Microsoft Local Administrator Password Solution (LAPS) is a powerful tool designed to enhance the security of local administrator accounts on domain-joined computers. By randomizing and regularly changing the local administrator password, LAPS helps mitigate the risks associated with having the same password across multiple machines. In this step-by-step guide, we will walk you through the process of installing and setting up Microsoft LAPS on your network.
I. Introduction
In today’s digital landscape, ensuring the security of our systems is of paramount importance. One often overlooked area is the local administrator accounts on our domain-joined computers. If the same local administrator password is used across multiple machines, it poses a significant security risk. Microsoft LAPS provides a robust solution to this problem by randomizing and regularly changing the local administrator password on each computer.
II. Installing Microsoft LAPS on Management Computers
Before we can effectively deploy LAPS across our network, we need to install the LAPS software on our management computers. These management features will enable us to configure and manage LAPS effectively. Here’s how you can do it:
- Download the LAPS software from the official Microsoft website. Choose the appropriate version (64-bit or 32-bit) for your system.
- Double-click the downloaded file, LAPS.x64.msi, to begin the installation process.
- Follow the setup wizard by clicking “Next” and accepting the license agreement.
- Make sure to install all the features. Select “Management Tools” and choose “Entire feature will be installed on the local hard drive.”
- Click “Install” to initiate the installation process.
- Once the installation is complete, click “Finish” to exit the setup wizard.
By following these steps, you have successfully installed the LAPS software on your management computer. In the next step, we will proceed with installing LAPS on the client computers.
III. Installing Microsoft LAPS on Client Computers
To ensure that LAPS functions correctly on client computers, we need to install the LAPS client-side extension (CSE) on each machine. This can be done using various deployment methods such as Group Policy, scripts, SCCM, or other software deployment programs. Here, we will outline the manual installation process:
- Locate the LAPS.x64.msi file, which you downloaded earlier for management computers.
- Run the LAPS.x64.msi file and proceed with the default installation settings. The only feature that should be selected is the “AdmPwd GPO Extension.”
- Alternatively, you can use deployment scripts or software deployment programs like SCCM or PDQ to automate the installation process. Refer to the appropriate documentation for your chosen method.
By following these steps, you have successfully installed the LAPS client-side extension on your client computers.
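Deployment scripts are mentioned above but not shown, so here is one way to script the client install, written for this article and not taken from Microsoft's LAPS package. It assumes the MSI has been staged at the constructed share path `\\fileserver\deploy\LAPS.x64.msi`, that the MSI exposes the feature names `CSE`, `Management`, `Management.UI`, `Management.PS` and `Management.ADMX` to `ADDLOCAL` (an assumption about the installer; leaving `ADDLOCAL` out installs the CSE alone), and that the extension lands at `C:\Program Files\LAPS\CSE\AdmPwd.dll`:

```powershell
# Added example: unattended LAPS install with logging and a post-install check.
# Run with -IncludeManagement on a management computer; without it, only the
# "AdmPwd GPO Extension" (CSE) is installed, matching the manual steps above.
param(
    [string]$MsiPath = '\\fileserver\deploy\LAPS.x64.msi',   # constructed path
    [string]$LogDir  = "$env:ProgramData\LAPS-Install",
    [switch]$IncludeManagement
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("laps-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Feature names are an assumption about the MSI; CSE alone is the installer default.
$features = if ($IncludeManagement) {
    'CSE,Management,Management.UI,Management.PS,Management.ADMX'
} else {
    'CSE'
}

$msiArgs = @('/i', "`"$MsiPath`"", "ADDLOCAL=$features", '/qn', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending; anything else is a failure
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# Verify the extension is really present rather than trusting the exit code alone
$dll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'   # assumed install location
if (-not (Test-Path $dll)) {
    throw "Install reported success but $dll is missing"
}

# Refresh Group Policy so the new extension processes the LAPS GPO immediately
gpupdate /target:computer /force | Out-Null
"LAPS CSE installed; file version {0}" -f (Get-Item $dll).VersionInfo.FileVersion
```

The `/l*v` log is what you want when a client reports success but never writes a password to Active Directory: it records which features were selected and whether the installer was blocked by a pending reboot.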
IV. Extending Active Directory Schema
To enable the new attributes used by LAPS, the Active Directory schema needs to be extended. This step is crucial for the proper functioning of LAPS. Here’s how you can extend the schema:
- Ensure that you are logged in with an account that is a member of the Schema Admins group in Active Directory.
- Open PowerShell and run the following commands:
    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema
- If the commands execute successfully, you should see a status indicating a successful update.
- Verify the presence of the new attributes on a computer object by opening the attribute editor in Active Directory.
By extending the Active Directory schema, you have prepared the environment for LAPS to utilize the new attributes effectively.
V. Setting Computer Object Permissions
To allow computers to update the local administrator password and expiration timestamp, it is necessary to modify the write permissions for the new attributes. This can be achieved using PowerShell. Follow these steps:
- Identify the Organizational Unit (OU) that contains your computer objects.
- Use the following PowerShell command to set the permissions for the SELF built-in account:
    Set-AdmPwdComputerSelfPermission -OrgUnit "Your_OU_Name"
Ensure to replace “Your_OU_Name” with the name of your specific OU.
By modifying the computer object permissions, you have enabled the necessary write access for LAPS to update the local administrator password.
VI. Setting User Rights for Password Read Permissions
By default, only members of the Domain Admins group have permission to read the stored passwords of computer accounts. However, you may want to grant additional users or groups the ability to view the local administrator’s password. Here’s how you can do it:
- Open PowerShell and run the following command to grant permission to a specific group:
    Set-AdmPwdReadPasswordPermission -Identity "Your_OU_Name" -AllowedPrincipals "Group_Name"
Replace “Your_OU_Name” with the appropriate OU name and “Group_Name” with the desired group or user.
- Verify the extended rights permissions by running the following command:
    Find-AdmPwdExtendedRights -Identity "Your_OU_Name"
Ensure that only approved IT administrators have the permission to read the password.
By setting the appropriate user rights, you have effectively managed access to the local administrator’s password within the LAPS framework.
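The check in the previous step, "ensure that only approved IT administrators have the permission to read the password", is easy to do by eye on one OU and easy to get wrong across many. The script below is an added example, not part of the article or the AdmPwd.PS module; it runs `Find-AdmPwdExtendedRights` over an OU and flags any principal that is not on an approved list. The OU `OU=Workstations,DC=corp,DC=example` and the group names in `$Approved` are constructed placeholders to be replaced with your own:

```powershell
# Added example: audit which principals can read ms-Mcs-AdmPwd under an OU.
# Requires the AdmPwd.PS module on the management computer.
Import-Module AdmPwd.PS

$OrgUnit  = 'OU=Workstations,DC=corp,DC=example'   # constructed OU
$Approved = @(                                        # constructed allow-list
    'NT AUTHORITY\SYSTEM',          # always present; LAPS itself relies on it
    'CORP\Domain Admins',
    'CORP\LAPS-Password-Readers'
)

# One object per OU (and per computer with -IncludeComputers), each carrying the
# principals that hold the extended right. Rights set directly on computer objects
# are where stray grants usually hide, so include them.
$results = Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers

$findings = foreach ($r in $results) {
    foreach ($holder in $r.ExtendedRightHolders) {
        if ($holder -notin $Approved) {
            [pscustomobject]@{ ObjectDN = $r.ObjectDN; UnexpectedHolder = $holder }
        }
    }
}

if ($findings) {
    Write-Warning "Principals outside the approved list can read LAPS passwords:"
    $findings | Format-Table -AutoSize
} else {
    "Only approved principals hold read rights under $OrgUnit"
}
```

Run it once after the `Set-AdmPwdReadPasswordPermission` step to confirm the grant did what you intended, and keep it in a scheduled job: a helpdesk group added to an OU's ACL later will show up here long before anyone notices it in the GUI. If your environment legitimately reports additional default holders, add them to `$Approved` rather than ignoring the warning.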
VII. Configuring Group Policy Settings
To further streamline the management of LAPS settings across your network, you can create a group policy specifically dedicated to LAPS. Follow these steps:
- Open the Group Policy Management Console.
- Create a new Group Policy Object (GPO) within the OU that contains your computers.
- Give the GPO a descriptive name, such as “Computer – LAPS.”
- Edit the GPO and navigate to the following policy settings:
    Computer Configuration -> Policies -> Administrative Templates -> LAPS
- Enable the “Enable local admin password management” policy and click “OK.”
- Enable the “Password Settings” policy and configure the desired password complexity. Click “OK” to save the changes.
- If you have custom local administrator accounts that you want LAPS to manage, enable the “Manage password for administrator accounts” policy and specify the accounts. Click “OK” to save the changes.
By configuring these group policy settings, you have ensured that LAPS manages the local administrator password according to your defined policies.
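The LAPS administrative template writes its settings to the registry on each client, which makes it possible to verify on a machine that the policy actually applied and that the values are not weaker than intended. This is an added example, not code from the article or from Microsoft; the registry key and value names are those used by the LAPS ADMX, and the thresholds in `$checks` (length at least 14, full complexity, rotation every 30 days or sooner) are this example's own baseline, not a Microsoft requirement:

```powershell
# Added example: report a client's effective LAPS policy and flag weak settings.
# Run on a client after gpupdate; requires read access to HKLM only.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (-not (Test-Path $key)) {
    throw "No LAPS policy has applied to this computer ($key is missing)"
}
$p = Get-ItemProperty -Path $key

# Helper so that an unset value is reported as "not configured" rather than
# silently passing ($null -le 30 evaluates to True in PowerShell).
function Test-Setting([object]$Value, [scriptblock]$Rule) {
    if ($null -eq $Value) { return $false }
    return [bool](& $Rule $Value)
}

# PasswordComplexity per the ADMX: 1 = upper, 2 = upper+lower, 3 = +digits, 4 = +specials
$checks = @(
    @{ Name = 'AdmPwdEnabled';                  Want = '1';     Rule = { param($v) $v -eq 1 } }
    @{ Name = 'PasswordComplexity';             Want = '4';     Rule = { param($v) $v -ge 4 } }
    @{ Name = 'PasswordLength';                 Want = '>= 14'; Rule = { param($v) $v -ge 14 } }
    @{ Name = 'PasswordAgeDays';                Want = '<= 30'; Rule = { param($v) $v -le 30 } }
    @{ Name = 'PwdExpirationProtectionEnabled'; Want = '1';     Rule = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    $value = $p.($c.Name)
    [pscustomobject]@{
        Setting = $c.Name
        Value   = if ($null -eq $value) { 'not configured' } else { $value }
        Wanted  = $c.Want
        Status  = if (Test-Setting $value $c.Rule) { 'OK' } else { 'WEAK' }
    }
}

$report | Format-Table -AutoSize
if ($report.Status -contains 'WEAK') { exit 1 } else { exit 0 }
```

`PwdExpirationProtectionEnabled` corresponds to the "Do not allow password expiration time longer than required by policy" setting; without it a client can push its own expiration date far into the future and rotation effectively stops. The non-zero exit code makes the script usable as a compliance check in whatever endpoint tooling you already run.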
VIII. Viewing the Local Administrator Password
As an IT administrator, it is crucial to have the ability to retrieve the local administrator password when needed. LAPS provides multiple methods for accomplishing this. Here are the available options:
- Using the LAPS UI program:
  - Open the LAPS UI program on your management computer.
  - Enter the computer name and click “Search.”
  - The local administrator password will be displayed.
- Using PowerShell commands:
  - Open PowerShell and run the following command:
        Get-AdmPwdPassword -ComputerName "Computer_Name"
    Replace “Computer_Name” with the actual name of the computer.
- Viewing the password in Active Directory or using the AD Pro Toolkit:
  - Open Active Directory Users and Computers.
  - Enable the “Advanced Features” option under the “View” menu.
  - Navigate to the computer object and open its properties.
  - In the “Attribute Editor” tab, locate the “ms-Mcs-AdmPwd” attribute and view its value.
By utilizing these methods, you can securely retrieve the local administrator password when necessary.
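Retrieving the password is half of the operational picture; the other half is making sure a password that has been shown to a technician does not stay valid, and noticing computers whose password is no longer rotating. The functions below are an added example, not part of the article or the AdmPwd.PS module. They wrap `Get-AdmPwdPassword`, use `Reset-AdmPwdPassword` to expire a password immediately after use, and read `ms-Mcs-AdmPwdExpirationTime` (stored as a Windows FILETIME) through the ActiveDirectory module to find computers that are overdue. The OU `OU=Workstations,DC=corp,DC=example` and the two-day grace period are constructed values:

```powershell
# Added example: retrieve, then expire, a LAPS password; and find stale computers.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-LapsPasswordForTask {
    param([Parameter(Mandatory)][string]$ComputerName)
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) {
        throw "No LAPS password stored for $ComputerName (not yet managed, or no read right)"
    }
    # Surface the expiry alongside the password so the caller sees when it rotates
    [pscustomobject]@{
        ComputerName = $entry.ComputerName
        Password     = $entry.Password
        ExpiresUtc   = $entry.ExpirationTimestamp
    }
}

function Reset-LapsPasswordNow {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Sets the expiration to now; the CSE changes the password at the next Group
    # Policy refresh, so a password disclosed for a support call does not linger.
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
}

function Find-StaleLapsComputers {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',   # constructed OU
        [int]$GraceDays = 2                                           # constructed tolerance
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                   -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if ($null -eq $raw) {
                # Attribute never written: the CSE has not run successfully on this machine
                [pscustomobject]@{ Name = $_.Name; Status = 'never managed'; ExpirationUtc = $null }
            } else {
                $exp = [DateTime]::FromFileTimeUtc([int64]$raw)
                if ($exp.AddDays($GraceDays) -lt $now) {
                    # Past due: the client has not rotated since the expiration passed
                    [pscustomobject]@{ Name = $_.Name; Status = 'overdue'; ExpirationUtc = $exp }
                }
            }
        }
}

# Typical support flow: read the password, use it, then force rotation.
$cred = Get-LapsPasswordForTask -ComputerName 'WKS-0001'   # constructed computer name
$cred | Format-List
Reset-LapsPasswordNow -ComputerName 'WKS-0001'

# Periodic health check: anything listed here is a machine where LAPS is not doing its job.
Find-StaleLapsComputers | Format-Table -AutoSize
```

Reads of `ms-Mcs-AdmPwd` are ordinary LDAP attribute reads, so if you want a record of who retrieved which password, enable Directory Service Access auditing on the computer objects and filter on that attribute; the reset after use is what keeps the exposure window short regardless of how the password was viewed.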
IX. Conclusion
In this step-by-step guide, we have explored the installation and setup process for Microsoft LAPS. By following these instructions, you have implemented a robust solution to enhance the security of local administrator accounts on your domain-joined computers. Remember to regularly review and update your LAPS policies to maintain a secure environment.
FAQs (Frequently Asked Questions)
1. Can LAPS be used to manage passwords for non-administrator accounts? No, LAPS is specifically designed to manage the local administrator password for domain-joined computers.
2. Is it possible to deploy LAPS in a multi-domain environment? Yes, LAPS can be deployed and managed in multi-domain environments. However, each domain requires its own installation and configuration.
3. Can LAPS be integrated with third-party password management tools? LAPS is a standalone solution and does not integrate with third-party password management tools. It is designed to manage the local administrator password exclusively.
4. Does LAPS require an internet connection to function? No, LAPS operates within the local network and does not require an internet connection for its core functionality.
5. Can LAPS be used in conjunction with Group Managed Service Accounts (gMSA)? No, LAPS does not support Group Managed Service Accounts. It is focused on managing the local administrator password for computer accounts.
Ensure you have followed the instructions carefully, and you are now equipped to install and set up Microsoft LAPS effectively. Take the necessary steps to enhance the security of your local administrator accounts and protect your network from potential threats.