Cyberattack is one of the fastest growing crimes in the world, we have seen passwords being leaked regularly, local administrator account is like God of machine, it has superpower to do anything for the machine. A lot of IT guys simply use the same password for all local administrator accounts, the attacker easy access to the whole estate if one machine is breached.
Microsoft LAPS is one of solutions to prevent the issues, The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset. Today, I am going to show you how to deploy it.
Supported Operating System
Windows Server 2019, Windows Server 2008, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2003, Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8, Windows Vista, Windows 8.1, Windows Server 2022
Active Directory: (requires AD schema extension)
• Windows 2003 SP1 or later.
• Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
Note: Itanium-based machines are not supported.
• .NET Framework 4.0
• PowerShell 2.0 or later
1.login to LAPS Management Server, download Microsoft LAPS Package from https://www.microsoft.com/en-us/download/details.aspx?id=46899
2.On the Choose the download you Want page, select LAPS.x64.msi, click Next.
3.Login to the target computers which will update the local administrator password.
4.Run LAPS.x64.msi file. (You need to run this as administrator).
5.On the Welcome page, click Next.
6.On the End-User License Agreement page, select I accept terms in the License Agreement, click Next.
7.On the Custom Setup page, deselect AdmPwd GPO Extension and select Management Tools. If you also managing the local administrator account of the management server, you also need to install AdmPwd GPO Extension. In my case, I am installing it in a Domain controller so I do not need it.
9.On the Ready to install Local Administrator Password Solution page, click Install.
10.On the Completed page, click Finish.
Once this is done, we need to Active Directory schema to support Microsoft LAPS
11.Open PowerShell as Active Directory Schema Administrator.
12.Run below cmdlet.
13.Run below cmdlet to update the schema.
14.Verify two new attributes in the computer object after schema update.
ms-Mcs-AdmPwd – Save the administrator password in clear text. ms-Mcs-AdmPwdExpirationTime – Save the timestamp of password expiration.
These values will be updated once we finish the rest of the configuration.
During the password update process, the computer object itself should have permission to write values to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. To do that we need to grant permissions to SELF built-in account.
15.Open PowerShell as Domain Administrator.
16.Run below cmdlet to change computer object permissions.
Set-AdmPwdComputerSelfPermission -OrgUnit Servers
Servers is the OU I created for all the machine objects.
17.Creating a new security group and assign users as member of this group, the users of this security group have permissions to view the passwords for local administrators.
18.Before we assign permissions, run below cmdlet to see who had privileges to view the passwords by default.
Find-AdmPwdExtendedRights -Identity Servers
We noticed extended permissions are only applied to the Domain Admins group. It means a local administrator password for a computer object in Servers OU, can only access by a domain admin account.
19.Run below cmdlet to add extended permissions to LAPSAdmins security group.
Set-AdmPwdReadPasswordPermission -Identity Servers -AllowedPrincipals LAPSAdmins
20.Run below cmdlet to verify extended permissions to LAPSAdmins security group.
Find-AdmPwdExtendedRights -Identity Servers | fl
21.Creating a GPO to install LAPS agent software in managed computers.
22.Log in to Domain Controller.
23.Open Group Policy Management.
24.On the Group Policy Management console, right-click Group Policy Objects, select New.
25.Type LAPS Software Install as the new gpo name, click OK.
26.On the Contents page, right-click LAPS Software Install gpo, select Edit.
27.Go to Computer Configuration, then Policies, and then Software settings, right-click Software installation, select New and click Package.
28.On the Open page, type \\Cgy-dc02\laps\LAPS.x64.msi as File name, click Open.
29.On the Deploy Software page, select Assigned, click OK.
30.Go to Computer configuration, then Administrative Templates, and then LAPS.
31.Double click on Password Settings.
32.On the Password Settings page, select Enabled, you can define password complexity settings and password age at Options, click on OK.
33.Double click on the Do not allow password expiration time longer than required by policy.
34.On the Do not allow password expiration time longer than required by policy, select Enabled, click OK.
35.Double click on the Enable local admin password management.
36.On the Enable local admin password management page, select Enabled, click OK.
37Double click on the Name of administrator account to manage.
38.on the Name of administrator account to manage page, select Enable, enter admin as Administrator account name, click OK.
39.Close the Group Policy Management Editor.
40.On the Group Policy Management Console, right-click Servers OU, select Link an Existing GPO.
41.On the Select GPO page, select LAPS Software Install, click OK.
42.Close Group Policy Management console, this will push agents to the Computers under Servers OU. The installation is required a reboot on the computers to complete the installation.
43.Login to member server of Servers OU, reboot the machine or run gpupdate.
44.Verify LAPS agent installed.
45.Login tp domain controller (LAPS manager server) as a member of LAPSAdmins group.
46.Open LAPS UI.
45.Type the computer name (member of Server OU), click Search.
46.You will notice LAPS changed the password of the local administrator account.
47.You also can run below PowerShell cmdlet to retrieve the local administrator password.
Get-AdmPwdPassword -ComputerName CGY-RDSCB01 |fl
Hope you enjoy this post.
Web Site: carysun.com
Blog Site: checkyourlogs.net
Blog Site: gooddealmart.com
Author: Cary Sun
Cary Sun is an Principal Consultant, He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies and Management and system integration.He hold CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1997.Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion, He is a published author with serveral titles, include blogs on Checkyourlogs.net, author for many books. Specialties: CCIE /CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA