How to Install and Configure LAPS? Security

Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL.

How to implement LAPS

Step 1: Add Active Directory Domain Services (ADDS) Role

Step 2: Add one client computer to the domain

Step 3: Download the LAPS installation link from the link https://www.microsoft.com/en-us/download/details.aspx?id=46899

 

 

 

 

 

LAPS Installation

Step 4: Install the LAPS.x64.msi file

LAPS Setup

Step 5: Select the following services to install

  • AdmPwd GPO Extension
  • Management Tools
    • Fat Client UI
    • PowerShell Module
    • GPO Editor templates

LAPS Custom Setup

 

LAPS Custom Setup 2

LAPS Setup Completed

Steps 6: Creation of shared folder to store the client .msi files. This folder should be accessible from client machines.

client .msi files

Step 7: Creation of group policy

Creation of group policy

Step 8: Right click on LAPS_INSTAL -> and software installation under computer config-> polices -> software settings-> software installation

LAPS_INSTAL

Step 9: Right Click -> New -> Package

Package

Step 10: Choose the shared folder that you created. The file LSPD.x64.msi should be available in the shared folder.

file LSPD.x64.msi

LAPS

LAPS Files

Step 11: Right Click on the local administrator package and click on properties

local administrator package

Step 12: Select the Deployment tab and select the option “Uninstall this application when it falls out of scope of management.”

scope of management

Step 13: Select the Security tab and add Domain Computers Group to access the package for client machine.

Security tab

client machine

Step 14: Open command prompt in administrator mode and run gpupdate/force command. Once the gpupdate is executed, we would see the LAPS software on the client machine.

force command

Step 15: The next step is to update the AD schema on the server. The following script needs to be executed.

          Import-module AdmPwd.ps

          Update-AdmPwsADSchema

Update-AdmPwsADSchema

          Set-AdmPwdComputerselfpermission –OrgUnit LAPS
          This command provides permission to the client machine which is in LAPS OU

OrgUnit LAPS

Set-AdmPwdReadPasswordPermission –OrgUnit LAPS –AllowedPrincipals LAPuser1

This command is to provide read permission for LAP user which is in LAPS OU

Set-AdmPwdWritePasswordPermission –OrgUnit LAPS –AllowedPrincipals LAPuser1

This command is to provide write permission to reset the password for the local admin account of domain joined computers

AllowedPrincipals LAPuser1

Find-AdmPwdExtendedRights –identity “LAPS”

This command allows you to find users having extended rights

identity “LAPS”

Step 16: Group Policy – Create a new GPO as shown in the below figure.

Create a new GPO

Step 17: Edit the Group Policy

Edit the Group Policy

Step 18: Open the Group Policy Management Editor -> Policies -> Administrative Templates -> LAPS

Policy Management Editor

Step 19: Enable local admin password management -> Click the enabled option and Save

Enable local admin password management

Step 20: Enable the password setting and set the password length and password age.

set the password

Step 21: Update the GPO policy by running the below command on PowerShell

Gpupdate / force

Update the GPO policy

Step 22: Change the local admin password by running the PowerShell

Get-AdmPwspassword –computername Client1

The below figure shows the specific computer’s local admin password.

local admin password

We can also use LAPS UI which is available in this path C:\Program Files\LAPS

LAPS UI

Step 23: Double click the application and the below screen will allow you to see the password

see the password

Step 24: Click on Search button and the application will show local admin password. The below screen also shows the password expiry date and the time.

local admin password

At Velan, our server support engineers can help you setup Local Administrator Password Solution (LAPS) for your environment. We troubleshoot problems like these for our clients every day. If you are interested in our service, please fill the Quick connect form to get in touch with us

 

Credentials

Quick Connect With Us