The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.
By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.
LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:
- LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.
- If the expiry is not blank and is still in the future, nothing happens.
- Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).
- LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.
- If that was successful, it will only then actually change the password of the Local Administrator account.
Windows accounts are stored hashed (one-way encrypted) and are, in principal, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with the same account/password.
LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore different hash) for their Local Administrator account.
Microsoft released LAPS completely free. You can download it along with its technical documentation from the link below.
LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.
For more information on Microsoft LAPS, please see the links below.
OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through any modern browser on any network attached device. More than this, it removes the hassle of managing and maintaining Active Directory permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.
- You install it on a computer or server which will act as the web server for OVERLAPS.
- Configure your Active Directory permissions to allow that computer the appropriate access to the LAPS password and expiry attributes.
- Setup SSL/TLS encryption to make sure everything is secure.
- Add users and/or groups, and specify what Organizational Units or containers that they are allows to access.
- Users can now login to OVERLAPS and access the LAPS managed passwords as needed.
There aren't any. We don't specify a time limit, user limit or device limit. Once you've purchased OVERLAPS once it is yours forever, no matter how your service grows. We'll only ever require payment again if there is a major update version released, in which case we'll make a significantly reduced upgrade price available to existing customers.
There are three options available to you to purchase OVERLAPS:
1. Purchase directly from us using a Credit or Debit card
Click here to go to the store page and follow the on-screen instructions.
2. Request an invoice
If you would prefer to receive an invoice and have payment handled by your Finance department, Contact us and we'll raise one for you. Note that we are able to process your purchase and generate license for you faster if you are able to provide a Purchase Order.
3. Use a Software Reseller
Alternatively, if you have a preferred software reseller that you have existing agreements with, simply ask them to contact us and we'll do the rest.
Network Environment Requirements
A non-Cloud (not Azure) Active Directory domain is required, with Microsoft’s Local Administrator Password Solution (LAPS) installed and already configured.
Operating System: Windows 8.1 Pro or higher, Windows Server 2012 R2 or higher.
By default OVERLAPS runs as the system account on the server (NT AUTHORITY\SYSTEM), and permission must be given to this account to read and write the LAPS properties (see Active Directory Permissions for OVERLAPS). Alternatively, if you are planning to use a Service Account to allow OVERLAPS to access Active Directory (see Active Directory), then that account must have the relevant LAPS permissions.
To download the trial version of OVERLAPS click the download button below and get started today.OVERLAPS 18.104.22.168 Trial (10.05Mb)
Requires: .NET Framework version 4.6.1
This trial version of the web user interface replacement for Microsoft LAPS offers customers the chance to go through the setup procedure and experience OVERLAPS for themselves before they buy. The only limitation of this demo version is that instead of displaying the LAPS managed passwords from Active Directory, the message "TRIALVERSION" is displayed in its place.
2022-12-30 - Version 22.214.171.124
- Fixed an issue where Authorisers who are only designated such for Self Service users would not see the Authorisation menu item.
- Changed Authorisation Request behaviour so that denied requests are now automatically expired when the Requestor views the response, allowing them to immediately raise another request if they want to (rather than having to wait for the expiry timeout).
- Made the Authorisation page available for Self-Service users who have the option set to Require Authorisation so that they can view and/or cancel their own outstanding requests.
- Fixed a minor visual bug which would show the reset icon instead of the read icon for Self Service Requests in the Authorisation page.
- Updated Bitlocker Key Retrieval to allow for multiple recovery keys (e.g. for devices with more than one encrypted drive) and it will now show the Recovery and Volume GUIDs and the time it was last changed.
- Fixed an issue where under some circumstances certain browsers would mistakenly submit a 2FA code twice, causing an error to display before continuing to login normally (assuming the code was correct - an incorrect code would still result in a rejected login).
- Fixed a bug in the Asynchronous Group Membership Queue for manual group refresh operations which could cause initialisation problems in the update process itself. This may have also had an additional, but less noticeable, impact on the background group membership updater as well and some admins may have seen the group membership information update in a less-than-timely fashion. However, this would not have had any impact on group checks during login (or therefore site security) as that is an isolated system.
- Updated the manual group refresh status message so that if the "Queue Group Refresh Operations" is disabled then it will automatically refresh the page on completion, otherwise it will advise the user to refresh the page after a few minutes.
- Added an optional High Contrast Scheme (selectable in the Profile page under Settings -> Website Colour Scheme) for users with Protanopia or other visual impairments which may have made the default colour scheme hard to see or distinguish. This theme is still being tweaked but will hopefully be of some help to those affected, please let us know if there are further changes you would like to see with regards to accessibility by contacting us through the usual channels.
- Added the option to have detailed Authorisation Request emails which provide a list of all of your pending requests along with user and computer information, instead of the default summary emails which only show a count. This is a global option for all nominated Authorisors (not per-user) and can be found under Settings -> Security -> Authorisation Requests -> Authorisation Request Email Format.
- Carried out a full database optimisation audit and made various changes to improve performance.
2022-09-16 - Version 126.96.36.199
- Added support for HTTP_X_FORWARDED_FOR header when getting the client IP address if a proxy is being used.
- Modified handling of deleted AD containers so that they are no longer immediately removed from the database. This can prevent loss of permissions and other data in the event that AD cannot be contacted for some reason. Missing containers are now flagged and hidden, and then cleaned up a few days later if they are not successfully re-discovered in the meantime.
- Added the option to prevent users with the permission to allow/deny Authorisation Requests from authorising their own requests (self-authorisation).
- Added error catching for environments where AD Referral Chasing is not supported.
- Added backup option for edge cases where NetBIOS name resolution does not work because of Referral Chasing errors. Currently the option is only available via the Configuration Tool and is listed under the "ActiveDirectory" category as "UseLdapForDomainUnshortening".
- Added the option to have Computer Management tasks use the target computer's Local Administrator account credentials from AD if they exist. This may make it easier to configure WMI on the clients as you wouldn't need to add additional accounts with permission to run the tasks, if the computer doesn't have a password in AD however then this will failover to the previous method. In order to support this, a setting for the name of the Local Administrator account has also been added.
- Added support for container custom display names being saved when taking a permissions snapshot, and restored when the permissions are restored.
- Added an automatic permissions snapshot system which will create a full snapshot of container permissions each night. Automatic snapshots are kept for 7 days by default.
- Modified the validation rules for which links appear in the Main Menu, now if the user is neither an Authoriser or someone who can provide Authorisation then the respective menu will no longer appear.
- Added a "Show Password" toggle button to the login page next to the password input field.
- Modified DC lookup behaviour if the blacklist isn't in use, which may improve performance in some edge cases.
- Added the ability to add comments in the dcblacklist.txt file by adding "#" to the start of the line, any lines starting with this character will be ignored.
- Added a Domain Controller Health Check system which will run a check of the connectivity of all DCs in the current forest during startup, and will automatically blacklist any that can't be contacted. If any are found, this will also enable a scheduled health check so that any uncontactable DCs will be allowed to be used again should they come back online. The "dcblacklist.txt" file can still be used to permanently prevent the use of individual DCs.
- Added an option to the Active Directory category called "Enable Domain Controller Caching" which is enabled by default, but now allows caching to be disabled if it is believed that will help in certain support scenarios.
- Added a tool for manually running Active Directory structure information refreshes outside of OVERLAPS ("adstructupdate.exe /?" for more information)
- Updated Portable.BouncyCastle dependency to version 1.9.0
- Updated log4net dependency to version 2.0.15
2022-01-11 - Version 188.8.131.52
- Addressed a potential security issue in the LDAPS (LDAP over SSL) implementation which could have resulted in a failover to regular LDAP under some circumstances. By design this would not happen when any sensitive information was involved (such as passwords), and even when it occurs Active Directory still encrypts internal domain communication with Kerberos. However, as with all security concerns (big or small), we recommend installing this update as a priority.
- Resolved an issue with the page handler which was causing certain features to not work correctly in some browsers.
- Fixed a bug in the AD handlers which could have resulted in a small increase of traffic to some domain controllers.
- Fixed a display issue on mobile and other small screen devices which may have caused the top menu to not display correctly.
2021-12-08 - Version 184.108.40.206
- Fixed an issue where a 0 value returned by Active Directory was being misinterpreted as a valid date, this could cause some users to be unable to login as their account appeared to have expired.
- Addressed a problem where if a full group refresh operation times out, it would clear all of the group's members. As membership is checked during login anyway this has been deemed unnecessary, so now if it times out it will simply ignore the group.
- Added a cache for container information when searching for computers to reduce the overhead (rather than looking up each computer's container information)
- Fixed a bug in the AD Structure Update where changing the MultiDomainPreference to a single domain operation wasn't clearing other domains from the database during the final merge process.
- Added the option to add a Network Delay to Two Factor Authentication, this allows for the acceptance of a valid code from a number of time epochs before or after the current one to account for time drift on users' authentication devices. RFC6238 recommends this is set to 1, but to maximise security it is currently disabled by default.
- Added a temporary workaround for sites with restricted or otherwise inaccessible domain controllers. You can now add the full name of the DC (e.g. dc01.contoso.com) to "C:\ProgramData\Int64 Software Ltd\OVERLAPS\dcblacklist.txt" (one server per line) to have OVERLAPS ignore it (service restart required). Note however that if it is subsequently unable to find any domain controllers (if they are all blacklisted for example) then OVERLAPS will fall back on relying on AD to provide an appropriate DC.
- Added the ability to restrict domain controller lookup to the same AD site as the server OVERLAPS is installed on. If this fails to locate a valid DC, it will search globally instead.
- Added a Two Factor Authentication restriction so that the same code cannot be used by a user twice during an epoch. Instead they must wait for the next epoch and use this code. This complies with RFC6238, but can be disabled if necessary through the Configuration Utility's Settings tab (Security -> TwoFactorDenyDuplicateCodes).
2021-09-23 - Version 220.127.116.11
- New Features
- Added an option to the Active Directory Structure Update schedule to only run once per day and only overnight. For large domain/forest environments who don't want performance impacting scans running during the day, this will ensure that scheduled automatic scans only occur overnight. This does not effect manually initiated scans or scans initiated when a change is detected by the AD monitor.
- Added an option to enable password caching. If enabled, all Local Administrator passwords which have changed since the last scan are collected from Active Directory overnight and recorded encrypted in the OVERLAPS database. This allows you to then view a history of a device's passwords for use when, for example, System Restore has reverted the password back to a previous state which is no longer stored in Active Directory.
- Added a "Justification" option to the container permissions. When combined with the Read permission (not Read with Authorisation), the user(s) will now be prompted to provide their reasons for accessing each password in the container before they can actually see it for auditing purposes. This information is written to the History log.
- Added action icons to the History log filter dropdown.
- Added an light and dark colour scheme options, this is set to Automatic by default which will take the theme from your browser or operating system, but can be manually toggled between Automatic, Light or Dark from your Profile.
- Reworked, unified and streamlined the password dialog handling process to allow for easier implementation of additional steps.
- Added a snapshot utility to the Permissions page so that you can take a snapshot of all permissions at that time. Snapshots can be restored at any point and will overwrite the existing permissions.
- Added an additional option to the Save Permissions window so that when applying permissions to child containers you can: Replace, which works the same as before, replacing all permissions with a copy of the current container; or Additive, which adds the permissions of the current container to those below it without removing any existing users or permissions.
- Added an option to Settings -> Security to allow you to enter a single email address which will receive Authorisation Request notifications when there are any outstanding. This can be used in conjunction with another option to prevent emails going to Authorisers so that you can use a single shared mailbox instead of each individual receiving the notifications.
- Reworked LDAP and Directory Searcher connections to allow for the use of LDAPS (LDAP over SSL). This can now be enabled in the Configuration Utility.
- Changed default Active Directory handlers to Directory Searcher for all operations and disabled backup options to improve performance. These can be manually reactivated after upgrading if needed.
- Added the ability to set the Two Factor Authentication device cache limit to 0 days, disabling the ability for users to remember their devices.
- Changed the Settings page's "Section Index" so it is sorted by the section titles instead of the order the sections appear on the page to make it easier to quickly locate a section.
- Added a setting to specify which Authenticator Apps to suggest to users who wish to enable Two Factor Authentication, and the option to add links to a custom authenticator if none of the other options are suitable. Removed all other distinct references to Google Authenticator.
- Added the ability to specify that computer descriptions should be included in a search from the main search window.
- Added the "EnableBuffering" option to Log category in the Configuration Utility's Settings tab which is on by default, but can be set to False to disable log buffering. This will increase server load, but reduces the risk of losing log information should the service close unexpectedly, it should only be used for debugging purposes.
- Updated SQLite library to version 18.104.22.168
- Added a button to the Settings section of the Configuration Utility on each row where encrypted data is held, allowing you to clear the data.
- Added a new tab to the Configuration Utility where you can more easily configure your Active Directory LDAP ports, LDAP over SSL, and clear the entered Active Directory credentials if needed.Bug Fixes
- Fixed a minor bug in the navigation menu which was causing the Long Title customisation settings to not be used for the icon alt text.
- Fixed an overflow bug in the way user settings were being read from the database which would have eventually led to some settings not being enabled (this does not effect any current systems).
- Fixed a bug in Active Directory handling where some OUs with non-standard characters in their name may have caused the DirectorySearcher to fail to connect.
- Fixed a bug in the LDAP group membership handler which may have not picked up users in other domains in the forest when attempting to connect to the Global Catalog.
- Fixed a bug in the Computer Information dialog which was showing incorrect information for when the object was created and last modified.
- Fixed a bug in Computer Information where empty date values retrieved from Active Directory would be displayed as a date in 1601, this has been changed to display "Not Set" instead.
- Fixed incorrect column count for empty placeholder entries in authorisation request list.
- Fixed a bug when saving container Notification settings (applying to Children) as an admin which was causing an SQL logic error.
- Added a 1 minute delay to the full Active Directory Structure scan that runs on service startup (if the option is checked) to prevent too many intensive processes from running during the initial startup.
- Fixed a rare case bug in the DirectorySearcher computer search handler when verifying a computer's status and not using the GC which could misreport the LAPS password as not being set.
- Fixed an issue where navigating from some pages to the computer list would leave the previous page title in place.
- The Security Principals handler for Computer Operations has been disabled due to ongoing problems in the Windows/ADSI API which were causing "unknown error" messages when attempting to read custom AD attributes. This handler is not used at all by default, meaning most users will not be affected by this change, however anyone currently using it will be autmatically redirected to the LDAP handler instead.
- Fixed performance issues during high intensity tasks by enabling buffering in the log handler.
- Reworked some domain cache handlers and name resolution methods to better accommodate cross Forest trusts.
- Corrected MFA login page so that it now reflects the maximum device cache setting from the configuration page.
- Fixed erroneous text references to the legacy configuration file.
- Fixed the forest/domain list in the configuration page to correctly identify each forest and the domains that belong to it.
- Fixed a container list diplay issue where sorting was being done using case sensitivity.
- Improved responsive display on small screens for the computer list control buttons by switching them to a collapsible navigation bar.
- Fixed two bugs in the Configuration Utility when adding a new HTTPS binding where invisible characters could be introduced to the binding hostname either as a result of not being stripped from the certificate information or by being accidentally copied and pasted into the text field. This would have caused the initial binding query and validation to fail with a Windows API error message.
- Fixed enumeration of external forest domains for use in Multi-Forest Authentication.
- Disabled log caching during service initialization to prevent loss of debug information if the service crashes without first flushing the log.
- Improved the efficiency of computer searches when using the Directory Searcher connector by moving the retrieval of non-Global Catalog properties to a multithreaded process after all of the results have been collected.
- Removed Computer Management worker's reliance on database transactions as the tasks could take a long time to complete and could result in database locking issues.
- Removed the AD Container Update worker's reliance on database transactions to prevent database locks in environments with large or complex structures. The system will now cache and merge changes in simpler and faster operations.
- Separated the operations for looking up AD group members and updating that information in the database to prevent lengthy DB operations (only applies to the queued group membership updater).
- Fixed an issue where some users may not see the OU limit selector in the Search Refine box. This has now been unified with the dropdown shown in the Search dialog.
- Added the ability to disable triggering a group refresh when a new user logs in for situations where this causes performance issues. The setting is currently only available from the Configuration Utility under ActiveDirectory -> TriggerGroupRefreshOnNewUserLogin.
2021-04-25 - Version 22.214.171.124
- Fixed a bug where disabling the Account Expiry Check on a group wasn't being passed to the group members.
- Fixed a bug in the Self Service User Import Tool which was failing to import the computers due to a database bug.
- Fixed an issue that would arise if the stored credentials that OVERLAPS uses to query Active Directory (if set) could not be decrypted from the database which would cause problems such as preventing users from logging in. If this problem is encountered now, OVERLAPS will fall back on using the system account to query AD instead.
- Fixed an upgrade issue from older versions of OVERLAPS which would cause the upgrade to fail because it was trying to add a new column to the database twice.
- Resolved an issue in the Two-Factor Authentication library which was causing time desyncs in some environments which would subsequently generate incorrect codes and prevent user logins.
- Added an alternative group member refresh method which queues operations rather than attempting to run them immediately. This can help in slower network environments or where group refresh conflicts are occurring.
2021-03-09 - Version 126.96.36.199
- Added an expiry property to Self Service computers so that they can be removed after a given time. Note this is not compatible with Self Service users using the AD Managed By property.
- Added the ability to change the maximum amount of time that a device remembered during Two Factor Authentication will be kept before requiring another TFA code. This is 30 days by default.
- Added a per-user setting to disable account expiry checks during login. This is intended only for cases where the account is being misreported as expired by Active Directory, if the account is properly disabled or expired then login will still be denied.
- Added top-level child or sibling domains to the "Limit results to" list in the Search window so that computer search results can be more easily limited to a single domain if needed. This can help improve search performance in environments with a lot of domains in the forest. Note that the root domain is not listed as this will automatically search all subdomains.
- Replaced user status indicators (Edit Settings, Self-Service, Two Factor Authentication Enabled, etc) with icons to save space after adding another possible value. The meaning of each icon can be seen by clicking it to show a reference key.
- Fixed an error in the Self-Signed Certificate Generator tool which would happen if a custom value was entered instead of selecting a country from the list. Custom Two-Letter (ISO3166) country codes are now supported.
2021-02-03 - Version 188.8.131.52
- Removed checks for the "PASSWORD_EXPIRED" flag in the userAccountControl property of a user object during login. This is a legacy Windows Server 2003 setting and no longer accurately reflects an expired password. This has been replaced by checks against the pwdLastSet property instead.
- Fixed a bug in domain validation process which was defaulting to the forest's root domain even if that was disabled in the configuration.
- Fixed a group lookup bug in the Principal domain handler which was failing to fall back on authorisation groups.
- Fixed a time conversion bug when reading properties from Active Directory.
- Disabled the use of Security Principals for finding the groups that a user is a member of as AD was returning erroneous results when searching for nested groups, and because it tended to be very slow. The other two handlers are used in its place as needed.
- Removed the use of the Global Catalog when checking a user's groups as it was not returning consistent results and could lock out valid users.
2021-02-01 - Version 184.108.40.206
- Added a "Session Cookie Timeout" setting to the Host configuration page.
- Added a GUI utility for quickly generating Self Signed certificates for HTTPS support where a third-party or in-house CA isn't available or desirable. The new tool is available from the Start Menu.
- Added a command-line utility for testing your HTTPS setup and certificate validity (sslinfo.exe).
- Added a new option to the "https" section of the olconfig CLI utility, the "/unbind" parameter now allows you to delete existing certificate bindings from the command line.
- Added exit codes to failures in olconfig command line operations for improved automation support.
- Updated Bouncy Castle library to version 1.8.9.
- Fixed a bug in the HTTPS redirect handler which was not handling IPv6 redirects correctly.
- Fixed a bug which could occur if the user's browser didn't send an agent name.
- Fixed a bug in the login process which was failing to get the ID of valid group members from the database under certain circumstances, causing login to fail.
2021-01-14 - Version 220.127.116.11
- Important: Please note that in the interest of consistency and maintainability, we will no longer be distributing offline PDF versions of the OVERLAPS documentation. To access the setup and usage guide from now on, please visit: https://int64software.com/overlaps/docs/
- Added the ability to retrieve Bitlocker recovery keys from Active Directory. For now this is enabled under the Active Directory -> Workarounds setting by checking the "Allow users with the Read Computer Information permission to access Bitlocker Recovery Keys", in the future this may be moved to its own specific container permission.
- Added a rate limit to the Two Factor Authentication processor to prevent users who have passed the initial login process from brute forcing the two factor code. Currently this is limited to a maximum of 5 failures in a 30 minute period.
- Migrated logging library to use log4net to improve performance, reliability and to make future changes/additions easier.
- Added a History item for viewing a computer's extended information.
- Improved handling of history type information to make it easier to expand with additional events in the future.
- Categorised event types for the Windows Event Log section in Settings to make it easier to read.
- Added a search button within the computer list to allow users to quickly limit their search results to the current OU and its descendents
- Added a global option for limiting search results by default to a particular container (and its children). This can be overriden by users when performing their search.
- Refactored a lot of project interdependencies to reduce unnecessary references and improve program flow.
- Fixed an issue with disabled Computer Management Tasks still showing in the More Actions list for administrators.
- Fixed a bug which was causing the Remove User button to remain enabled even if no users were selected.
- Fixed a bug in the Search window which meant that the suggestion box didn't close when the input lost focus.
- Fixed a bug in the Configuration Utility which was looking for a specific error message when checking if a certificate requires a password, but not taking OS language settings into account.
- Added additional checks when validating results from AD for LAPS properties and increased logging information to aid in debugging.
- Fixed some minor translation errors.
2020-11-22 - Version 18.104.22.168
- Resolved a timing issue in the Two Factor Authentication keyboard handler which could result in the first input being cleared after pasting a 2FA code on some systems.
- Fixed a bug in the command line configuration tool's HTTPS binding system which may have caused it to install the certificate in the wrong store.
- Removed client certificate validation from HTTPS binding as this was causing some browsers to prompt users for a certificate when negotiating TLS sessions.
- Added a command to the olconfig.exe command line tool: "olconfig.exe https /disableclientcertcheck" to update existing bindings which are prompting users for a certificate when navigating to OVERLAPS. This requires a server restart to take effect.
2020-11-17 - Version 22.214.171.124
- Fixed a bug introduced in 126.96.36.199 which broke the ability to paste your code into the Two Factor Authentication form
- Fixed an input filtering bug in the Two Factor Authentication handler which would reject a valid code if it started with a leading zero
2020-11-16 - Version 188.8.131.52
- Fixed issue with Two Factor Authentication (2FA) on Android devices where it wouldn't accept the code being input.
- Changed 2FA inputs to number inputs to improve support on mobile devices
- Fixed display issues on small screen devices
- Removed the Management menu item if no Computer Management tools are enabled
- Fixed a cookie issue with Firefox for Android
2020-11-11 - Version 184.108.40.206
- Fixed a minor bug in the Principal Object protocol for computer queries which was incorrectly showing an alert about the computer's password not being set.
- Fixed a bug in the LDAP computer lookup which was returning an incorrect total number of devices, causing problems with pagination in containers with a lot of computers.
- Fixed an issue where group members weren't able to see the results of their Computer Management tasks in the Management page.
- Fixed a bug in the computer list pagination which was causing page 1 to start at item 1 when it should be 0-based.
2020-11-09 - Version 220.127.116.11
- Fixed a critical security bug in the Directory Searcher authentication protocol. This protocol is not used by default, but in some environments the bug could allow some users to authenticate incorrectly.
2020-11-06 - Version 18.104.22.168
- Fixed an issue where Self Service users who had the Managed By option set couldn't have distinct Authorisers.
- Fixed a bug where Self Service users who had the Managed By option set weren't listed as Self Service users in the User list.
2020-10-30 - Version 22.214.171.124
- Fixed a bug in the LDAP handler responsible for connecting to the Global Catalog which may have resulted in slower group membership lookups in some environments.
2020-10-30 - Version 126.96.36.199
- Changed the Active Directory enumeration process to include generic containers (such as the default Computers container) as well as Organizational Units.
2020-10-23 - Version 188.8.131.52
- Fixed a database initialisation issue on fresh installs.
- Fixed a minor bug in IPv6 address handling.
2020-10-22 - Version 184.108.40.206
- Added the option to write History Log events to the Windows Event Log for collection by SIEM products.
- Added additional Computer Management Tools: Restart Computer(s) and Shutdown Computer(s). As with the Group Policy Update tool, WMI must be configured and the OVERLAPS server given permission to use it (see the Administrator's Guide). Once the are enabled and users are given permission to use them, they will then have the tools listed under "More Actions" in the computer browser.
- Added a confirmation prompt to some tools, and support for per-tool-instance settings which can be entered by the user (Restart timeout, comment and whether to force the operation or not for example)
- Added a system setting "RestartOnXHealthCheckFails" under the "WebHost" category. If given a positive non-zero number, a failure to query the web page during the Service Health Check process more than this number of times will automatically initiate a service restart. This can currently only be enabled by editing the setting directly through the Configuration Utility.
- Fixed a display issue on mobile devices where the computer name was not being displayed in computer lists.
- Fixed a bug in the Computer Management handler which could cause the results of the task to not be written to the History Log.
2020-10-04 - Version 220.127.116.11
- In the LAPS Debug screen added the ability to specify a username and password (leave blank to use the OVERLAPS default).
- LAPS Debug can now also accept the distinguished name of a particular computer to test. It also outputs more information from the scan results.
2020-10-01 - Version 18.104.22.168
- Added a per-user setting to disable the ability to Browse Active Directory containers to find computers. If this is set for a user then they will only be able to find computers that they have been granted permission to by searching for them instead.
- Tweaked log backup behaviour
- Changed host address handling process. By default, the DNS hostname and IP address(es) of the server were always being used, with additional addresses (from the certificate binding process) being recorded and read from the host.config file. Now all host addresses are recorded in host.config (including the IP and DNS hostname of the server by default) and only these entries are used. This allows for greater control over the host configuration, as you can stop OVERLAPS from listening on the IP address and/or DNS hostname if required. Care should be taken when modifying the host.config file as it could stop OVERLAPS from working, also be careful when adding an IP address if it is not static, as the system will automatically validate and ignore IP addresses it finds that are no longer registered to the server.
- Added a Host tab to the Configuration utility to allow easier configuration of the host.config file.
- Replaced the HTTPS configuration tab in the Configuration Utility with a more advanced solution to allow greater control over individual certificate bindings. If needed, the old tab can still be enabled by clicking the "Show Legacy HTTPS Configuration Tab" button on the Introduction tab.
- Added the ability to cancel the process when enabling Two Factor Authentication in case the user accidentally clicks through without scanning the QR Code or copying the Manual Code. Note that this does not work when enforcing TFA, and any users effected will need to have an Administrator reset their Two Factor code if they fail the registration process.
- Added clarification to the Save Permissions modal confirming that OVERLAPS permissions are distinct from AD permissions, and saving will have no effect on Active Directory itself.
- Added "/start" and "/end" date parameters to the History Report tool so that you can now export a range of dates.
- Fixed two minor bugs in the Configuration Utility which was causing it to disable the "View the OVERLAPS Setup Guide (PDF)" button, and was also failing to open the PDF.
- Added a post-upgrade operation handler to enable more fine-grained handling of sensitive systems which may change between program versions.
- Slightly altered the look of the Edit User Access Levels dialog to improve readability.
- Added the ability to specify a Self Service request authoriser in the Self Service configuration for a user, this is an alternative to granting container-wide Authoriser permissions. The authoriser user/group must also be a member of OVERLAPS first.
2020-09-17 - Version 22.214.171.124
- Improved key persistence handling when binding certificates to OVERLAPS for SSL/TLS encryption to help resolve issues with HTTPS connections failing after an indeterminate amount of time.
- Fixed a minor bug in the service health check system.
2020-09-11 - Version 126.96.36.199
- Fully reworked certificate binding system to remove reliance on NetSH and to make requests directly to the Windows HTTP API instead.
- Re-enabled enumerating users from other domains in groups, however for now this is only supported if Multi-Forest Authentication is disabled. This may also not work with the Security Principal access method, but should with both LDAP and Directory Searchers.
- Added a password prompt when loading a certificate in the Configuration Utility if one is required.
- Added functionality to automatically add wildcard certificates to the hostname list in the HTTPS section of the Configuration Utility.
- Fixed a bug in the Licence Required page which was preventing it from being displayed when a licence file is not found.
- Fixed a bug in the host.config file handler which may have resulted in multiple host names appearing on a line, causing the service to fail to start. Additional validation has also been added when reading the file to reduce the possibilities of failure due to invalid or corrupt data appearing in the file.
- Fixed a minor bug with an error being logged when looking for computer objects when browsing the root of the domain.
- Fixed a bug in the AD Structure Update operation which wasn't properly updating the Distinguished Names of child containers when a parent was renamed.
- Improved error handling in the Management Worker.
- Fixed a bug on some systems where a breaking or invisible character was being added to command line utilities, which stopped them from functioning.
- Fixed a bug in the Program Update checker on non-internet connected servers which could have resulted in pages not loading.
2020-08-28 - Version 188.8.131.52
- Fixed a bug which was causing the Active Directory credentials to be reset when saving settings, and caused an error in the configuration utility.
- Fixed a bug when adding groups.
- Added additional performance monitoring metrics.
2020-08-27 - Version 184.108.40.206
- Fixed minor bug in select all handler in Users and Groups
- Corrected issue with LAPS Debug failing to read the LAPS schema
- Added a daily check to make sure the Windows Firewall allows inbound connections to the OVERLAPS ports (if it is enabled).
- Added the ability to enable Active Directory query performance measuring for debugging purposes.
- Limited the number of results returned when searching for Active Directory users to add (Users and Groups) to improve performance in environments with a large number of users/groups.
2020-08-26 - Version 220.127.116.11
- Added the ability to bind HTTPS certificate to multiple hostnames. This can be useful for cases where the certificate doesn't match your hostname, such as with wildcard certificates.
- Made it so that when you are binding a certificate, if a binding exists for a specified hostname or ip address, then the binding will be removed and re-applied.
- Added support for remote management connection handling.
- Changed User Security Principals group lookup to check all groups, not just security groups
- Fixed problem with log signature not reading the program's digital signature properly and reporting that the file was not signed.
- Increased ajax request timeout from 15 seconds to 2 minutes to allow for slower environments.
- Added the ajax request timeout value to the Host settings page to allow it to be changed if needed.
- Fixed issue where select-all checkbox wasn't working when content was being loaded dynamically.
- Fixed password and expiry column alignment issues in search results.
- Added a clearer indication that a search is occurring in autosuggest inputs.
- Made sure all JSON ajax calls will now properly report an error message if the request times out.
- Added program update notification options to the Profile page. If enabled, when a major (x.x) or minor (x.x.x) update is detected, the user will receive a popup window telling showing them the release notes. This will only popup once per user until another update is detected.
- Retired legacy CLI database upgrade tool as it has been superceded by the GUI.
- Migrated all config.xml settings into the database and retired the config file. This will make it much easier for us to add new options and retire legacy ones in the future.
- Updated the Configuration Utility to read/write configuration settings from the database instead of the old config.xml file.
- Fixed a minor bug where domain roots were being identified and queried by their LDAP path instead of distinguished name
- Cached a list of available domains instead of refreshing dynamically. This can improve performance, particularly in environments with multiple off-site domains.
- Added the ability to enable/disable the use of specific domains from the Active Directory settings. All domains are enabled by default.
2020-08-10 - Version 18.104.22.168
- Added additional debug logging
- Improved the handling of a rare error that occurs when the same user is added to the database more than once at the same time.
- Partially fixed Windows Integrated Authentication problem not allowing the users to logout, the solution works in all tested browsers except for Firefox for which we are still seeking a solution.
- Improved error handling in Active Directory connectivity which could have caused an entire process to fail if an error was encountered on a single element of the process.
- Replaced leftover LDAP requests in the Directory Searcher handler so that all requests are now unified under their appropriate handlers to maximise support for different AD environments.
- Refactored Active Directory structure scan to improve stability and provide extra information if a problem occurs.
- Added an Active Directory monitor which periodically checks for changes to the AD structure and schedules an AD structure update if needed. This should help OVERLAPS stay up to date in rapidly changing environments, however due to potential for excessive structure updates, this will still only run once every half an hour to allow for delays in replication.
- Improved error and output handling of lapscheck_system.exe
2020-08-05 - Version 22.214.171.124
- Added hostname bindings to webhost to support certificates which do not have IP address alternate DNS entries
- Made sure Self Service Managed By users raised the correct type of Authorisation Request when appropriate
- Improved Browser treeview handling so that previously selected container siblings that the user has permission to are also shown
- Fixed a bug in the password view where the Authorisation expiry was only showing the time component.
- Added an option to require View History permission before a user can setup notifications on containers they have access to.
2020-08-04 - Version 126.96.36.199
- Fixed bug in Configuration Utility not correctly pre-populating HTTPS section if using a non-standard port.
- Fixed bug in 301 redirect when using non-standard ports.
- Resolved an issue where the first AD scan would not generate the correct parent/child relationships between containers.
- Fixed a bug where group authorisors weren't able to review their pending authorisation requests.
- Computer Management
- Added the ability to specify expiry date/time when expiring passwords. This can either be enabled globally for all users with the Expire Passwords permission or per-user via their User Access Levels. This cannot currently be enabled for users who need to submit Access Requests to expire passwords though.
- Added a computer information modal for viewing additional information about a computers Active Directory properties. A new per-container permission has been added to allow users to view this.
- Added the ability to edit the description of a computer object in Active Directory. The OVERLAPS server must have the "Write Description" permission in AD. A new per-container permission has been added for this ability.
- Added Computer Management capability including separate per-container permissions and Management page for viewing the results of your recent Management tasks. Each tool must be manually enabled from the Site Settings page.
- Added a Computer Management task to ping computers from OVERLAPS
- Added a Computer Management task to run a remote Group Policy update on computers from OVERLAPS
- Added the ability to enter one or more alternative email addresses when creating a notification (so it can go to a distribution group for example). By default, to prevent abuse, the addresses are limited to known domains (current domain, other domains in the forest, and domains in other trusted forests), this can be configured from the Email Settings page.
- Added the computer control buttons (bottom of the computer list) to the top of the page as well for easier access.
- Fixed issues with the computer select checkboxes not working for some search results
- Reworked computer search feature to resolve an issue with the sorting mechanic
- Updated container permissions so that anyone with a valid permission to a container can now view the computers in that container. So users don't need permission to read computer passwords if they just need access to the computer's information, or to run a ping on it.
- Added missing notification when a Authorisation Request for a computer password reset is authorised.User Management
- Added a tool for bulk importing Self Service users and their computers from a CSV file.
- Add ability to enforce 2FA, when enabled users will be prompted to scan a QR code and then enter the code in their authenticator app before they can proceed.
- Changed the LDAP and Directory Searcher so that when searching for a new domain user to add to OVERLAPS they will now also search by Display Name as well as the sAMAccountName as was the previous behaviour. To avoid creating duplicate queries, the Principal search has not currently been updated to do the same.
- Changed Add User handling so that if the auto-suggest is unable to find the user in Active Directory, it will now attempt to use the entered username to find the user instead.Self Service
- Added Authorisation System to Self Service users, now each computer can be tagged to require a nominated authorisor for that AD container to authorise a request before the user can access the password. A new permission "Authorise Self Service" has been added to accommodate this.
- Applied Rate Limits to Self Service users
- Fixed an issue when saving the Self Service settings for a user without adding any computers (just setting the Managed By property).
- Fixed an issue where Self Service users may still have seen the "Browser" button in their menu, which would then show an error if used because they don't have permission to access any containers.Profile
- Added a list of notifications the current user is subscribed to to the Profile page with ability to remove themLanguage
- Added German, French, Spanish and Italian machine translations (provided by DeepL). More languages to follow.Configuration
- Fixed a bug when saving Auto Reset values which was failing the valid values validation process.
- Added the ability to search the configuration file in the Configuration Utility
- Added the ability to unbind certificates from the Configuration Utilty when there is one already bound to the selected hostname / IP address
- Added certificate store option to Configuration Utility to fix a problem where official third-party certificates (e.g. Thawte, LetsEncrypt, etc) need importing into Trusted Root Certification Authorities whereas Self Signed certificates need to go into the Personal store.
- Added the ability to give Organizational Units an alternative Display Name. This allows you to give containers friendlier designations for end users.
- Fixed an issue where it wasn't possible to grant group members permissions to containers individuallySystem
- Unified page handling for login and two-factor authentication entry pages
- Changed default behaviour so that the webhost will failover to a wildcard binding in rare cases where no IP addresses can be found on the server. As this presents a possible surface of attack, administrators will receive a warning about this on the Host settings screen advising them to set the IP address manually.
- Fixed a main menu display issue on small screen devices
- Added the LAPS Active Directory Checker tool ("lapscheck.exe") for scanning a particular OU or computer object to test their LAPS relevant permissions and access to the LAPS properties. This can be passed a username and password for checking different accounts, or use the "lapscheck_system.exe" tool to run it as NT AUTHORITY\SYSTEM to simulate OVERLAPS's default setup. See lapscheck.readme.txt for more information.
- Added support for LDAP and Security Principals for computer operations (on top of existing Directory Searcher) for increased compatibility across environments.
- Changed user authentication over to using the defined primary/fallback methods as used by other user queries
2020-06-09 - Version 188.8.131.52
- Added a LAPS Debug section to the config screen. This can be used to scan a given Organizational Unit's permissions for users/groups with Read/Write permissions to the LAPS properties ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
- Added an Active Sessions view to the config screen to improve ability to monitor users and check for security issues.
- Added user display name information to help avoid errors with similar usernames
- Added option to enable Multi-Forest Authentication so you can now add users and groups from other trusted forests to OVERLAPS to allow them to login and view/manage computers in your local forest.
- Added the ability to specify the hostname/URL and service account name in the COnfiguration Utility's Kerberos section. This will default to the hostname of the server and its LOCAL SYSTEM account, but can be changed for FQDN URLs or alternative service accounts.
- Reworked session verification
- Fixed a bug in calls to NetSH on non-English operating systems which was causing it to return failure
- Fixed a bug in "olconfig.exe" which was causing the Kerberos query/setup commands to fail due to an unexpected condition in the CLI handler.
2020-06-01 - Version 184.108.40.206
- Fixed a bug which was causing the new Edit Self Service permission to not properly replicate to group members.
- Added a delay to the Self Service computer lookup script to improve performance and reduce the risk of it becoming overwhelmed by fast data entry.
- When no upper limit is specified for computer lookup operations (ComputerADQueryMaximumResults in the config file), the Self Service lookup will automatically limit the results to a maximum of 250 devices to prevent huge result sets from being returned.
2020-05-31 - Version 220.127.116.11
- Applied the ComputerADQueryMaximumResults limit to the Self Service computer lookup query
- Added separate permission "Edit Self Service" for users who can manage the self service computers accessed by other users and groups, but do not have permission to edit any other settings.
- Added US English language pack
- Added System Language selection option to Customisation section of Configuration page.
- Fixed a bug in the cookie handler which could rarely create a session ID mismatch
- Fixed a bug in the system language loader which was overwriting the configuration-set system language override.
- Added a timeout to worker thread cleanup process to prevent service hangs
2020-05-30 - Version 18.104.22.168
- Added the ability to modify Self Service computers for individual group members
- Fixed a bug in the self service list population for group members
- Fixed an incompatibility which was stopping clipboard function from working on IE and some other specific versions of browsers
- Changed it so that self service container distinguished name is updated if an AD container is moved or renamed
- Fixed problem in AD structure scan where renamed containers weren't updating their distinguishedName or path
- Updated cookie handler for compliance with Google's SameSite policy
- Updated Clipboard.js library to 2.0.6
- Updated Boostrap to version 4.5.0
- Updated jQuery to version 3.5.1
2020-05-29 - Version 22.214.171.124
- Fixed a typo in the Self Service configuration modal
- Fixed an initialisation bug on first installs which may have prevented group membership checks to fail until the service is restarted once
- Added a clearer error message when attempting to bind an SSL/TLS certificate to a hostname which already has one
- Added a status identifier and success message to HTTPS certificate binding tab in the configuration utility
2020-05-25 - Version 126.96.36.199
- Added IP address information to history log for auditing purposes.
- Added a new command line tool: historyreport, which allows you to export history data to either a CSV, PDF or RTF report for auditing purposes.
- This is a rollup update which consolidates all of the hotfixes included in the recent minor updates.
2020-05-15 - Version 188.8.131.52
- Fixed a bug in the Rate Limit calculations for group members and improved the method of combining Rate Limits for members of multiple groups.
2020-05-14 - Version 184.108.40.206
- Changed Two Factor Authentication (2FA) handling so that changing the identifier no longer requires all user accounts to have 2FA disabled.
- Increased 2FA key length for improved resilience (users will need to disable/re-enable 2FA to make use of this)
- Fixed a typo in 2FA enable window
- Added the ability to disable 2FA on individual group members
2020-05-11 - Version 220.127.116.11
- Fixed a bug in the Self Service (SS) Managed-By handler which may have caused computers to not be populated for some SS users in some environments.
2020-05-08 - Version 18.104.22.168
- Changed licence handling so that a service restart is no longer required after installing you licence file.
- Fixed a bug where in Two-Factor Authentication (2FA) remembering your current device was being carried over when disabling and re-enabling 2FA.
- Added the ability to change your identifier in the Authenticator app for 2FA to support sites with multiple installs of OVERLAPS.
- Added a GUI-based database upgrade tool to the installer
- Added a GUI configuration tool
- Added an option to display a larger password dialogue to improve support for configurations which use LAPS generated passwords of 27 characters or more.
- Logging will now automatically default to Verbose for 1 week after installing any update to aid in debugging any problems that occur.
- Restored homepage authorisation handler to add additional logging around authorisation failures.
- Added more explanatory error information around authorisation failures.
2020-04-28 - Version 22.214.171.124
- Added additional service shutdown checks during upgrade process to minimise the possibility of encountering file or database locks.
- Improved handling of service shutdown while management workers are performing lengthy tasks.
2020-04-09 - Version 126.96.36.199
- Fixed the link back to OVERLAPS in Authorisation Request emails.
- Removed the required property from the SMTP server's username and password values for internal servers which do not require authentication.
2020-04-08 - Version 188.8.131.52
- Fixed an issue with Active Directory usernames which contain extended ASCII characters.
- Added the option to allow Self Service users to read the passwords of any computers which they are listed as the manager of with the "Managed By" property in AD.
2020-04-03 - Version 184.108.40.206
- Fixed a computer search issue when the LAPS properties could not be read.
- Made changes to the Log Level setting apply without the need for a service restart.
2020-03-31 - Version 220.127.116.11
- Fixed an issue which was causing problems in domains which used a hyphen in one of their Domain Components (DC)
- Fixed an issue when logging out after logging in using WIA
- Fixed a minor security reporting flaw in dynamic content loader
- Implemented a new database backend
- Added Phonetic Alphabet display for passwords
- Added Two Factor Authentication support
- Implemented an Authorisation Request System
- Implemented a new Notification system
- Refactored permissions system to be per-container rather than per-user
- Removed root container requirement
- Improved auditing
- Added IP address binding
- And more...
- Added an automatic update checker for systems where an internet connection is available. When an update is detected,"Update Available" text is added to the footer with a link to the update information.
- Restricted maximum number of pages shown in computer browser's pagination element to prevent cases whereit would extend beyond the width of the screen in containers with thousands of computer objects.
- Added pagination to search results to improve performance in data sets with a large number of results.
- Replaced full page refresh on computer browser pagination with AJAX data load.
- Adjusted computer event handler so that they would continue to work in an Ajax loaded data container.
- Added Automatic Password Reset function
- Added licensing system
- Removed prerequisite installation bundle to simplify download list
- Digitally signed all relevant executables, DLLs and installers
- Fix for Kerberos enforced encryption
- Removed restriction on enabling HTTPS from the trial
- Added support for Multiple Domain Forest environements
- Improved handling of Security Groups
- Increased limits of DOS protection to allow for larger domains
- Added DOS protection settings to config file to further allow these limits to be increased if needed
- Implemented automatic configuration file backup when changes are saved
- Added additional action auditing entries to the history log
- Added User Rate Limiting system
- Added ability to specify separate LAPS credentials instead of relying on the account that the OVERLAPS service is running as
- Improved memory management in the Session Manager
- Fixed minor display issues on niche mobile browsers
- Fixed issue in login process for users of international keyboards