Continuing with LAPS, if you don’t know what LAPS is you should read this

https://technet.microsoft.com/en-us/mt227395.aspx?f=255&MSPPError=-2147217396

And take a look at my earlier post

https://timmyit.com/2017/03/19/quick-overview-of-local-administrator-password-solution-laps/

Steps to Install

So, I created a powershell script that will help install LAPS on your DC and configure most of the things automatically tho there’s still a few steps that needs to be done manually which i will go through below. with that said i highly recommend you go through the documentation from Microsoft so you have a good understanding on what LAPS is and how to Install it manually and all the prerequisites before you use this script because this script doesn’t cover every installation scenario that’s possible and you need to be able to understand when this script is suitable and when its not and make the desired changes needed to make it work for your specific scenario.

1. Download the LAPS installation files from Microsoft https://www.microsoft.com/en-us/download/details.aspx?id=46899

2. Copy the files to your Domain Controller you wish to install it on

3. Put the Install-DC.ps1 in the same folder as the installation files

4. Create a security group that will contain members who will be able to read/reset the LAPS Password (For example a group called PwdAdmins)

5. Navigate to the OU in AD where all the computer objects are located that you will manage

6. Remove Extended rights on all the groups that shouldn’t be able to retrieve or change the LAPS Password (For me information see Section 2.2.1 Removing Extended Rights in LAPS_OperationsGuide.docx document from Microsoft)

6. Open Powershell as an Administrator and navigate to the source folder

7. Run the following command Install-DC.ps1 -ADCompOU <Your OU> -ADUserGroup <Your user security group> (Example. Install-DC.ps1 -ADCompOU Win10PCs -ADUserGroup PwdAdmins)

The Script

param ( [Parameter(Mandatory = $true, HelpMessage = 'AD OU that contains the computers you want to manage LAPS with')] [string]$ADCompOU, [Parameter(Mandatory = $true, HelpMessage = 'AD Security group that contains users who should get access to read LAPS PW')] [string]$ADUserGroup ) $Props = ("ADDLOCAL=Management.UI", "ADDLOCAL=Management.PS", "ADDLOCAL=Management.ADMX") foreach ($Prop in $Props) { if ([System.Environment]::Is64BitProcess) { msiexec /q /i LAPS.x64.msi $Prop ALLUSERS=2 } Else { msiexec /q /i LAPS.x86.msi $Prop ALLUSERS=2 } } Import-module AdmPwd.PS Update-AdmPwdADSchema Set-AdmPwdComputerSelfPermission -Identity $ADCompOU Set-AdmPwdReadPasswordPermission -Identity $ADCompOU -AllowedPrincipals $ADusergroup Set-AdmPwdResetPasswordPermission -Identity $ADCompOU -AllowedPrincipals $ADusergroup

Until next time, cheers !

You can find me over at

[twitter-follow screen_name=’Timmyitdotcom’]