Microsoft LAPS is one of the solutions that address these issues. The Local Administrator Password Solution (LAPS) manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset. Today I am going to show you how to deploy it.
Prerequisites
Supported Operating System: Windows Server 2019, Windows Server 2008, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2003, Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8, Windows Vista, Windows 8.1, Windows Server 2022
Active Directory:
• Windows 2003 SP1 or later.
Managed machines:
• Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
Note: Itanium-based machines are not supported.
Management tools:
• .NET Framework 4.0
• PowerShell 2.0 or later
Step 1: Download LAPS
1. Download the Microsoft LAPS package from https://www.microsoft.com/en-us/download/details.aspx?id=46899
2. On the Choose the download you want page, select LAPS.x64.msi, and click Next.
3. Log in to the target computers that will update the local administrator password.
4. Run the LAPS.x64.msi file. (You need to run this as administrator.)
5. On the Welcome page, click Next.
6. On the End-User License Agreement page, select I accept the terms in the License Agreement, and click Next.
7. On the Custom Setup page, deselect AdmPwd GPO Extension and select Management Tools. If you are also managing the local administrator account of the management server, you also need to install the AdmPwd GPO Extension. In my case, I am installing it on a domain controller, so I do not need it.
8. Click Next.
9. On the Ready to install Local Administrator Password Solution page, click Install.
10. On the Completed page, click Finish.
Once this is done, we need to extend the Active Directory schema to support Microsoft LAPS.
11. Open PowerShell as an Active Directory Schema Administrator.
12. Run the cmdlet below.
Import-Module AdmPwd.PS
13. Run the cmdlet below to update the schema.
Update-AdmPwdADSchema
14. Verify the two new attributes on the computer object after the schema update.
ms-Mcs-AdmPwd – stores the administrator password in clear text.
ms-Mcs-AdmPwdExpirationTime – stores the timestamp of the password expiration.
These values will be updated once we finish the rest of the configuration.
During the password update process, the computer object itself must have permission to write values to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. To allow that, we need to grant write permission to the built-in SELF principal.
15. Open PowerShell as a Domain Administrator.
16. Run the cmdlet below to change the computer object permissions.
Set-AdmPwdComputerSelfPermission -OrgUnit Servers
Servers is the OU I created for all the machine objects.
17. Create a new security group and add users as members of this group; members of this security group will have permission to view the local administrator passwords.
18. Before we assign permissions, run the cmdlet below to see who has privileges to view the passwords by default.
Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity Servers
We notice that extended permissions are applied only to the Domain Admins group. This means the local administrator password of a computer object in the Servers OU can only be accessed by a domain admin account.
19. Run the cmdlet below to add extended permissions for the LAPSAdmins security group.
Set-AdmPwdReadPasswordPermission -Identity Servers -AllowedPrincipals LAPSAdmins
20. Run the cmdlet below to verify the extended permissions of the LAPSAdmins security group.
Find-AdmPwdExtendedRights -Identity Servers | fl
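As an added example (not part of the original post), the following PowerShell audit script combines the two attributes from step 14 with the extended-rights check from step 20: it reports, for every computer in the Servers OU, whether ms-Mcs-AdmPwdExpirationTime is populated and whether rotation is overdue, and flags any principal holding the password-read right that is not on an allow-list. The domain name, OU distinguished name and allowed-principal list are placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed alongside AdmPwd.PS.

```powershell
# Added example: audit the LAPS (AdmPwd) deployment state for the Servers OU.
# Assumptions: domain is example.local (placeholder), the OU is "Servers", and only
# Domain Admins and LAPSAdmins are expected to hold the password-read extended right.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU      = 'OU=Servers,DC=example,DC=local'                   # placeholder DN
$Allowed = @('EXAMPLE\Domain Admins', 'EXAMPLE\LAPSAdmins')   # placeholder principals
$Now     = [DateTime]::UtcNow

# 1. Per-computer rotation state. ms-Mcs-AdmPwdExpirationTime is a 64-bit FILETIME,
#    so it is converted with FromFileTimeUtc. ms-Mcs-AdmPwd is deliberately NOT
#    requested: the audit needs to know a password has been set, not its value.
$computers = Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # Empty attribute: the GPO client-side extension has never written a password
        Write-Warning "$($c.Name): LAPS has never set a password (attribute empty)"
        continue
    }
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    if ($expires -lt $Now) {
        # Overdue: the extension should rotate at the next Group Policy refresh
        Write-Warning "$($c.Name): password rotation overdue since $expires (UTC)"
    } else {
        Write-Output "$($c.Name): next rotation at $expires (UTC)"
    }
}

# 2. Who can read passwords in this OU. Anything not on the allow-list is flagged,
#    which catches rights granted by mistake or inherited from a parent container.
$rights = Find-AdmPwdExtendedRights -Identity $OU
foreach ($r in $rights) {
    foreach ($principal in $r.ExtendedRightHolders) {
        if ($Allowed -notcontains $principal) {
            Write-Warning "$($r.ObjectDN): unexpected password reader $principal"
        }
    }
}
```

Run it from the management server with an account that can read computer objects in the OU; it never displays a password, so it is safe to schedule as a recurring check.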
21. Create a GPO to install the LAPS agent software on the managed computers.
22. Log in to the domain controller.
23. Open Group Policy Management.
24. In the Group Policy Management console, right-click Group Policy Objects, and select New.
25. Type LAPS Software Install as the new GPO name, and click OK.
26. On the Contents page, right-click the LAPS Software Install GPO, and select Edit.