Local Administrator Password Solution (LAPS) is a Microsoft product that manages the password of the built-in local administrator account on domain-joined computers. Each computer sets a unique, random password for that account and stores it in Active Directory (AD) as an attribute of its own computer object, where an ACL restricts who can read it.
How to implement LAPS
Step 1: Add the Active Directory Domain Services (AD DS) role and set up the domain
Step 2: Join at least one client computer to the domain
Step 3: Download the LAPS installer from https://www.microsoft.com/en-us/download/details.aspx?id=46899


Step 4: Run the LAPS.x64.msi installer on the management server

Step 5: Select the features to install. On the management server, add the Management Tools (the fat client UI, the PowerShell module and the GPO Editor templates) in addition to the AdmPwd GPO Extension. The clients only need the AdmPwd GPO Extension, which is what the MSI installs by default.



Step 6: Create a shared folder to hold the client .msi file. The Domain Computers group must have read access to this share, because each client installs the package from it using its computer account.

Step 7: Create a Group Policy Object (GPO) for the deployment and link it to the OU that contains the clients. The GPO is named LAPS_INSTAL in the steps below.

Step 8: Right-click LAPS_INSTAL, choose Edit, and go to Computer Configuration -> Policies -> Software Settings -> Software Installation

Step 9: Right-click Software Installation -> New -> Package

Step 10: Browse to the shared folder created in Step 6 and select LAPS.x64.msi. Open the share by its UNC path (\\server\share\LAPS.x64.msi), not a local drive letter, because the path is stored in the GPO and the clients must be able to resolve it.



Step 11: Right-click the Local Administrator Password Solution package that now appears and click Properties

Step 12: Select the Deployment tab and select the option “Uninstall this application when it falls out of scope of management.”

Step 13: Select the Security tab and add the Domain Computers group with Read permission, so the client machines can apply the package.


Step 14: On the client, open an elevated command prompt and run gpupdate /force. Software installation policies are processed at computer startup, so accept the restart prompt (or reboot the client). After the restart the LAPS client (the AdmPwd GPO Extension) appears in the list of installed programs.

Step 15: Next, extend the AD schema and delegate permissions from the management server. Run the following in an elevated PowerShell session. The commands assume that the client computers live in an OU named LAPS.
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
This adds the ms-Mcs-AdmPwd (password) and ms-Mcs-AdmPwdExpirationTime (expiry) attributes to the computer class. It runs once per forest and must be executed by a member of Schema Admins.

Set-AdmPwdComputerSelfPermission -OrgUnit LAPS
This grants the computers in the LAPS OU the right to write their own password and expiration attributes (the SELF principal gets write access), which the client extension needs in order to store the password it sets.

Set-AdmPwdReadPasswordPermission -OrgUnit LAPS -AllowedPrincipals LAPuser1
This grants LAPuser1 read access to the password attribute of every computer in the LAPS OU. The principal itself does not need to be in that OU; it is the computers that must be. In practice, delegate to a group rather than to an individual account.
Set-AdmPwdResetPasswordPermission -OrgUnit LAPS -AllowedPrincipals LAPuser1
This grants LAPuser1 the right to force a reset of a computer's local admin password. The reset works by writing the expiration attribute; the client then sets a new password at its next Group Policy refresh.

Find-AdmPwdExtendedRights -Identity LAPS
This lists, for the OU and each container under it, the principals that hold "All Extended Rights" on it. Anyone on that list can read the clear-text password even without the explicit delegation above, so review the output and remove any principal that should not have it before passwords start being stored.
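The same delegation done as a script, with the checks a practitioner would add: a group instead of a single user, auditing of password reads, and a review of who already holds extended rights on the OU. This is an added example, not code from the article or from Microsoft; the group name LAPS-PasswordReaders and the allow-list of expected principals are assumptions for illustration and should be adjusted to the environment.

```powershell
# Added example (not the article's code). Assumes the client computers live in an OU named
# LAPS and that a group named LAPS-PasswordReaders (hypothetical name) should be the only
# delegated reader. Run in an elevated PowerShell session on the management server.
Import-Module AdmPwd.PS

$OrgUnit = 'LAPS'
$Readers = 'LAPS-PasswordReaders'

# 1. Extend the schema once per forest. This needs Schema Admins; fail clearly if it is missing.
try {
    Update-AdmPwdADSchema -ErrorAction Stop
} catch {
    throw "Schema update failed (is the current user a member of Schema Admins?): $_"
}

# 2. Let each computer in the OU write its own ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# 3. Delegate read and reset to a group, never to individual accounts.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $Readers

# 4. Log every read of the password attribute (event 4662 on the domain controllers,
#    once "Audit Directory Service Access" is enabled there).
Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals:Everyone

# 5. Audit who can already read the password through "All Extended Rights" on the OU.
#    Anything outside this allow-list (an assumption for this example) is a finding to fix
#    before passwords are stored.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\$Readers"
)

$Findings = foreach ($entry in Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($Expected -notcontains $holder) {
            [pscustomobject]@{ Object = $entry.ObjectDN; Holder = $holder }
        }
    }
}

if ($Findings) {
    Write-Warning 'Principals with unexpected read access to LAPS passwords:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "Only the expected principals can read passwords under OU $OrgUnit."
}
```

The extended-rights review is the step most often skipped. Helpdesk or server-operations groups that were given "Full Control" on the OU years ago inherit the right to read every LAPS password, so run the review again whenever OU delegation changes.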

Step 16: Group Policy: create a new GPO for the LAPS settings and link it to the LAPS OU, as shown in the figure below.

Step 17: Edit the Group Policy

Step 18: In the Group Policy Management Editor, go to Computer Configuration -> Policies -> Administrative Templates -> LAPS

Step 19: Open "Enable local admin password management", select Enabled and click OK

Step 20: Open "Password Settings", select Enabled and set the password complexity, length and maximum age. The defaults are 14 characters and 30 days; keep them unless there is a reason to change them.

Step 21: Apply the GPO on the client by running the following in an elevated command prompt or PowerShell session
gpupdate /force

Step 22: Read the local admin password that the client has now set. Run the following in PowerShell on the management server, as a principal that was granted read permission in Step 15
Get-AdmPwdPassword -ComputerName Client1
The figure below shows the output for that computer, including its current local admin password and the expiration timestamp.

We can also use the LAPS UI (AdmPwd.UI.exe), which is installed under C:\Program Files\LAPS

Step 23: Double-click the application; the screen below lets you look up a computer by name

Step 24: Enter the computer name and click Search; the application shows the local admin password together with its expiry date and time. The Set button next to the expiration field forces the password to expire, so the client rotates it at its next policy refresh.
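The lookup, rollout check and reset done from PowerShell instead of the UI, as an added example (not code from the article or from Microsoft). It assumes the AdmPwd.PS and ActiveDirectory modules are installed on the management server, that the clients sit in the OU named LAPS (the distinguished name OU=LAPS,DC=example,DC=com is a placeholder), that the built-in account is still named Administrator, and that the account running it was granted read and reset permission in Step 15.

```powershell
# Added example (not the article's code). Placeholders: the OU distinguished name, the
# computer name Client1 and the local account name Administrator.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Rollout check: ms-Mcs-AdmPwdExpirationTime is not a confidential attribute, so any
# authenticated user can see which computers have applied the policy and when each
# password is due to rotate. No password read permission is needed for this part.
function Get-LapsRolloutStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'   # Int64 FILETIME, or $null if never set
            $expires = if ($raw) { [datetime]::FromFileTime($raw) } else { $null }

            $state = if (-not $raw) {
                'policy not applied'
            } elseif ($expires -lt (Get-Date)) {
                'expired, rotates at next refresh'
            } else {
                'current'
            }

            [pscustomobject]@{
                Computer = $_.Name
                Expires  = $expires
                State    = $state
            }
        }
}

Get-LapsRolloutStatus -SearchBase 'OU=LAPS,DC=example,DC=com' | Format-Table -AutoSize

# Privileged path: read the password for a one-off task, then expire it so it is rotated.
$entry = Get-AdmPwdPassword -ComputerName 'Client1'
if (-not $entry.Password) {
    throw 'No password readable for Client1: policy not applied yet, or missing read permission'
}

# Wrap it in a credential object instead of pasting the clear-text value around.
$cred = New-Object System.Management.Automation.PSCredential(
    'Client1\Administrator',
    (ConvertTo-SecureString $entry.Password -AsPlainText -Force)
)
# ... use $cred, for example: Enter-PSSession -ComputerName Client1 -Credential $cred ...

# Force rotation now. This only writes the expiration attribute; the client sets a new
# password at its next Group Policy refresh. -WhenEffective schedules it for later instead.
Reset-AdmPwdPassword -ComputerName 'Client1'
# Reset-AdmPwdPassword -ComputerName 'Client1' -WhenEffective (Get-Date).AddHours(1)
```

Treat every password read as a one-time secret: once it has been used interactively it should be expired, otherwise it stays valid until the configured maximum age, and the 4662 audit trail from Step 15 is the only record of who saw it.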

At Velan, our server support engineers can help you set up Local Administrator Password Solution (LAPS) for your environment. We troubleshoot problems like these for our clients every day. If you are interested in our service, please fill in the Quick Connect form to get in touch with us.