How to deploy Microsoft Local Administrator Password Solution (LAPS)


Cyberattack is one of the fastest growing crimes in the world, and leaked passwords are a regular occurrence. The local administrator account is the god of a machine: it has the power to do anything on that machine. Many IT teams simply use the same password for every local administrator account, so an attacker who breaches one machine gains easy access to the whole estate.

Microsoft LAPS is one solution to this problem. The Local Administrator Password Solution (LAPS) manages the local account passwords of domain-joined computers. Each password is stored in Active Directory (AD) and protected by an ACL, so only eligible users can read it or request its reset. Today, I am going to show you how to deploy it.

System prerequisites

Supported Operating System

Windows Server 2019, Windows Server 2008, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2003, Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8, Windows Vista, Windows 8.1, Windows Server 2022

Active Directory: (requires AD schema extension)

• Windows 2003 SP1 or later.

Managed machines:

• Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.

Note: Itanium-based machines are not supported.

Management tools:

• .NET Framework 4.0

• PowerShell 2.0 or later

1. Log in to the LAPS management server and download the Microsoft LAPS package from https://www.microsoft.com/en-us/download/details.aspx?id=46899

2. On the Choose the download you want page, select LAPS.x64.msi, click Next.

3. Log in to the target computer that will update the local administrator password.

4. Run the LAPS.x64.msi file (you need to run this as administrator).

5. On the Welcome page, click Next.

6. On the End-User License Agreement page, select I accept the terms in the License Agreement, click Next.

7. On the Custom Setup page, deselect AdmPwd GPO Extension and select Management Tools. If you are also managing the local administrator account of the management server, you also need to install the AdmPwd GPO Extension. In my case, I am installing it on a Domain Controller, so I do not need it.

8. Click Next.

9. On the Ready to install Local Administrator Password Solution page, click Install.

10. On the Completed page, click Finish.

Once this is done, we need to extend the Active Directory schema to support Microsoft LAPS.

11. Open PowerShell as an Active Directory Schema Administrator.

12. Run the cmdlet below.

Import-Module AdmPwd.PS

13. Run the cmdlet below to update the schema.

Update-AdmPwdADSchema

14. After the schema update, verify the two new attributes on the computer object.

ms-Mcs-AdmPwd – stores the administrator password in clear text.

ms-Mcs-AdmPwdExpirationTime – stores the timestamp of the password expiration.

These values will be populated once we finish the rest of the configuration.

During the password update process, the computer object itself must have permission to write values to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. To allow that, we grant the permission to the built-in SELF principal.

15. Open PowerShell as a Domain Administrator.

16. Run the cmdlet below to change the computer object permissions.

Set-AdmPwdComputerSelfPermission -OrgUnit Servers

Servers is the OU I created for all the machine objects.

17. Create a new security group (LAPSAdmins) and add as members the users who should be allowed to view the local administrator passwords.

18. Before we assign permissions, run the cmdlets below to see who has the privilege to view the passwords by default.

Import-Module AdmPwd.PS

Find-AdmPwdExtendedRights -Identity Servers

We notice that extended rights are applied only to the Domain Admins group. This means the local administrator password of a computer object in the Servers OU can only be read by a domain admin account.

19. Run the cmdlet below to grant extended rights to the LAPSAdmins security group.

Set-AdmPwdReadPasswordPermission -Identity Servers -AllowedPrincipals LAPSAdmins

20. Run the cmdlet below to verify the extended rights of the LAPSAdmins security group.

Find-AdmPwdExtendedRights -Identity Servers | fl
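As an added example (not code from the original post), the following PowerShell turns the check in steps 18 and 20 into a repeatable audit: it lists every principal that can read LAPS passwords under the OU and flags any that is not on an approved list. It assumes the AdmPwd.PS module is installed and uses the Servers OU and LAPSAdmins group names from this post.

```powershell
# Added example, not code from the original post: audit which principals hold the
# extended right that allows reading LAPS passwords under an OU, and flag any
# principal that is not on an approved list. Assumes the AdmPwd.PS module from
# step 7, plus the "Servers" OU and "LAPSAdmins" group used in this post.
Import-Module AdmPwd.PS

function Test-LapsReadPermission {
    param(
        [Parameter(Mandatory)] [string] $OrgUnit,
        # NT AUTHORITY\SYSTEM is normally listed as well, so it is approved by default.
        [string[]] $Approved = @('SYSTEM', 'Domain Admins', 'LAPSAdmins')
    )
    # Find-AdmPwdExtendedRights returns one object per OU or container with two
    # properties: ObjectDN and ExtendedRightHolders (names such as "CONTOSO\Domain Admins").
    # -IncludeComputers also reports computer objects that carry their own delegations.
    Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            # Drop the "DOMAIN\" prefix before comparing against the approved names.
            $name = $holder.Split('\')[-1]
            [pscustomobject]@{
                ObjectDN  = $dn
                Principal = $holder
                Approved  = [bool]($Approved -contains $name)
            }
        }
    }
}

$report = Test-LapsReadPermission -OrgUnit 'Servers'
$report | Format-Table -AutoSize

# Anything not on the approved list should be investigated: whoever holds this
# right can read every managed local administrator password under the OU.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected LAPS password reader(s) found" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning "  $($_.Principal) on $($_.ObjectDN)" }
}
```

Reset rights are granted separately with Set-AdmPwdResetPasswordPermission and are not extended rights, so they do not appear in this report.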

21. Create a GPO to install the LAPS agent software on the managed computers.

22. Log in to the Domain Controller.

23. Open Group Policy Management.

24. On the Group Policy Management console, right-click Group Policy Objects, select New.

25. Type LAPS Software Install as the new GPO name, click OK.

26. On the Contents page, right-click the LAPS Software Install GPO, select Edit.

27. Go to Computer Configuration, then Policies, and then Software Settings, right-click Software installation, select New and click Package.

28. On the Open page, type \\Cgy-dc02\laps\LAPS.x64.msi as the File name, click Open.

29. On the Deploy Software page, select Assigned, click OK.

30. Go to Computer Configuration, then Administrative Templates, and then LAPS.

31. Double-click Password Settings.

32. On the Password Settings page, select Enabled; you can define the password complexity settings and password age under Options. Click OK.

33. Double-click Do not allow password expiration time longer than required by policy.

34. On the Do not allow password expiration time longer than required by policy page, select Enabled, click OK.

35. Double-click Enable local admin password management.

36. On the Enable local admin password management page, select Enabled, click OK.

37. Double-click Name of administrator account to manage.

38. On the Name of administrator account to manage page, select Enabled, enter admin as the Administrator account name, click OK.

39. Close the Group Policy Management Editor.

40. On the Group Policy Management console, right-click the Servers OU, select Link an Existing GPO.

41. On the Select GPO page, select LAPS Software Install, click OK.

42. Close the Group Policy Management console. The GPO pushes the agent to the computers under the Servers OU; a reboot is required on those computers to complete the installation.

43. Log in to a member server in the Servers OU and reboot the machine, or run gpupdate.

44. Verify that the LAPS agent is installed.

45. Log in to the domain controller (LAPS management server) as a member of the LAPSAdmins group.

46. Open the LAPS UI.

47. Type the computer name (a member of the Servers OU), click Search.

48. You will see that LAPS has changed the password of the local administrator account.

49. You can also run the PowerShell cmdlet below to retrieve the local administrator password.

Get-AdmPwdPassword -ComputerName CGY-RDSCB01 | fl
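As an added example that is not part of the original post, this script checks LAPS coverage for the whole OU rather than one computer: it reads only ms-Mcs-AdmPwdExpirationTime (no password is retrieved) and reports computers where the attribute was never written or the expiration has already passed. It assumes the RSAT ActiveDirectory module; the DC=example,DC=com portion of the DN is a placeholder.

```powershell
# Added example, not code from the original post: report which computers in an OU
# have a current LAPS-managed password, without reading any password. Reading
# ms-Mcs-AdmPwdExpirationTime needs no special right; only ms-Mcs-AdmPwd is protected.
# Assumes the RSAT ActiveDirectory module and the "Servers" OU from this post;
# the domain part of the DN is a constructed placeholder.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([Parameter(Mandatory)] [string] $SearchBase)
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if ($null -eq $raw) {
                # Never written: the agent has not run, or SELF lacks write permission (step 16).
                $expires = $null
                $state   = 'NotManaged'
            } else {
                # The attribute is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                # A past expiration means the agent has not rotated the password on schedule.
                $state   = if ($expires -lt $now) { 'Expired' } else { 'Managed' }
            }
            [pscustomobject]@{
                ComputerName = $_.Name
                State        = $state
                ExpiresUtc   = $expires
            }
        }
}

$ou = 'OU=Servers,DC=example,DC=com'   # placeholder: replace with your domain's DN
$coverage = Get-LapsCoverage -SearchBase $ou
$coverage | Sort-Object State, ComputerName | Format-Table -AutoSize

$problems = @($coverage | Where-Object { $_.State -ne 'Managed' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} computer(s) without a current LAPS password" -f $problems.Count)
}
```

A computer reported as Expired for more than one Group Policy refresh interval is worth checking on the host itself, since the agent only rotates the password when it applies policy.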

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com


Author: Cary Sun

Cary Sun is a Principal Consultant. He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies, management, and system integration. He has held the Cisco Certified Internetwork Expert certification (CCIE No. 4531) since 1997. Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books. Specialties: CCIE / CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Blog:
http://www.carysun.com http://www.checkyourlogs.net
Twitter: @SifuSun
