Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL.
How to implement LAPS
Step 1: Add Active Directory Domain Services (ADDS) Role
Step 2: Add one client computer to the domain
Step 3: Download the LAPS installation link from the link https://www.microsoft.com/en-us/download/details.aspx?id=46899
Step 4: Install the LAPS.x64.msi file
Step 5: Select the following services to install
Steps 6: Creation of shared folder to store the client .msi files. This folder should be accessible from client machines.
Step 7: Creation of group policy
Step 8: Right click on LAPS_INSTAL -> and software installation under computer config-> polices -> software settings-> software installation
Step 9: Right Click -> New -> Package
Step 10: Choose the shared folder that you created. The file LSPD.x64.msi should be available in the shared folder.
Step 11: Right Click on the local administrator package and click on properties
Step 12: Select the Deployment tab and select the option “Uninstall this application when it falls out of scope of management.”
Step 13: Select the Security tab and add Domain Computers Group to access the package for client machine.
Step 14: Open command prompt in administrator mode and run gpupdate/force command. Once the gpupdate is executed, we would see the LAPS software on the client machine.
Step 15: The next step is to update the AD schema on the server. The following script needs to be executed.
Set-AdmPwdComputerselfpermission –OrgUnit LAPS
This command provides permission to the client machine which is in LAPS OU
Set-AdmPwdReadPasswordPermission –OrgUnit LAPS –AllowedPrincipals LAPuser1
This command is to provide read permission for LAP user which is in LAPS OU
Set-AdmPwdWritePasswordPermission –OrgUnit LAPS –AllowedPrincipals LAPuser1
This command is to provide write permission to reset the password for the local admin account of domain joined computers
Find-AdmPwdExtendedRights –identity “LAPS”
This command allows you to find users having extended rights
Step 16: Group Policy – Create a new GPO as shown in the below figure.
Step 17: Edit the Group Policy
Step 18: Open the Group Policy Management Editor -> Policies -> Administrative Templates -> LAPS
Step 19: Enable local admin password management -> Click the enabled option and Save
Step 20: Enable the password setting and set the password length and password age.
Step 21: Update the GPO policy by running the below command on PowerShell
Gpupdate / force
Step 22: Change the local admin password by running the PowerShell
Get-AdmPwspassword –computername Client1
The below figure shows the specific computer’s local admin password.
We can also use LAPS UI which is available in this path C:\Program Files\LAPS
Step 23: Double click the application and the below screen will allow you to see the password
Step 24: Click on Search button and the application will show local admin password. The below screen also shows the password expiry date and the time.
At Velan, our server support engineers can help you setup Local Administrator Password Solution (LAPS) for your environment. We troubleshoot problems like these for our clients every day. If you are interested in our service, please fill the Quick connect form to get in touch with us