/strong><\/p>\n\n\n\n This window allows you to change the overall access that the user(s) have to the OVERLAPS website.<\/p>\n\n\n\n Administrators (users with the Edit Settings permission) have full access to every Active Directory container, and the ability to modify users and site settings. This should be limited to only a few trusted users.<\/p>\n\n\n\n People with \u201cView History\u201d permission have the ability to view a history of all actions undertaken within OVERLAPS. <\/p>\n\n\n\n When editing multiple users, setting an option to \u201cNo Change\u201d means that no changes to each users\u2019 current access will be made. Setting it to \u201cRemove\u201d disables the selected access for all selected users, and \u201cEnable\u201d will grant the selected access. <\/p>\n\n\n\n Remove a User<\/strong><\/p>\n\n\n\n Selecting one or more users and clicking the \u201cRemove\u201d button will prompt you to confirm that you want to remove the user completely from OVERLAPS.<\/p>\n\n\n\n The user-based permissions have now been replaced with a much simpler Organizational-Unit-based permissions. This is now more like the permissions you would expect to see in Windows or Active Directory itself.<\/p>\n\n\n\n The Permissions section is split vertically into two parts: A navigation tree for finding the container you want to edit, and a list of the Users\/Groups who have permission to the currently selected container.<\/p>\n\n\n\n With a valid container selected, you can add or remove users using the relevant buttons, and change their permissions (see below) accordingly, but the permissions are only saved when you click the Save Changes button.<\/p>\n\n\n\n For a full list of the permissions available, see the Setup Guide (download<\/a>).<\/p>\n\n\n\n![\"Browsing](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/02\/anim-browse-and-view-pwd.gif\")
This Guide<\/h2>\n\n\n\n
System Requirements<\/h2>\n\n\n\n
Installation and Initial Configuration<\/h2>\n\n\n\n
Running the Bundle Installer<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/install_0.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/install_2.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/install_5.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/service.png\")
Configuring the Server Port<\/h3>\n\n\n\n
C:\\ProgramData\\Int64 Software Ltd\\OVERLAPS<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/config-file-port.png\")
Installing your Licence File<\/h3>\n\n\n\n
C:\\ProgramData\\Int64 Software Ltd\\OVERLAPS\\<\/code><\/pre>\n\n\n\nThe OLCONFIG.EXE Tool (Replaces LAPSUSER.EXE)<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/olconfig-start.png\")
olconfig.exe user \/help\nolconfig.exe https \/help\nolconfig.exe security \/help<\/code><\/pre>\n\n\n\nConfiguring Kerberos for Added Login Security<\/h3>\n\n\n\n
Configuring Kerberos using olconfig.exe<\/h4>\n\n\n\n
olconfig.exe security \/enablekrb http\nolconfig.exe security \/enablekrb https\nolconfig.exe security \/enablekrb both<\/code><\/pre>\n\n\n\nolconfig.exe security \/krbstatus<\/code><\/pre>\n\n\n\nConfiguring Kerberos manually<\/h4>\n\n\n\n
Setspn.exe \u2013a HTTP(S)\/<servername> <machineaccount>$<\/code><\/pre>\n\n\n\nSetSPN \u2013a HTTP\/OVERLAPS OVERLAPS$\nSetSPN \u2013a HTTPS\/OVERLAPS OVERLAPS$<\/code><\/pre>\n\n\n\nSetspn.exe \u2013a HTTP\/OVERLAPS.CONTOSO.COM OVERLAPS$<\/code><\/pre>\n\n\n\nEncrypted Web Traffic with HTTPS<\/h3>\n\n\n\n
Configuring HTTPS using olconfig.exe<\/h4>\n\n\n\n
olconfig.exe https \/certfile <filename> [\/password <password>]<\/code><\/pre>\n\n\n\nConfiguring HTTPS manually<\/strong><\/h4>\n\n\n\n
![\"\"\/](\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*oEemOExTAuzvbCeZofLi0g.png\")
![\"\"\/](\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*--z_pVXoMu1C717OIkQ1RA.png\")
![\"\"\/](\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*VR6L1x8UuoQ06N0mC444Ag.png\")
Netsh http add sslcert hostnameport=<servername>:443 certhash=<thumbprint of your certificate> appid={7c492133\u2013379e-4918\u201382c3\u20131d8d2f9bee3a}<\/code><\/pre>\n\n\n\n![\"\"\/](\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*Z6MQuK6Pjp_Jc9N-Q2mDgQ.png\")
Adding the First Administrators<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/olconfig-user.png\")
olconfig.exe user <myusername> \/add \/admin<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/olconfig-user-success.png\")
Active Directory<\/h3>\n\n\n\n
Multiple Domain Forest Support<\/h4>\n\n\n\n
<\/p>\n\n\n\n
By default, when populating Organizational Units, OVERLAPS will look to the root domain of the forest and from there discover any accessible child domains. However this can be modified from the configuration file by changing the \u201cMultipleDomainPreference\u201d value to the following:<\/p>\n\n\n\n
Seeks the root domain in the current Forest and then attempts to include child domains.<\/p>\n\n\n\n
Selects the domain that the OVERLAPS server is a member of first, and then attempts to include any other domains in the current Forest (including the root if it is not the same).<\/p>\n\n\n\n
Limits OVERLAPS to the domain that its server is in only. No attempt will be made to attempt to read any other domains in the Forest.<\/p>\n\n\n\n
In this latter mode, user authentication is also limited to the current domain. Otherwise in a multi-domain environment, users will be prompted for their domain prior to logging in (or have to supply it in the form \u201cdomain\\username\u201d in the case of Windows Integrated Authentication).<\/p>\n\n\n\nPermissions<\/h4>\n\n\n\n
Import-Module AdmPwd.PS<\/em><\/li>
Set-AdmPwdReadPasswordPermission -OrgUnit -AllowedPrincipals<\/em> <\/li>
Set-AdmPwdResetPasswordPermission -OrgUnit -AllowedPrincipals<\/em><\/li>
In multi-domain environments, these permissions may need to be manually applied to each domain.<\/p>\n\n\n\nAdditional Configuration Options<\/h3>\n\n\n\n
The Configuration File<\/h4>\n\n\n\n
Specific Settings<\/h4>\n\n\n\n
User Interface<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/main-menu.png\")
Browser<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/browser-active-dir.png\")
Duplicate Containers in the Browser<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/browser-duplicate-entry-points-marked.png\")
Computer List<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/computer-list.png\")
Viewing a Computer’s Local Administrator Password<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/current-password-modal.png\")
Phonetic Alphabet View<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/phonetic-alphabet-computer-nato-full-cropped.png\")
Batch Password Retrieval<\/h4>\n\n\n\n
![\"Batch](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/03\/overlaps-1.2-ui-batch-1200x686.png\")
Computer Status Alerts<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/03\/overlaps-1.2-expired.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/03\/overlaps-1.2-notset.png\")
<\/figure>\n\n\n\nNotifications<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/manage-notifications-button.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/manage-notifications.png\")
History<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/history.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/history-filter.png\")
Search<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/computer-search.png\")
![\"Refining](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/03\/overlaps-1.2-search-refine.png\")
Self Service<\/h3>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/self-service-computer-list.png\")
Profile<\/h3>\n\n\n\n
Language<\/h4>\n\n\n\n
Two Factor Authentication (2FA\/TFA\/MFA)<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/tfa-enable_2.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/tfa-login.png\")
Remembering your Last Container<\/h4>\n\n\n\n
Configuration<\/h3>\n\n\n\n
Users and Groups<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/settings-users-user-list.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/settings-users-add-user.png\")
![\"List](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2019\/03\/overlaps-1.2-user-ad-perm-list.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/settings-users-edit-rate-limit-requests.png\")
In order to handle multi-group membership in an efficient and minimally complex way, there is an important point to remember. Where a user is a member of multiple groups, each with its own rate limit, OVERLAPS will select the lowest value all of the rate limit time periods AND the minimum number of requests.<\/p>\n\n\n\n![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/settings-users-edit-site-access.png\")
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/settings-users-remove.png\")
Active Directory Permissions<\/h4>\n\n\n\n
![\"\"](\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2020\/04\/container-permissions-interface.png\")
Settings, Host and Email Settings<\/h4>\n\n\n\n