How to Deploy Microsoft LAPS
Tutorial on how to deploy Microsoft LAPS (Local Administrator Password Solution), which provides the following:
- Sets a unique, randomly generated local Administrator password on each machine
- Automatically changes the local Administrator password every X days
- Lets you look up a machine's local Administrator password from a central location (Active Directory)
Install LAPS Management Tools
- Download Local Administrator Password Solution (LAPS)
- Install only the Management Tools on the AD Domain Controller: uncheck the AdmPwd GPO Extension, so the client-side extension that rotates the password is not installed on the DC. That extension belongs only on the member servers and workstations whose local Administrator password you want managed.
Extend AD Schema
Extend the AD Schema by adding two attributes to the computer class:
- ms-Mcs-AdmPwd – Stores the password in clear text. It is not encrypted at rest; it is protected only by the AD ACL, and because the attribute is marked confidential, reading it requires the "All extended rights" permission on the computer object rather than plain read access. The delegation step below is therefore the security boundary.
- ms-Mcs-AdmPwdExpirationTime – Stores the password expiration time (a Windows FILETIME value).
Run the following as a member of Schema Admins (the cmdlet connects to the schema master):
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Operation           DistinguishedName                                                    Status
---------           -----------------                                                    ------
AddSchemaAttribute  cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=A...    Success
AddSchemaAttribute  cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=AventisLab,DC=l...    Success
ModifySchemaClass   cn=computer,CN=Schema,CN=Configuration,DC=AventisLab,DC=local        Success
Delegate Right to Computer objects
Delegate the right that allows each computer object to write its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, scoped to the OU that holds the managed computers:
$OU = "OU=UAT,DC=AventisLab,DC=local"
Set-AdmPwdComputerSelfPermission -OrgUnit $OU
Verify who holds the extended rights (and therefore can read ms-Mcs-AdmPwd) on the Organizational Unit (OU). By default this should be only SYSTEM and Domain Admins; any other principal listed here can read every managed password in the OU and should be reviewed.
Find-AdmPwdExtendedRights -identity:$OU | Format-Table ExtendedRightHolders
ExtendedRightHolders
--------------------
{NT AUTHORITY\SYSTEM, AVENTISLAB\Domain Admins}
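The delegation and verification steps above, combined into one script as an added example (this is not code from the original tutorial). It grants the computer-self write permission on every OU that holds managed machines, delegates password read and reset rights to a helpdesk group, then audits the extended-right holders on each OU and on each computer object and flags any principal outside the expected list. The second OU, the group LAPS-Helpdesk and the domain name are assumptions; the cmdlets are the ones shipped in the AdmPwd.PS module.

```powershell
# Added example, not part of the original tutorial.
# Assumptions: domain AventisLab.local, the OUs below, and a group "LAPS-Helpdesk"
# that is allowed to read and reset passwords (all three are illustrative).
Import-Module AdmPwd.PS

$OUs = @(
    "OU=UAT,DC=AventisLab,DC=local",
    "OU=PROD,DC=AventisLab,DC=local"
)
$HelpdeskGroup = "AVENTISLAB\LAPS-Helpdesk"

# Principals that are expected to be able to read ms-Mcs-AdmPwd. Anything else is a
# finding: "All extended rights" on computer objects is often held by legacy delegation
# groups and silently exposes every managed password in the OU.
$ExpectedHolders = @("NT AUTHORITY\SYSTEM", "AVENTISLAB\Domain Admins", $HelpdeskGroup)

foreach ($OU in $OUs) {
    # Let each computer in the OU write its own password and expiration time.
    Set-AdmPwdComputerSelfPermission -OrgUnit $OU | Out-Null

    # Delegate read to the helpdesk group, plus reset (which only writes the expiration
    # time; the machine itself generates the new password at the next policy refresh).
    Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $HelpdeskGroup | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $HelpdeskGroup | Out-Null
}

# Audit: walk each OU and, with -IncludeComputers, every computer object beneath it, so
# that an ACL changed directly on one computer out of band is caught as well.
$Findings = foreach ($OU in $OUs) {
    Find-AdmPwdExtendedRights -Identity $OU -IncludeComputers | ForEach-Object {
        $unexpected = @($_.ExtendedRightHolders | Where-Object { $ExpectedHolders -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                ObjectDN          = $_.ObjectDN
                UnexpectedHolders = ($unexpected -join ", ")
            }
        }
    }
}

if ($Findings) {
    Write-Warning "Principals that can read LAPS passwords but are not in the expected list:"
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "Only the expected principals can read ms-Mcs-AdmPwd in: $($OUs -join '; ')"
}
```

Run this from a workstation or DC with the AdmPwd.PS management tools installed, as a Domain Admin. The holder names are compared as the DOMAIN\Name strings that Find-AdmPwdExtendedRights returns, so keep $ExpectedHolders in that form.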
Deploying LAPS with GPO
Deploy LAPS.x64.msi to the managed computers with Group Policy (GPO), for example through Computer Configuration > Policies > Software Settings > Software installation, so that the client-side extension (AdmPwd GPO Extension) is installed on every machine in the OU.
Group Policy
Configure the LAPS policies in the Group Policy editor under Computer Configuration > Policies > Administrative Templates > LAPS (the ADMX template is installed with the management tools).
Alternatively, configure the same policies with PowerShell. The registry key must be given with its hive (HKLM\...), and the DWord values are written as plain decimal integers:
$GPO = "GPO-UAT-COMPUTER"
$Key = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"
# Do not allow a password expiration time longer than required by policy
Set-GPRegistryValue -Name $GPO -Key $Key `
-ValueName "PwdExpirationProtectionEnabled" -Type DWord -Value 1
# Enable local Administrator password management
Set-GPRegistryValue -Name $GPO -Key $Key `
-ValueName "AdmPwdEnabled" -Type DWord -Value 1
# Password complexity: 4 = large letters + small letters + numbers + special characters
Set-GPRegistryValue -Name $GPO -Key $Key `
-ValueName "PasswordComplexity" -Type DWord -Value 4
# Password length = 15 characters
Set-GPRegistryValue -Name $GPO -Key $Key `
-ValueName "PasswordLength" -Type DWord -Value 15
# Password age = 30 days
Set-GPRegistryValue -Name $GPO -Key $Key `
-ValueName "PasswordAgeDays" -Type DWord -Value 30
Verification
Reboot the computers in the UAT OU (or run gpupdate /force on them) so that the LAPS client-side extension processes the new policy; the password is set during Group Policy processing, not by the reboot itself.
Verify that the local Administrator password of a computer has been set by LAPS and that an expiration time has been written:
PS C:\> Get-AdmPwdPassword -ComputerName UAT-WIN16
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
UAT-WIN16 CN=UAT-WIN16,OU=UAT,DC=AventisLab,DC=local H./4z+,e4[7$Pa) 4/6/2020 4:50:40 PM
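The verification step above checks a single machine. As an added example (not from the original tutorial), the script below extends it to a coverage report over the whole OU, distinguishing computers that the client-side extension has never processed from ones whose rotation is overdue, and adds a function that forces an immediate rotation of one machine and waits for the client to pick it up. It assumes the ActiveDirectory and AdmPwd.PS modules, PowerShell remoting to the target, and the OU and computer name used in the tutorial.

```powershell
# Added example, not part of the original tutorial. Assumes the ActiveDirectory and
# AdmPwd.PS modules, WinRM access to the target, and the OU/computer from the tutorial.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = "OU=UAT,DC=AventisLab,DC=local"

# ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME (100 ns ticks since 1601, UTC).
function Convert-AdmPwdExpiration([object]$FileTime) {
    if (-not $FileTime) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$FileTime).ToLocalTime()
}

# Coverage report: no expiration time means the LAPS extension has never run on that
# computer (MSI not installed, GPO not applied, or the self-write ACL is missing);
# an expiration in the past means the rotation is overdue.
function Get-LapsCoverage([string]$SearchBase) {
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $exp = Convert-AdmPwdExpiration $_.'ms-Mcs-AdmPwdExpirationTime'
            if (-not $exp)                  { $status = 'NeverManaged' }
            elseif ($exp -lt (Get-Date))    { $status = 'Overdue' }
            else                            { $status = 'OK' }
            [pscustomobject]@{
                Name       = $_.Name
                Expiration = $exp
                Status     = $status
            }
        }
}

# Force an immediate rotation for one machine. Reset-AdmPwdPassword only rewrites the
# expiration time in AD; the client generates and sets the new password at its next
# Group Policy refresh, which is why gpupdate is triggered and the result is polled.
function Invoke-LapsRotation([string]$ComputerName, [int]$TimeoutSeconds = 300) {
    $before = (Get-AdmPwdPassword -ComputerName $ComputerName).Password
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date) | Out-Null
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate.exe /target:computer /force
    } | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    } while ($entry.Password -eq $before -and (Get-Date) -lt $deadline)

    if ($entry.Password -eq $before) {
        throw "$ComputerName did not rotate its password within $TimeoutSeconds seconds"
    }
    # Return only the new expiration time so the cleartext password never lands in a transcript or log.
    return $entry.ExpirationTimestamp
}

Get-LapsCoverage -SearchBase $OU | Format-Table -AutoSize
Invoke-LapsRotation -ComputerName 'UAT-WIN16'
```

Anything reported as NeverManaged after the GPO has had time to apply usually comes down to one of the three causes noted in the comment; check them in that order. The rotation helper deliberately returns the expiration timestamp rather than the password, since Get-AdmPwdPassword output written to the console is captured by PowerShell transcription.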