Local Administrator Password Solution (LAPS) is a Microsoft product for managing local administrator passwords. Using LAPS passwords are stored in Active Directory (AD) and can be controlled via Group Policy.
Installation
For a start, LAPS has to be downloaded from HERE. The download package contains both x86 and x64 versions of LAPS along with the datasheet, operations guide, and technical specification. It’s worth saying that LAPS does not require a dedicated server as generated passwords are stored in Active Directory.
The following components have to be installed on the machine from which LAPS will be configured.
AdmPwd GPO Extension – This component is NOT required if this machine won’t be LAPS managed.
Fat client UI – This will install fat client UI and related files. This is needed for viewing the LAPS configured passwords.
PowerShell module – This will install ADMPwd.PS module which is required for configuring permissions, Active Directory Schema Extension and command-line management.
GPO Editor Templates – This will install ADMX templates that will be used to configure and deploy LAPS using Group Policy.
Configuration
Once LAPS is installed we have to run Powershell in elevated mode using an account that is a member of the Schema Admins Active Directory group.
Enter the following command in Powershell to import ADMPwd.PS module that we have installed before.
Import-Module AdmPwd.PS
In the next step, we’ll be extending the AD Schema.
Update-AdmPwdADSchema
With this done, we’ll have two new attributes visible on the properties of the computer objects in Active Directory.
ms-MCS-AdmPwd
ms-Mcs-AdmPwdExpirationTime
One attribute is used for storing the administrative password, while the other one holds password expiration time.
Now we have to grant write permissions on both of these attributes for the SELF account.
Enter the following command in elevated Powershell window:
Set-AdmPwdComputerSelfPermission -Identity “OU name”
Replace “OU Name” with the name of the Active Directory Organizational Unit that contains computers or servers. For test purposes, you can do this only with one organizational unit. Later on, this command can be applied for the top-level OU or individual computers and servers OUs.
Note: If your domain holds multiple same OU names, Distinguished Name should be used instead of “OU name).
To grant permissions for a group or a user for the following OU the following command has to be used:
Set-AdmPwdResetPasswordPermission –Identity “OU name” -AllowedPrincipals “AD group or username”
If for whatever reason above command won’t work, you can delegate control to AD group or individual user to a specified OU and add All extended rights permission for This object and all descendant objects as seen in the screenshot below.
Current permission holders with Extended rights for a specific OU can be checked with the following command:
Find-AdmPwdExtendedRights –Identity “OU name”
The only thing that we should do now is to create a GPO and link it to a specified computer or server container.
With this policy we can define if LAPS is enabled, name of the local administrator account that we’ll be used in LAPS policy, password complexity, password length, and password age.
That should be it. Questions and suggestions are welcome!