Introduction

Local Administrator Password Solution (LAPS) is a technology from Microsoft that allows you secure the passwords for local administrators and store them in Active Directory, in a similar way to BitLocker recovery keys.

This technology allows you to randomize a password for each computer you enable it on and to enforce complexity policies to make sure they stay secure. With all the new security features coming around lately you should definitely configure LAPS for Windows 10 to use it like a great supplement.

Local administrator accounts has always been an issue to manage in large environments and especially when there are multiple sites to consider. A reason for this is that there are usually not any documentation available that explains how the local administrator account should be used in the environment.

An example of this would be when a user in a remote office needs to install or change something on their computer and there is no administrator there to help them. This often ends with IT giving out the local administrator password so they can solve their issue.

With LAPS you can give out passwords when required without having to worry about it spreading to those that should not have it. The passwords will by default be randomized every thirty days and can be changed on demand by your service desk.

Use this guide to step up your security using LAPS and get those passwords under control!

Background

Below, I summarize all the steps we need to take to configure and deploy LAPS to our clients.

Download the LAPS installer Microsoft. I will only download LAPS.x64.msi since this is all I need. You can also download documentation if you wish to read more about it

Install LAPS on your management machine. I’m my lab I installed it on a DC but I recommend that you use a management server in your environment

Update the AD schema with the two attributes required for LAPS

Remove permissions from users or groups that should’nt be able to view the password

Allow computers to store their password and expiration time in Active Directory

Delegate permissions to read and reset computer passwords in the configured OU

Copy the AdmPwd.admx and AdmPwd.adml to your PolicyDefinitons folder and the corresponding language folder

Create a new GPO and configure the settings

Deploy the GPO to the OUs you want to use LAPS in

Install the LAPS client on computers that will be managed

Instructions

Step 1 – Download LAPS from Microsoft

Go to the download page for LAPS and select the files you want to download. In my case the x64 installer is enough but you can get the documentation aswell for future use.

LAPS Download Options

Step 2 – Install LAPS on your management machine

After downloading the installer you should decide on a management machine where your servicedesk users can run the LAPS UI. This tool is used to view the password for a computer but also to change it on demand.

Run the installer on the server using the following steps.

I installed it on the default path but changed the selected features to only include the Management Tools.

Click Next

Accept the license agreement and click Next

Select the features above and click Next

Click Install

Step 3 – Update the AD Schema with new attributes

There are two attributes that are required in your Active Directory for LAPS to work. They will contain the password and the password expiration date for the computer. They are called ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

If your AD is already updated with these attributes then you can find them on a computer object using the Attribute Editor and it will look like this.

If you need to update the schema then follow these steps.

Open Powershell as an administrator.

Depending on your machine you might need to import the module for LAPS.

Update the schema using the cmdlet Update-AdmPwdADSchema and view the output. Here you will see the Distinguished Name for the object and the status. If the attributes already existed it will say so in the Status column.

Step 4 – Remove rights in the AD

This step is required to remove the extended rights that allow users to view the passwords in AD. After doing this we will grant the specific permissions required to view and change password to those specific users that should be able to do so.

The permission we are looking to remove is called “All Extended Rights“. This permission allows users to read the attribute ms-Mcs-AdmPwd and not all users should have those rights.

You can find the permissions by going to Active Directory, right-clicking on the OU where your computers are located and selecting Properties.

Go to Security > Advanced, select the Users or Group you want to modify and click Edit.

Uncheck “All Extended Rights“.

Go ahead and do this for all Users and Groups that needs to be modified. In some cases the permissions are inherited and needs to be modified at a higher level of your directory.

Step 5 – Allow computers to write their password to Active Directory

The computers that run LAPS will write their password and expiration time to the respective object in AD. To allow this we must use the SELF principal in AD to allow them to write to their own computer object and using that pricnipal will allow only that and no any other object.

Open Powershell as an administrator.

Depending on your machine you might need to import the module for LAPS.

Run the following command to delegate permissions.

Set-AdmPwdComputerSelfPermission -Identity <distinguishedName>

In this scenario my computers are located in PROD.localPRODComputers and I need to use the distinguishedName of that OU, OU=Computers,OU=PROD,DC=prod,DC=local.



Step 6 – Delegate permissions to read and reset passwords in a selected OU

The next step is to delegate permissions to your helpdesk users that should read and reset the password.

This will make sure that only the allowed users are permitted to perform these tasks.

Using the same powershell windows as before you can use the following command to delegate read permissions.

<distinguishedNameOU> is the OU where your computers are located in Active Directory and <LAPS Password Read Users> is a group that I’ve created in which I have my helpdesk users that are allowed to read the computer password.

<LAPS Password Reset Users > is another group I’ve created in which I have my users that are allowed to reset the computer password.

Set-AdmPwdReadPasswordPermission -Identity <distinguishedNameOU> -AllowedPrincipals <LAPS Password Read Users>

Use the following command to delegate reset permissions.

Set-AdmPwdResetPasswordPermission -Identity <distinguishedNameOU> -AllowedPrincipals <LAPS Password Reset Users>

You can use this cmdlet to verify who has access to the attributes in the specified OU.

Find-AdmPwdExtendedRights -Identity <distinguishedNameOU>

This will show you a list of all users and groups that can access the attributes used for LAPS. Domain Admins usually have access by default and it is up to you if that should be kept or not.

Step 7 – Copy the AdmPwd.admx and AdmPwd.adml to your PolicyDefinitions location

The required .admx and .adml comes with the LAPS.x64.msi installer that you downloaded in Step 1. If you chose the same features as I did you should find them on the management server in the folder %WINDIR%PolicyDefinitions and %WINDIR%PolicyDefinitionsen-us. Copy these to your domain controller or central store for GPO templates. You can read more about the Central store here.

In my case I a central store is being used, which is located in domain.localsysvolprod.localPoliciesPolicyDefinitions.

Copy AdmPwd.admx to this location and the AdmPwd.adml to the subfolder matching your language, in my case

domain.localsysvolprod.localPoliciesPolicyDefinitionsen-us.

After this you are ready to start configure your GPOs.

Step 8 – Create GPO and configure LAPS settings

Now it’s time to configure the settings that will determine how the passwords are managed and what requirements you want to have on them. I would recommend the default settings for most of the options but your environment might have different needs than mine.



The settings can be found under Computer Configuration > Policies > Administrative Templates > LAPS in the Group Policy Management Editor.

Open the Enable local admin password management setting and check the Enabled box.

Click OK.

Open the Name of administrator account to manage and check the Enabled box if you are using a custom account other than the built-in Administrator.

Leave this as Not Configured if you want to use the Built-In account.

Click OK.

Open the Do not allow password expiration time longer than required by policy and check the Enabled box.

This will make sure that passwords won’t have an expiration time longer than what you specify in the next setting. If you leave this as Not Configured or Disabled helpdesk users can reset a password and set a expiration date that is older than what is allowed.

Click OK.

Open the Password Settings and check the Enabled box.

I recommend using the default settings unless your company has specific settings that you require.

Click OK.

Step 9 – Link the GPO to the selected OU

Link the newly created GPO to the OU you specified earlier in Step 5 and make sure the security filtering is correct. I linked it to my Computers OU and used Authenticated Users for the filtering, since all my clients are in this OU. If you are using multiple OUs you link it to all of them.

Step 10 – Deploy LAPS to your computers

Now you need to install the LAPS client on the devices that you want to manage. There are multiple ways you can do this since it is a MSI and the following methods are available. I would recommend using SCCM or a similar platform depending on what is available to you.

Group Policy

SCCM

Logon Script

Manually

To install LAPS on the clients you can use the same installer that we used earlier but using command line instead. The install string would be:

msiexec /i "LAPS.x64.msi" /q

The uninstall string would be:

Msiexec /x {EA8CB806-C109-4700-96B4-F1F268E5036C} /passive

If you want to install it manually on a single client to test, then AdmPwd GPO Extension is the feature you want. This is what is installed on managed clients using commandline and the /q switch.

Using LAPS

When all of these components are ready you can go to your management server and start the LAPS UI application that we installed earlier. This is the tool your helpdesk users will user to read and reset passwords. You might have to run LAPS UI as an administrator to be able to view the password correctly.

Enter a computername and click Search to see the managed password.

If you want to reset the password you only have to click Set, and it will be changed the next time a GPO refresh runs on the client.

Conclusion

LAPS is an easy and great way to get and keep control of your local administrators and helps you simplify the management of the passwords. You no longer need to document the credentials for each computer and risk the wrong people get hold of that information.

With just a couple of days work in a larger environment you can get a great increase in security and management. I’m sure that your helpdesk staff would love a simpler way of doing this, regardless if you user LAPS or a similar solution.

I hope this article helps you out. If not, or any suggestions come to mind, just post in the comments below.