| by TheIneptOne | No comments

Microsoft LAPS

Microsoft LAPS (Local Administrator Password Solution) solves the issue of the password management with those local user accounts across your Active Directory domain but randomizing and expiring those local password. In this post I’ll go over how to install and setup LAPS.


Installation and Configuration

Download the installer from the link above. We’ll only need the x64 package as we don’t have any x86 clients in our environment.

Run the msi and install all features; if this is the first server. For any additional servers/workstations, only install the Management Tools

In AD, create a security group to administer the local admin passwords. We’ll use LapsAdmins

Add the AD Schema Extensions by running the following commands in PowerShell

Import-module AdmPwd.PS

Add Machine Rights so the computers can update the password and expiration date of its own managed local admin password. This will need to be done on all OUs where computers will be managed.

Set-AdmPwdComputerSelfPermission -OrgUnit 'CN=Computers,DC=domain,DC=local'
 Note: If the computers are in an OU that is not default, change CN=Computers to OU=Name.  

Give read permissions to the security group to be able to read the computer passwords.

Set-AdmPwdReadPasswordPermission -OrgUnit 'CN=Computers,DC=domain,DC=local' -AllowedPrincipals LapsAdmins

Give write permissions to the security group to be able to force password resets.

Set-AdmPwdResetPasswordPermission -OrgUnit 'CN=Computers,DC=domain,DC=local' -AllowedPrincipals LapsAdmins

Check the Extended Rights permissions on the computers OU to verify no regular users have access.

Repeat these steps for each OU that hosts computers.

Find-AdmPwdExtendedRights -Identity 'CN=Computers,DC=domain,DC=local' | Format-Table ExtendedRightHolders

If any users or groups are listed that should not be, remove the Extended rights permissions for that user or group so they will not be able to see the computer passwords.

 Note: You do not need to do this step if no other users and groups need to have permissions removed. Be very careful using ADSIEdit. 
  • Open ADSIEdit
  • Right Click on the OU that contains the computer accounts that we’ll be using LAPS with and select Properties.
  • Click the Security tab
  • Click Advanced
  • Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit.
  • Uncheck All extended rights

Group Policy

Copy the AdmPwd.admx file to to the domain controller and then to C:\Windows\PolicyDefinitions and the AdmPwd.adml file to C:\Windows\PolicyDefinitions\en-US

Copy the LAPSx64.msi file to a shared folder accessible by all

Open Group Policy and create a new group policy called LAPS and link it to your Computers OU.

  • Navigate to Computer Configuration > Policies > Administrative Templates > LAPS
    • Enable the Password Settings and set the following:
      • Complexity: Leave default (Large, small letters, numbers, and special characters.
      • Password Length: 16
      • Password Age (Days): 30
    • Enable Name of administrator account to manage
      • Add Admin
    • Enable local admin password management
  • Navigate to Computer Configuration > Policies > Software Settings .
    • Right click Software Installation and select New > Package
    • Use the UNC path of the server share and select the msi file (i.e. \\server\share\LAPSx64.msi)
    • Select Assigned and click OK
    • Right click on the new policy and select Properties
      • Click on Deployment > Advanced
      • Check Ignore language when deploying this package
      • If this is the x86 version, also uncheck Make this 32-bit x86 application available to Win64 machines
      • Click OK
    • Click OK to save

Test by running gpupdate on a computer and rebooting when prompted. Once the system comes back online, LAPS should show up in Apps & Features and a DLL will be visible in C:\Program Files\LAPS\CSE.


Leave a Reply