Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
LAPS allows you to manage local administrator account passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and centrally stored in Active Directory infrastructure.
LAPS was originally called “AdmPwd”. It was renamed Local Administrator Password Solution (LAPS) when Microsoft made it part of its product portfolio, and it is still free. Because it is now a supported Microsoft product, you can get technical support when using LAPS by opening a Microsoft ticket.
LAPS ships with a “fat” client for SysAdmins, and PowerShell cmdlets are also available to manage the solution, which is nice!
Before installing LAPS, there are some prerequisites:
This solution uses confidential attributes and does not depend on a domain functional level.
One of the cool features is that LAPS can manage a local administrator account that is not named “administrator”. The core of the LAPS solution is a GPO client-side extension (CSE) that you install on managed computers to perform all management tasks. This means that when the machine performs a GPUpdate, the CSE carries out the following actions:
Let’s take a look at the installation.
First, you must download LAPS from the Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=46899
There are two parts to the installation: the management computers and the clients you want to manage. Double-click the MSI installer:
At this step, check or uncheck “AdmPwd GPO Extension” depending on whether you are installing LAPS on a managed computer or on a management computer. Here, I want to install LAPS on a management computer:
One of the limitations of LAPS is that it requires an Active Directory schema update. Some organizations can perform this task easily, but for others this change can be complicated.
The Active Directory Schema needs to be extended by two new attributes that store the password of the managed local Administrator account for each computer and the timestamp of password expiration.
To update the schema, first import the PowerShell module. This task must be performed by a user who is a member of the Schema Admins group. Use the following commands:
That’s all. The schema has been updated!
By default, Domain Admins and Enterprise Admins can view the stored passwords. We also need to give the computers the ability to update the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes in Active Directory. This is required so that each machine can update the password and expiration timestamp of its own managed local Administrator account.
You can do this using PowerShell:
You will need to run this command for each OU that will have managed computers.
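The schema update and the per-OU delegation described above, as one added example (these are not the commands from the original post); the OU distinguished names and the helpdesk group name are assumptions, and the final step lists who holds extended rights on each OU, since that right also exposes the confidential ms-Mcs-AdmPwd attribute:

```powershell
# Added example: prepare Active Directory for LAPS from a management computer
# where the AdmPwd.PS module is installed. The schema step needs Schema Admins,
# the delegation steps need rights on the OUs (typically Domain Admins).
# OU DNs and the helpdesk group are assumptions; adjust them for your domain.
Import-Module AdmPwd.PS

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (once per forest).
Update-AdmPwdADSchema

# 2. Let computers in each managed OU write their own password and expiration time.
$managedOUs = @(
    'OU=Workstations,DC=corp,DC=example',   # assumption
    'OU=Servers,DC=corp,DC=example'         # assumption
)
foreach ($ou in $managedOUs) {
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou
}

# 3. Delegate read and reset rights to a helpdesk group rather than to individual users.
foreach ($ou in $managedOUs) {
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Helpdesk'   # assumption
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Helpdesk'   # assumption
}

# 4. Audit: principals holding "All extended rights" on the OU can read the
#    confidential attribute too, so review this list and remove anything unexpected.
foreach ($ou in $managedOUs) {
    Find-AdmPwdExtendedRights -Identity $ou |
        ForEach-Object {
            foreach ($holder in $_.ExtendedRightHolders) {
                '{0} : {1}' -f $_.ObjectDN, $holder
            }
        }
}
```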
The settings are located under Computer Configuration\Administrative Templates\LAPS. If the organization uses a centralized policy store, an administrator must copy the ADMX templates into the central policy store in SYSVOL.
You can configure some settings by GPO:
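As an added example (not part of the original post), the same GPO settings configured with the GroupPolicy module instead of the GPMC; the domain name, GPO name, OU, local ADMX path and the chosen password values are assumptions:

```powershell
# Added example: copy the LAPS ADMX/ADML to the Central Store and build the LAPS GPO.
# The registry key is the one the LAPS ADMX writes to; the rest are assumptions.
Import-Module GroupPolicy

$domain  = 'corp.example'                                                   # assumption
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$central\en-US" -Force | Out-Null
# The LAPS MSI (Management.ADMX feature) drops the templates in the local PolicyDefinitions folder (assumed path)
Copy-Item "$env:windir\PolicyDefinitions\AdmPwd.admx"       -Destination $central
Copy-Item "$env:windir\PolicyDefinitions\en-US\AdmPwd.adml" -Destination "$central\en-US"

$gpoName = 'LAPS - Workstations'                                            # assumption
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

$key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
# "Enable local admin password management"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1
# "Password Settings": complexity 4 = upper + lower + digits + specials; 20 characters; rotate every 30 days
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# "Do not allow password expiration time longer than required by policy":
# prevents a client from pushing its own expiration far into the future to dodge rotation
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1
# "Name of administrator account to manage": leave unset for the built-in account;
# only set it when the managed account has a custom name, as the post mentions
# Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdminAccountName' -Type String -Value 'LocalAdmin'

New-GPLink -Name $gpoName -Target 'OU=Workstations,DC=corp,DC=example' -LinkEnabled Yes   # assumption
```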
In a large environment, I advise you to use SCCM to install LAPS on all your machines. You can easily perform this task by deploying the MSI with SCCM. Open the SCCM console, and navigate to:
Now, create a new MSI application:
Edit the deployment and specify the command to install LAPS and then the command to uninstall it. You can use this command line to do a silent install:
Now add the detection method based on the MSI product code:
Install LAPS whether a user is logged on or not
Refresh the SCCM client policy on the machine and check the installation process:
Now, LAPS will appear in the “Programs and Features” section:
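The silent install, uninstall and product-code detection for the SCCM application, as an added example that is not from the original post; the MSI source path is an assumption, while the ADDLOCAL feature names are those of the LAPS installer and the product code is read from the MSI rather than typed in, because it changes between LAPS versions:

```powershell
# Added example: build the command lines and the detection value for the SCCM
# application. Run on the site server where the MSI is stored (path is an assumption).
function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)
    # Read the ProductCode property straight from the MSI's Property table.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $database  = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $query     = "SELECT Value FROM Property WHERE Property = 'ProductCode'"
    $view      = $database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $database, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record    = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}

$msi  = '\\sccm01\Sources\LAPS\LAPS.x64.msi'          # assumption
$code = Get-MsiProductCode -Path $msi
"Detection method (MSI product code): $code"

# Install program for managed clients: only the GPO client-side extension, silent, no reboot
"msiexec.exe /i LAPS.x64.msi ADDLOCAL=CSE /quiet /norestart /l*v %TEMP%\LAPS-install.log"
# Install program for management computers: UI, PowerShell module and ADMX, without the CSE
"msiexec.exe /i LAPS.x64.msi ADDLOCAL=Management,Management.UI,Management.PS,Management.ADMX /quiet /norestart"
# Uninstall program
"msiexec.exe /x $code /quiet /norestart"

# Local check on a client after the policy refresh: the CSE DLL exists and the
# product is registered under the expected product code.
$cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
"CSE present: {0}" -f (Test-Path $cseDll)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$code" -ErrorAction SilentlyContinue |
    Select-Object DisplayName, DisplayVersion
```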
There are many ways to view the password for a computer. You can manage the password with the fat client, Windows PowerShell, directly from Active Directory, or with SCCM.
The “fat” client, also called “LAPS UI”, is installed on your management station during the installation process.
The fat client is installed in the folder %ProgramFiles%\LAPS.
When you run the LAPS UI Client, you must type the computer name and press “search”. LAPS UI will display the password and the expiration time.
The management tools also include a PowerShell module that you can use for viewing passwords. It is really easy, so just use the following command:
The PowerShell module, called “AdmPwd.PS”, provides the same functionality as the fat client. It is installed in “C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS”.
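Reading a password with the module, forcing a rotation, and auditing which computers in an OU have never been managed, as an added example that is not from the original post; the computer name and OU are assumptions:

```powershell
# Added example: use AdmPwd.PS to read and rotate a password, then audit coverage
# of an OU through the ms-Mcs-AdmPwdExpirationTime attribute. Names are assumptions.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Read the current password and expiration (needs the read-password delegation on the OU).
Get-AdmPwdPassword -ComputerName 'WS-0042' |
    Select-Object ComputerName, DistinguishedName, Password, ExpirationTimestamp

# After the password has been handed to a helpdesk user, expire it now so the CSE
# sets a fresh one at the next GPUpdate (needs the reset-password delegation).
Reset-AdmPwdPassword -ComputerName 'WS-0042' -WhenEffective (Get-Date)

# Audit: an empty expiration time means the computer has never been managed (CSE not
# installed, policy not applied, or self-permission missing); an expiration in the past
# means the CSE stopped rotating the password. The attribute is a FILETIME in UTC.
$ou      = 'OU=Workstations,DC=corp,DC=example'        # assumption
$nowUtc  = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Name    = $_.Name
            Expires = $expires
            Status  = if (-not $raw)              { 'never managed' }
                      elseif ($expires -lt $nowUtc) { 'expired - check CSE' }
                      else                          { 'ok' }
        }
    } | Sort-Object Status, Name | Format-Table -AutoSize
```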
First, open the Active Directory MMC and enable the “Advanced Features” mode:
Now, double-click the computer object and go to the “Attribute Editor” tab:
With this extension for SCCM, you can easily access the LAPS password for all of your domain computers from within the SCCM console; a button will be added to the ribbon and the right-click menu when a computer object is selected.
Download the LAPS SCCM Extension from Technet Gallery: https://gallery.technet.microsoft.com/LAPS-Extension-for-SCCM-e8bd35b1 and run the executable:
Accept the license
Wait a few seconds…
Once the installation is completed, open the SCCM console, select a managed computer and check the new button in the ribbon:
LAPS is really a nice tool, very simple to deploy and manage. LAPS is not perfect but it is a “nice to have” and it can really increase your Active Directory security.
Please note that computer accounts might be subject to accidental deletion. In that case (especially when the AD Recycle Bin feature is not implemented), the password of the managed local Administrator account would be lost and there would be no easy way for support staff to retrieve it.
Before deploying Local Administrator Password Solution in production, I highly recommend deploying it in your test environment first.
Below are some useful links about LAPS or other similar solutions:
Thanks for reading!
Categories: Microsoft, Software. By Nicolas Prigent.