<p>Local Administrator Password Solution (<b>LAPS</b>) is a <b>Microsoft</b> product for managing local administrator passwords. Using LAPS passwords are stored in Active Directory (AD) and can be controlled via Group Policy.</p>
<h4><strong>Installation</strong></h4>
<p>For a start, LAPS has to be downloaded from <a href="https://www.microsoft.com/en-us/download/details.aspx?id=46899&;Search=true" target="_blank" rel="noopener noreferrer">HERE</a>. The download package contains both <strong>x86 and x64</strong> versions of <strong>LAPS</strong> along with the datasheet, operations guide, and technical specification. It&#8217;s worth saying that LAPS <strong>does not require a dedicated server</strong> as generated passwords are stored in Active Directory.</p>
<p>The following components have to be installed on the machine from which LAPS will be configured.</p>
<p><img class="alignnone size-full wp-image-3318" src="https://www.wincert.net/wp-content/uploads/2019/09/laps-installation-1-1.png" alt="" width="488" height="383" /></p>
<p><strong>AdmPwd GPO Extension</strong> &#8211; This component is NOT required if this machine won&#8217;t be LAPS managed.<br />
<strong>Fat client UI</strong> &#8211; This will install fat client UI and related files. This is needed for viewing the LAPS configured passwords.<br />
<strong>PowerShell module</strong> &#8211; This will install <strong>ADMPwd.PS</strong> module which is required for configuring permissions, Active Directory Schema Extension and command-line management.<br />
<strong>GPO Editor Templates</strong> &#8211; This will install <strong>ADMX templates</strong> that will be used to configure and deploy LAPS using Group Policy.</p>
<h4>Configuration</h4>
<p>Once <strong>LAPS</strong> is installed we have to <strong>run Powershell in elevated mode</strong> using an account that is a member of the <strong>Schema Admins</strong> Active Directory group.</p>
<p>Enter the following command in Powershell to import <strong>ADMPwd.PS</strong> module that we have installed before.<br />
<strong>Import-Module AdmPwd.PS<br />
</strong></p>
<p>In the next step, we&#8217;ll be extending the AD Schema.<br />
<strong>Update-AdmPwdADSchema</strong></p>
<p>With this done, we&#8217;ll have two new attributes visible on the properties of the computer objects in Active Directory.</p>
<p><strong>ms-MCS-AdmPwd</strong><br />
<strong>ms-Mcs-AdmPwdExpirationTime</strong></p>
<p><img class="alignnone size-full wp-image-3319" src="https://www.wincert.net/wp-content/uploads/2019/09/laps-password-2.jpg" alt="" width="237" height="39" /></p>
<p>One attribute is used for storing the administrative password, while the other one holds password expiration time.</p>
<p>Now we have to grant write permissions on both of these attributes for the SELF account.</p>
<p>Enter the following command in elevated Powershell window:<br />
<strong>Set-AdmPwdComputerSelfPermission -Identity “OU name”</strong></p>
<p>Replace &#8220;<strong>OU Name&#8221;</strong> with the name of the Active Directory Organizational Unit that contains computers or servers. For test purposes, you can do this only with one organizational unit. Later on, this command can be applied for the top-level OU or individual computers and servers OUs.<br />
<em><strong>Note: If your domain holds multiple same OU names, Distinguished Name should be used instead of &#8220;OU name).</strong></em></p>
<p>To grant permissions for a group or a user for the following OU the following command has to be used:<br />
<strong>Set-AdmPwdResetPasswordPermission –Identity “OU name” -AllowedPrincipals “AD group or username”</strong></p>
<p>If for whatever reason above command won&#8217;t work, you can delegate control to AD group or individual user to a specified OU and add <strong>All extended rights</strong> permission for <strong>This object and all descendant objects</strong> as seen in the screenshot below.</p>
<p><img class="alignnone wp-image-3326 size-full" title="How to install and configure LAPS" src="https://www.wincert.net/wp-content/uploads/2019/09/laps_extended_rights.png" alt="How to install and configure LAPS" width="964" height="608" /></p>
<p>Current permission holders with Extended rights for a specific OU can be checked with the following command:<br />
<strong>Find-AdmPwdExtendedRights –Identity “OU name”</strong></p>
<p>The only thing that we should do now is to create a GPO and link it to a specified computer or server container.</p>
<p>With this policy we can define if <strong>LAPS is enabled, name of the local administrator account that we&#8217;ll be used in LAPS policy, password complexity, password length, and password age</strong>.</p>
<p><img class="alignnone wp-image-3329 size-full" title="How to install and configure LAPS" src="https://www.wincert.net/wp-content/uploads/2019/09/laps_policy.png" alt="How to install and configure LAPS" width="1541" height="388" /></p>
<p>That should be it. Questions and suggestions are welcome!</p>

How to install and configure LAPS (Local Administrator Password Solution)
Businesswoman holding tablet pc entering password. Security concept