    How to Set Up Local Administrator Password Solution

    This blog post explains how to set up the Local Administrator Password Solution. It is a guide to creating, configuring, and deploying LAPS, Microsoft’s Local Administrator Password Solution.

    Microsoft LAPS manages the local administrator passwords of your domain-joined devices. LAPS (Local Administrator Password Solution) creates a unique, random password for each client device in your network and stores it in Active Directory.

    Microsoft Local Administrator Password Solution solves the problem of a shared local administrator password by setting a unique, complex password for the local administrator account on every domain-joined device. The password set by Microsoft LAPS is rotated automatically on the schedule the policy defines. The new passwords are saved in Active Directory, and authorized administrators can retrieve them from the Active Directory server when necessary.

    Install Microsoft LAPS Software on Management Computers

    The LAPS software should be installed on both management computers and client computers. The management features will be used to set up, configure, and manage LAPS.
    You can install the LAPS management software on the domain controller or another domain-joined computer, such as Windows 10/11.

    Download LAPS from Microsoft.

    Select a language and click on download.

    Download local administrator password solution

    Choose the download you want and click on download.

    Download laps.x64.msi

    Double-click the file LAPS.x64.msi to begin the installation.

    LAPSx64 installer file

    Click Next on the setup wizard welcome screen.

    Local administrator password solution setup

    Accept the license agreement and click next.

    LAPS end user license agreement

    Click on Management Tools, select “Entire feature will be installed on local hard drive,” and click Next.

    LAPS custom setup

    Click Install.

    Install Microsoft LAPS

    When the installation is complete, click Finish.

    Completed the LAPS setup wizard

    Open LAPS UI.

    LAPS UI

    Create Security Groups for Local Administrator Password Solution

    I have already created an OU named Organization and, inside it, two more OUs (Workstations, Organization).
    To create a security group, right-click the Security Groups OU.
    Select New and then Group.

    Active directory users and computers

    Type a security group name (LAPSAdmins) and click OK.

    Create security group

    To add members to the security group, right-click the security group and choose Properties.

    Active directory users and computers

    Select the Members tab and click on the Add button.

    Security group properties members tab

    Type Domain Admins and click OK.

    Verify the security group members and click OK.

    Security group properties members

    The LAPS software installation on the management computer is complete. The next step is to return to the management computer to finish the LAPS setup.
    In the example above, “Workstations” is the OU I created for the computer objects.

    Assign Permissions to the Group for Password Access

    In my demo environment, I have a security group called “LAPSAdmins”. I want users in this group to be able to view the local administrator passwords. Before we assign permissions, let’s see who has the privilege to view the passwords by default.

    Extend the Active Directory Schema

    You must log in with an account that is a member of the Schema Admins group in Active Directory.
    Run the two commands below:

    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema

    Update-AdmPwdADSchema command

    Set Permissions in the Active Directory

    With the PowerShell window still open (if you opened a new one, run Import-Module AdmPwd.PS again), we will set the permissions LAPS requires. The computer’s built-in SELF account needs write access so the computer can update its password in Active Directory, and the administrators group needs permission to read the stored LAPS password. Type the following commands.

    Set-AdmPwdComputerSelfPermission -OrgUnit Workstations
    Set-AdmPwdReadPasswordPermission -Identity Workstations -AllowedPrincipals "LAPSAdmins"

    Set up local administrator password solution
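The permission step above, with the audit the post mentions (“let’s see who has the privilege to view the passwords by default”) carried out in the same session. This is an added example, not the post’s own commands: it assumes the AdmPwd.PS module is installed on the management computer, and it reuses the post’s OU name “Workstations” and group name “LAPSAdmins”. Find-AdmPwdExtendedRights lists every principal holding “All extended rights” on the OU, which is what allows reading the stored password, so anything in that list beyond the groups you expect should be reviewed.

```powershell
# Added example (not from the original post): extend the schema, grant the
# permissions the post describes, then audit who can read LAPS passwords.
# Assumptions: AdmPwd.PS is installed on this host; the OU is "Workstations"
# and the group is "LAPSAdmins" (both names taken from the post).
Import-Module AdmPwd.PS -ErrorAction Stop

# 1. Extend the schema (run once per forest, as a member of Schema Admins).
Update-AdmPwdADSchema

# 2. Let each computer (its SELF principal) write its own password and expiry.
Set-AdmPwdComputerSelfPermission -OrgUnit 'Workstations'

# 3. Let LAPSAdmins read passwords and reset expiry times.
Set-AdmPwdReadPasswordPermission  -OrgUnit 'Workstations' -AllowedPrincipals 'LAPSAdmins'
Set-AdmPwdResetPasswordPermission -OrgUnit 'Workstations' -AllowedPrincipals 'LAPSAdmins'

# 4. Audit: who holds "All extended rights" on the OU (and so can read the
#    password attribute)? Expect LAPSAdmins plus the built-in admin groups;
#    anything else inherited onto the OU should be reviewed and removed.
Find-AdmPwdExtendedRights -Identity 'Workstations' -IncludeComputers |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List
```

Run the audit once before step 3 as well, so you have a record of the default holders; the second run then shows exactly what the change added.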

    Setting up the LAPS GPO

    Go to:

    \\Srv2022\sysvol\xpertstec.local\scripts

    Srv2022 is the Active Directory server name.
    Create a new folder.

    create new folder

    Name the folder LAPS.

    active directory script folder

    Open the LAPS folder and paste the LAPS.x64.msi file into it.

    Active directory script folder LAPS

    Copy the path.

    Active directory script folder LAPS folder

    Configure Group Policy Settings for LAPS

    The final configuration process is to create a group policy for the LAPS settings.
    Open the group policy management console.

    Search group policy management

    Create a new GPO for the OU that contains your computers.
    Right-click Group Policy Objects and choose New.

    Group policy management

    Give the GPO a name (LAPS) and click OK.

    Create a new policy

    Edit the GPO.

    Edit group policy

    Go to:

    Computer configuration\policies\software installation

    Right-click, choose New, and then Package.

    Group policy management editor

    Go to:

    \\active directory server\sysvol\xpertstec.local\scripts\LAPS

    Select the LAPS.x64.msi file and click Open.

    Active directory server scripts location

    Select the deployment method Assigned and click OK.

    Select deployment method assigned

    Now you can see that the Local Administrator Password Solution package has been assigned.

    Group policy software installation

    Configure Windows Local Administrator Password Solution

    Browse to the following policy settings:

    Computer Configuration\Policies\Administrative Templates\LAPS

    Open “Enable local admin password management”.

    Group policy management editor

    Select Enabled and click OK.

    enable local admin password management

    Open “Password Settings”.
    Select Enabled, set the password complexity settings, and click OK.

    Setup local administrator passwords solution

    Enable “do not allow password expiration time longer than required by policy”.

    Setup local administrator password solution

    If you have a custom local administrator account that you want to manage, enable “Name of administrator account to manage” and enter the account name.
    Note:
    Even if you renamed the built-in Administrator account, you do not need to configure this policy. It is only needed for custom local admin accounts.
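The GPO settings from this section and the previous one, created with the GroupPolicy PowerShell module instead of the GPMC GUI. This is an added example, not the post’s own procedure: it assumes the GroupPolicy RSAT module is available, uses the post’s domain xpertstec.local and OU name Workstations (the OU’s distinguished name is assumed from the post’s OU layout), and writes the registry values that the LAPS administrative template writes for the policies the post enables. The password length and age are example values; the post only says to choose complexity settings. The software-installation package from the earlier section has no cmdlet and is still assigned in the GUI.

```powershell
# Added example (not from the original post): create the LAPS GPO, set the
# same policies the post enables, and link it to the Workstations OU.
# Assumptions: GroupPolicy module present; domain and OU names from the post;
# OU distinguished name assumed from the post's "Organization\Workstations" layout.
Import-Module GroupPolicy -ErrorAction Stop

$domain = 'xpertstec.local'
$ouDn   = 'OU=Workstations,OU=Organization,DC=xpertstec,DC=local'   # assumed DN
$gpo    = Get-GPO -Name 'LAPS' -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'LAPS' -Domain $domain }

# Registry key the LAPS ADMX template writes its policies to.
$key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# "Enable local admin password management"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null

# "Password Settings": complexity 4 = upper, lower, digits and specials;
# length 14 and age 30 days are example values, pick your own.
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# "Do not allow password expiration time longer than required by policy"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null

# "Name of administrator account to manage" (AdminAccountName) is left unset on
# purpose: the built-in account is found by its well-known RID, so the value is
# only needed for a custom local admin account.

# Link the GPO to the OU if it is not linked already.
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpo.DisplayName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Show the resulting policy values so they can be checked against the GUI.
Get-GPRegistryValue -Name $gpo.DisplayName -Key $key |
    Format-Table ValueName, Type, Value -AutoSize
```

Because the script is idempotent, it can be kept with the rest of your domain build scripts and re-run after a change; the final table is the quick check that the GPO still carries every value you expect.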

    Right-click the Workstations OU and choose Link an Existing GPO.

    Link an existing GPO

    Select LAPS and click OK.

    Assign group policy

    That completes the configuration of Microsoft LAPS.

    How to View the Local Administrator Password with LAPS

    Open the LAPS UI program on your management computer.
    Enter a computer name and click Search.
    No password is found yet, because the client has not applied the policy.

    LAPS UI

    Log in to your client computer and update Group Policy.
    Open a command prompt and type the following command.

    Gpupdate /force

    Restart the client computer so the assigned LAPS package is installed.

    Gpupdate /force command

    After the restart, update Group Policy again.

    Gpupdate /force updating policy

    Go back to the LAPS UI on your management computer and click Search again.

    Local administrator passwords solutions

    The password is now shown, and you can set a new expiration time.

    Select expiration time LAPS

    Above, you can see the local administrator password for Windows11 and when the password expires.
    The same lookup using PowerShell:

    Get-AdmPwdPassword -ComputerName Windows11

    Or right-click the Windows11 client computer in Active Directory Users and Computers and select Properties.

    Active directory users and computers

    You can also view the password in Active Directory Users and Computers by opening the computer object and selecting the Attribute Editor tab.

    LAPS Attribute editor
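The PowerShell lookup above, extended into the small routine an admin in the LAPSAdmins group would actually run: check whether a computer has a stored password and when it expires, fetch the password only when it is needed, and ask the client to rotate it after use. This is an added example, not the post’s own code: it assumes AdmPwd.PS is installed on the management computer and reuses the post’s client name “Windows11”; the helper function is a name chosen here.

```powershell
# Added example (not from the original post): status check, on-demand retrieval
# and post-use rotation of a LAPS-managed password.
# Assumptions: AdmPwd.PS installed; caller is a member of LAPSAdmins;
# "Windows11" is the client name used in the post; Get-LapsStatus is a helper
# defined here, not a LAPS cmdlet.
Import-Module AdmPwd.PS -ErrorAction Stop

function Get-LapsStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) {
        # Same condition the post hits before gpupdate/restart on the client.
        Write-Warning "$ComputerName has no stored LAPS password yet (policy not applied or LAPS not installed)."
        return $null
    }
    # The password is left out of the summary on purpose, so routine status
    # checks never write it into transcripts, logs or pipelines.
    [pscustomobject]@{
        ComputerName   = $entry.ComputerName
        ExpirationTime = $entry.ExpirationTimestamp
        Expired        = $entry.ExpirationTimestamp -lt (Get-Date)
    }
}

# Status of the client from the post.
Get-LapsStatus -ComputerName 'Windows11'

# When the password is actually needed for a logon, put it on the clipboard
# instead of echoing it to the console.
(Get-AdmPwdPassword -ComputerName 'Windows11').Password | Set-Clipboard

# After the password has been used, set the expiry to now so the client generates
# a new one at its next Group Policy refresh (or immediately after gpupdate /force).
Reset-AdmPwdPassword -ComputerName 'Windows11' -WhenEffective (Get-Date)
```

Reset-AdmPwdPassword only changes the expiration timestamp in Active Directory; the rotation itself happens on the client when the LAPS client-side extension next runs, which is why the post’s gpupdate /force step also works as a way to force it.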