Deploying Local Administrator Password Solution (LAPS) in Active Directory

Local Administrator Password Solution (LAPS) is a free tool from Microsoft that allows you to manage local administrator passwords on domain-joined computers. The LAPS agent is installed on domain computers and automatically (according to a specified schedule) changes the password of the local administrator to a randomly generated one. The passwords are stored in protected attributes of the computer objects in Active Directory.

In this article, we will show how to install and configure LAPS in an Active Directory domain running at the Windows Server 2016 functional level.

Installing LAPS Management Components

First, you need to install the LAPS components on the Active Directory administrator computer. Download the LAPS package for your version of Windows. In our example, we will install LAPS.x64.msi.

Run the LAPS.x64.msi file. The MSI installer will prompt you to install the following components:

  • AdmPwd GPO Extension — the LAPS agent, which needs to be installed on all computers;
  • Fat Client UI — GUI tool for viewing the local administrator password;
  • PowerShell Module — allows you to manage LAPS using PowerShell;
  • GPO Editor templates — admx/adml GPO templates for configuring LAPS.

Extending the Active Directory Schema for LAPS

LAPS uses two new AD attributes to store its data. The ms-Mcs-AdmPwd attribute stores the password, and the ms-Mcs-AdmPwdExpirationTime attribute contains the password expiration time. For these attributes to appear on computers in Active Directory, the schema must be updated.

Open a PowerShell console under an administrator account that is a member of the Schema Admins group. Import the LAPS PowerShell module:

Import-Module AdmPwd.PS

Extend your Active Directory schema with the Update-AdmPwdADSchema cmdlet from this module.

In this example, we will apply LAPS policies to a single OU with computers in AD. Check which AD groups are allowed to access LAPS attributes:

Find-AdmPwdExtendedRights -Identity "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc" | Format-Table

This command will return a list of accounts and groups that are allowed to view the passwords of computers in AD.

In our example, only NT AUTHORITY\SYSTEM and THEITBROS\Domain Admins are listed in ExtendedRightHolders.

If you need to delegate the permissions to view computer passwords to other users, use the command:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc" -AllowedPrincipals it_adm_viewer

Then you need to allow computers to change the values of their own attributes in AD:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc"
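The permission check shown above for one OU can be repeated across the whole domain to catch principals that were never meant to read LAPS passwords. The script below is an added example, not part of the original article; it goes beyond the single-OU case, and it assumes the ActiveDirectory module is available and that the allowlist holds the two default holders plus the it_adm_viewer group delegated above.

```powershell
# Added example: list principals outside an allowlist that hold extended
# rights (and can therefore read ms-Mcs-AdmPwd) on any OU in the domain.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Assumption: the only principals that should be able to read LAPS passwords.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'THEITBROS\Domain Admins',
    'THEITBROS\it_adm_viewer'
)

$findings = foreach ($ou in (Get-ADOrganizationalUnit -Filter *)) {
    foreach ($entry in (Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName)) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares case-insensitively
            if ($expected -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN  = $entry.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

if ($findings) {
    # The same OU can be reported through several parents; show each pair once.
    $findings | Sort-Object ObjectDN, Principal -Unique | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected principals hold extended rights on any OU.'
}
```

Any principal reported here should either be added to the allowlist deliberately or have its permission on the listed object removed.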

Installing LAPS Agent on Domain Computers with GPO

You must install the LAPS extension on domain computers. The easiest way to install this package is through a GPO.

  1. Open the gpmc.msc snap-in;
  2. Create a new GPO and assign it to the OU with computers;
  3. Copy the LAPS.x64.msi installation file to the domain's NETLOGON share;
  4. Go to the following GPO section: Computer Configuration > Policies > Software Settings > Software Installation;
  5. Create a package installation rule and specify the path to the MSI file in the NETLOGON share;
  6. After rebooting, the LAPS extension will be installed on all computers in this OU.

You can check that LAPS is installed on a Windows 10 device through Add/Remove Programs.

Configuring Group Policy for LAPS

You can configure the LAPS settings in the same policy. Its parameters are located in a separate section of the GPO: Computer Configuration > Policies > Administrative Templates > LAPS. Configure the policies as follows:

  • Enable local admin password management: Enabled;
  • Do not allow password expiration time longer than required by policy: Enabled;
  • Name of administrator account to manage: Use this policy if you use an administrator account other than the built-in Administrator;
  • Password Settings: Enabled, configure the complexity, length and frequency of changing the password here.

At the next GPO update, LAPS will generate a new password for the local administrator, apply it on the computer, and save it to the AD attributes.

To view the local administrator password on a computer, use the LAPS UI tool. Just provide a computer name and click Search. The tool will connect to AD and get the current computer password.
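To confirm that the policy has actually taken effect across the OU, you can read only the ms-Mcs-AdmPwdExpirationTime attribute and report computers that have no LAPS password yet, an expired one, or an expiry later than the policy allows. This is an added example, not part of the original article; the 30-day maximum age is an assumption to be replaced with the value set under Password Settings.

```powershell
# Added example: LAPS coverage report for one OU, without reading any password.
Import-Module ActiveDirectory

# Assumptions: the OU used in this article and a 30-day maximum password age.
$ou         = 'OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc'
$maxAgeDays = 30
$nowUtc     = (Get-Date).ToUniversalTime()

$report = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        # The attribute holds a Windows FILETIME value; it stays empty until
        # the agent has set a password and written it to AD.
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        $state   = 'NoLapsPassword'
        if ($raw) {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $nowUtc) {
                $state = 'Expired'
            } elseif ($expires -gt $nowUtc.AddDays($maxAgeDays)) {
                $state = 'ExpiryBeyondPolicy'
            } else {
                $state = 'OK'
            }
        }
        [pscustomobject]@{
            Computer   = $_.Name
            ExpiresUtc = $expires
            State      = $state
        }
    }

# Show only the computers that need attention.
$report | Where-Object { $_.State -ne 'OK' } |
    Sort-Object State, Computer |
    Format-Table -AutoSize
```

Computers in the NoLapsPassword state have usually not installed the GPO extension or have not applied the policy yet.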

One comment

  1. Hello.
    We have deployed LAPS in our domain for a long time.
    It works on most computers without any problems.
    But I accidentally discovered that a couple of computers have a “freely” accessible local administrator password.
    How is this possible? What can I do about it? Can I use some command to find out all domain computers with freely discoverable local admin password?
    Thank you for your help.
