Local Administrator Password Solution (LAPS) is a free Microsoft tool for managing the local administrator password on domain-joined computers. A LAPS agent (a Group Policy client-side extension) installed on each computer periodically changes the local administrator password to a randomly generated one, at the frequency set by policy. The password and its expiration time are stored in two attributes of the Computer object in Active Directory. The password is stored there in clear text; it is protected only by the attribute being marked confidential and by the ACL on the computer objects, so controlling who can read that attribute is the core of a LAPS deployment.
In this article, we will show how to install and configure LAPS in an Active Directory domain running at the Windows Server 2016 functional level.
Installing LAPS Management Components
First, install the LAPS management components on the Active Directory administrator's computer. Download the LAPS build for your Windows architecture; in our example, we will install LAPS.x64.msi.
Run the LAPS.x64.msi file. The MSI installer lets you choose the following components:
- AdmPwd GPO Extension — the LAPS agent (a Group Policy client-side extension) that needs to be installed on every managed computer; on the admin workstation it is only needed if that workstation should be managed too;
- Fat Client UI — GUI tool for viewing the local administrator password and forcing a password reset;
- PowerShell Module — the AdmPwd.PS module for managing LAPS from PowerShell;
- GPO Editor templates — the admx/adml templates (AdmPwd.admx and AdmPwd.adml) for configuring LAPS through Group Policy.
Extending the Active Directory Schema for the LAPS
LAPS stores its data in two new AD attributes: ms-Mcs-AdmPwd holds the password and ms-Mcs-AdmPwdExpirationTime holds the password expiration time (as a Windows FILETIME value). Before computer objects can carry these attributes, the schema must be extended. ms-Mcs-AdmPwd is created as a confidential attribute, so the ordinary "Read all properties" permission is not enough to read it; a principal needs the matching extended right (control access) on the computer object, which is what the delegation cmdlets below grant and check.
Open a PowerShell console as an administrator whose account is a member of the Schema Admins group. Membership must be in effect at logon, so add the account, log off and on again, and remove it from the group after the schema update. Then import the LAPS PowerShell module, AdmPwd.PS.
Extend the Active Directory schema with the Update-AdmPwdADSchema cmdlet. The change is written to the schema master and then replicated to the other domain controllers.
In this example, we will apply LAPS policies to a single OU containing computers. Before delegating anything, check which principals can already read the LAPS attributes of the computers in that OU:
Find-AdmPwdExtendedRights -Identity "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc" | Format-Table
This command lists, per OU, the accounts and groups holding extended rights on the computer objects there; these principals are able to read the local administrator passwords.
In our example, only NT AUTHORITY\SYSTEM and THEITBROS\Domain Admins appear in the ExtendedRightHolders column. If other principals appear (for example, a group that was once delegated Full Control over the OU), decide whether they should be able to read passwords and, if not, remove the "All extended rights" permission from them on the OU before enabling LAPS.
To delegate the right to view computer passwords to other users or groups, use the command:
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc" -AllowedPrincipals it_adm_viewer
Then allow each computer to write its own password and expiration time attributes in AD (the agent runs as SYSTEM and updates AD as the computer account):
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc"
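The whole AD-side procedure above (schema extension, permission review, delegation and computer self-permission), plus the verification steps and read auditing a practitioner would add, as an added PowerShell example that is not from the article. It assumes the LAPS management tools and the RSAT ActiveDirectory module are installed on the workstation, the session runs as a Schema Admins member (for the schema update) who is also a Domain Admin (for the ACL changes), and it reuses the article's OU path and the it_adm_viewer group; granting reset rights to that same group and auditing reads by Everyone are choices made here, not the article's.

```powershell
# Added example: AD-side LAPS setup and verification (not the article's own code).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = "OU=Computers,OU=Rome,OU=IT,DC=theitbros,DC=loc"   # OU from the article

# 1. Extend the schema. This writes to the schema master, so it must be reachable.
#    The cmdlet prints one row per attribute/class change with a Status column.
Update-AdmPwdADSchema

# 2. Confirm both attributes exist and that ms-Mcs-AdmPwd is marked confidential
#    (searchFlags bit 0x80). Without that flag, "Read all properties" would be
#    enough to read every password in the domain.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(name=ms-Mcs-AdmPwd*)" -Properties searchFlags
foreach ($a in $attrs) {
    $confidential = ($a.searchFlags -band 0x80) -ne 0
    "{0,-32} confidential={1}" -f $a.Name, $confidential
}

# 3. Who can already read passwords in this OU? Anything beyond SYSTEM and
#    Domain Admins should be reviewed (and the extended right removed) before rollout.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize

# 4. Delegate read (and, here, also reset) rights to the intended group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "it_adm_viewer"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "it_adm_viewer"

# 5. Let computer accounts write their own password and expiration attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 6. Audit every read of the password attribute. With the "Audit Directory Service
#    Access" subcategory enabled on the DCs, each read produces a 4662 event there.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals "Everyone"

# 7. Re-check so the final list of extended-rights holders is exactly what you expect.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize
```

Step 2 matters more than it looks: if a third-party schema tool or a manual edit ever clears the confidential flag, every principal with read access to computer objects can read ms-Mcs-AdmPwd, and Find-AdmPwdExtendedRights would not show them because it only reports extended-rights holders.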
Installing LAPS Agent on Domain Computers with GPO
You must install the LAPS extension on every domain computer that should be managed. The easiest way to deploy the MSI is through a GPO:
- Open the gpmc.msc snap-in;
- Create a new GPO and link it to the OU with the computers;
- Copy the LAPS.x64.msi installation file to the NETLOGON share on a domain controller (\\theitbros.loc\NETLOGON); it is replicated to all domain controllers together with SYSVOL and is readable by domain computers by default;
- Go to the GPO section Computer Configuration > Policies > Software Settings > Software Installation;
- Create a new package (deployment method Assigned) and specify the UNC path of the MSI file in the NETLOGON share, not a local path, because the package is installed by the computer itself at startup;
- Software installation policies are processed at startup, so after a reboot the LAPS extension is installed on all computers in this OU.
You can check that LAPS is installed on a Windows 10 device in Add/Remove programs (it appears as Local Administrator Password Solution) or by confirming that C:\Program Files\LAPS\CSE\AdmPwd.dll exists.
Configuring Group Policy for LAPS
You can configure the LAPS settings in the same policy. They are located in a separate GPO section: Computer Configuration > Policies > Administrative Templates > LAPS (this section only appears once the GPO Editor templates are installed on the machine running the editor, or AdmPwd.admx/adml have been copied to the central store). Configure the policies as follows:
- Enable local admin password management: Enabled;
- Do not allow password expiration time longer than required by policy: Enabled. With this setting, if the expiration time stored in AD is later than now plus the password age from the policy, the agent resets the password immediately; this stops anyone with write access to the attribute from freezing a known password by pushing its expiration date far into the future;
- Name of administrator account to manage: configure this only if you manage a custom local administrator account. Leave it Not Configured for the built-in Administrator, even if that account has been renamed, because LAPS finds the built-in account by its well-known SID (RID 500), not by name;
- Password Settings: Enabled; set the complexity, length and password age (rotation frequency) here. The defaults are large letters, small letters, digits and special characters, 14 characters, and 30 days.
At the next Group Policy refresh the LAPS extension finds no (or an expired) expiration time in AD, generates a new password for the local administrator, sets it on the computer, and writes the password and the new expiration time to the computer's AD attributes.
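The same policy settings can be written from PowerShell with the GroupPolicy module, which sets the registry values that the LAPS ADMX templates map to, and then checked on a client. This is an added example, not the article's own steps; it assumes the GPO is named LAPS and is already linked to the computer OU, that a client is named PC-ROME-01, and that PowerShell remoting is enabled on clients. Those names are assumptions.

```powershell
# Added example: configure LAPS policy values with Set-GPRegistryValue and verify
# on a client (not the article's own code).
Import-Module GroupPolicy

$gpo = "LAPS"                                               # assumed GPO name
$key = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"   # registry path behind the LAPS ADMX

# "Enable local admin password management"
Set-GPRegistryValue -Name $gpo -Key $key -ValueName AdmPwdEnabled -Type DWord -Value 1
# "Do not allow password expiration time longer than required by policy"
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PwdExpirationProtectionEnabled -Type DWord -Value 1
# "Password Settings": complexity 4 = large + small letters + digits + specials,
# 16 characters, rotate every 30 days
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordComplexity -Type DWord -Value 4
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordLength     -Type DWord -Value 16
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordAgeDays    -Type DWord -Value 30
# AdminAccountName is deliberately NOT set: the built-in account is located by its
# RID-500 SID even if renamed. Set it only for a custom local admin account.

# Verify on a client: is the CSE present, and did the policy values arrive?
Invoke-Command -ComputerName "PC-ROME-01" -ScriptBlock {   # assumed client name
    gpupdate /target:computer /force | Out-Null
    $policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CseInstalled                   = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"
        AdmPwdEnabled                  = $policy.AdmPwdEnabled
        PwdExpirationProtectionEnabled = $policy.PwdExpirationProtectionEnabled
        PasswordComplexity             = $policy.PasswordComplexity
        PasswordLength                 = $policy.PasswordLength
        PasswordAgeDays                = $policy.PasswordAgeDays
    }
}
```

If CseInstalled is False the software installation policy has not run yet (it only applies at startup), and if the policy values are empty the GPO is not linked to the OU the computer is in; either condition means no password has been set in AD yet.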
To view the local administrator password of a computer, open the LAPS UI tool, enter the computer name and click Search. The tool reads the current password and its expiration time from AD and displays them. The same tool lets you set a new expiration time (the Set button) to make the agent rotate the password at its next policy refresh; do this after you have used a password, since it is then known to a person and should not keep its remaining lifetime.
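The same retrieval and a forced rotation from PowerShell, as an added example that is not from the article. It runs as a user holding the delegated read and reset rights (for instance a member of it_adm_viewer), needs the AdmPwd.PS and ActiveDirectory modules, and uses PC-ROME-01 as an assumed computer name.

```powershell
# Added example: read a LAPS password, decode the raw expiration attribute, and force
# a rotation after use (not the article's own code).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computer = "PC-ROME-01"   # assumed computer name

# Retrieve the current password and its expiration. The cmdlet needs the extended right
# on ms-Mcs-AdmPwd; a user with only plain read permission gets an empty Password field.
$entry = Get-AdmPwdPassword -ComputerName $computer
$entry | Select-Object ComputerName, Password, ExpirationTimestamp

# The raw attribute is a FILETIME (100-ns ticks since 1601); decode it to confirm it
# matches what the cmdlet reports. An absent value means the agent has not run yet.
$raw = (Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwdExpirationTime').'ms-Mcs-AdmPwdExpirationTime'
if ($raw) {
    [DateTime]::FromFileTime([int64]$raw)
} else {
    "No expiration time in AD yet: LAPS has not managed $computer"
}

# After using the password, expire it so the agent rotates it on the next GP refresh.
# The password is now known to a human and should not keep its remaining lifetime.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)

# Optionally trigger the refresh right away instead of waiting for the next GP cycle.
Invoke-Command -ComputerName $computer -ScriptBlock { gpupdate /target:computer /force }
```

Reset-AdmPwdPassword only rewrites ms-Mcs-AdmPwdExpirationTime; the actual password change happens on the client when its LAPS extension next processes policy, which is why the gpupdate call is included.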