Local Administrator Password Management (LAPS)

A few weeks ago Microsoft published a new tool named “LAPS”, which is available for free. It lets you manage the local administrator passwords of all your clients without any special scripting. Since it is no longer possible to change the password through Group Policy Preferences, this is a nice way to do it.

Through GPO you can schedule when the password of the local administrator is changed (how long it stays valid) and how complex it has to be. Every client gets a different password, which is written back to Active Directory. What is needed and how you configure it is described here.

Prerequisites

Download the LAPS application here.

Schema Upgrade

  • Install the LAPS application on the DC (the PowerShell module and the GPO Editor templates are needed).
  • Start PowerShell as admin, import the module “AdmPwd.PS” and upgrade the schema with a Schema Admins account:
    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema

–> Two new AD attributes will be created: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime

Set permission to write password to Active Directory

The clients (SELF) need the permission to write the password and the expiration date to Active Directory (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime). The following PowerShell command does this:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

Set permission to read the password from Active Directory

Additionally you have to define who is allowed to read the ms-Mcs-AdmPwd attribute in Active Directory.

Create an Active Directory group and grant the permission with the following PowerShell command:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
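As an added example (not part of the original post), the delegation steps above as one PowerShell script, followed by an audit of who can actually read the passwords. The OU, group and computer names are placeholders, and Set-AdmPwdResetPasswordPermission, Find-AdmPwdExtendedRights and Get-AdmPwdPassword are further cmdlets of the same AdmPwd.PS module that the post does not mention.

```powershell
# Added example, not from the original post. Assumes the AdmPwd.PS module is
# installed on this machine; the OU, group and computer names are placeholders.
Import-Module AdmPwd.PS

$ou          = "OU=Workstations,DC=corp,DC=example"   # placeholder OU
$readerGroup = "LAPS-Password-Readers"                # placeholder AD group

# 1. Computers (SELF) may write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Only the reader group may read the password and force a reset
#    (the reset right only sets the expiration time; the client rotates
#    the password on its next policy refresh).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup

# 3. Audit: ms-Mcs-AdmPwd is a confidential attribute, so every principal
#    holding "All extended rights" on the OU or on a computer object in it
#    can read the password even without step 2. List every holder that is
#    not the group you intended and review those entries.
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            [pscustomobject]@{ Object = $dn; CanReadPassword = $holder }
        }
    } |
    Where-Object { $_.CanReadPassword -notlike "*\$readerGroup" } |
    Format-Table -AutoSize

# 4. Verify end-to-end on one managed computer (placeholder name): the
#    expiration timestamp shows when the client will rotate the password next.
Get-AdmPwdPassword -ComputerName "WS-PLACEHOLDER-01" |
    Select-Object ComputerName, DistinguishedName, ExpirationTimestamp
```

Run the audit again after any change to the OU's ACL, since a later delegation that grants "All extended rights" silently widens who can read the passwords.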

Software on Clients (GPO Extension)

You have to install the LAPS tool on every client, so that the needed GPO client-side extension is available. The default installation through the MSI installs and registers only a DLL.

  • Deploy the LAPS on the clients or deploy and register the AdmPwd.dll
    msiexec /i laps.x64.msi /qn

Group Policy (GPO)

The installation of the full LAPS tool on a management client copies AdmPwd.admx to c:\Windows\PolicyDefinitions and AdmPwd.adml to c:\Windows\PolicyDefinitions\en-US. Copy the ADMX file to your Domain Controller, or rather to your central store for ADMX files (c:\windows\sysvol\sysvol\%domain%\policies\policydefinitions), and the ADML file to the subfolder en-US.

  • Configure the GPO for the clients “Computer Configuration\Policies\Administrative Templates\LAPS”. The following settings are available:

Setting                                      | State              | Options                    | Remarks
---------------------------------------------+--------------------+----------------------------+----------------------------------------------------------
Password Settings                            | Enabled            | Password Complexity        |
                                             |                    | Password Length            |
                                             |                    | Password Age (Days)        |
Name of administrator account to manage      | Not configured     | Administrator Account name | Only needed if the built-in admin account is not used *
Do not allow password expiration time longer | Enabled / Disabled |                            |
than required by policy                      |                    |                            |
Enable local admin password management       | Enabled            |                            | Main setting to enable or disable the password management

* If you renamed the local administrator account it still works, because LAPS looks for the SID.

  • Apply the GPO to your client Organization Unit (OU).

UI to read the password from AD

For the admins with the permission to read the passwords in AD, you can deploy a user interface or show them how to see the password in the Active Directory Users and Computers console (Computer Object – Attribute Editor – ms-Mcs-AdmPwd).

For installing the LAPS User Interface, choose the “Fat client UI”.


The tool also lets you set a new password: click “Set” and it will be changed immediately.

Good Luck!

Chris


6 comments

    • Chris Greuter

      Yes, I know some customers using it, where I configured it 🙂 – and it’s working really great. The tool is not new, it’s only new for free / open (before it was only available for Microsoft Consulting Services)… so I think it’s used in several companies.

    • Ajit Pariyar

      I changed the local admin account manually on the computer successfully, but it doesn’t sync with the domain controller LAPS password. Any idea why it is not syncing? Shouldn’t it also show the changed password in the LAPS UI? The password I changed logs me in successfully, not the one on the domain controller.
