Campus Active Directory - Configuring Windows Local Administrator Password Solution (LAPS)

This article outlines the process to set up Windows Local Administrator Password Solution (LAPS) within the Campus Active Directory Environment for a department’s specific organizational unit (OU).

Windows LAPS was released on April 11th, 2023 as a direct successor to Microsoft LAPS. New features include: 

Supported Operating Systems 

  • Windows Server 2019 and above with the April 11, 2023 updates. 

  • Windows 10 versions 22H2 and 21H2 with the April 11, 2023 updates. 

  • Windows 11 versions 22H2 and 21H2 with the April 11, 2023 updates. 

Instructions: 

Step 1: Extend Schema

For Campus Active Directory (ad.wisc.edu) the schema has already been extended. However, if you are not a part of Campus Active Directory but wish to set up Windows LAPS, run the following command as a Schema Admin in an elevated PowerShell Prompt to extend the schema: 

Update-LapsADSchema 

To check if your schema has been extended properly, open Active Directory Users and Computers and check the properties of a Computer Object. The LAPS tab should be available now.  

Step 2: Set Computer Self Permissions 

Computer objects do not automatically have permission to set their own local Administrator password. This permission needs to be granted using an OU account that is a member of the OU Owners group of your department's OU. Run the following command with a -ou account in an elevated PowerShell prompt to give computer objects permission to reset their own password: 

Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=Department,DC=AD,DC=wisc,DC=edu" 

Step 3: Configure Group Policy 

To configure your LAPS settings, open Group Policy Management Editor as your OU account. Create a group policy under your specific OU and edit the policy. Navigate to:  

Computer Configuration >> Windows Settings >> Administrative Templates >> System >> LAPS. 

There you will see the Group Policy settings for Windows LAPS. Here are some suggested settings: 

  • Configure Password Backup Directory: Enable this setting and set it to Active Directory 

  • Enable Password Encryption: Enabled 

  • Do not allow password expiration time longer than required by policy: Enabled 

  • Name of administrator account to manage: Enable this and enter the local administrator username of your choosing. Be sure that this local user exists on every computer in the OU. By default this is the built-in Administrator account. 

  • Configure authorized password decryptors: This policy sets the group or users who will be allowed to view passwords in ADUC. Enable this and provide the user or group of your choosing. 

  • Password Settings: Enable this and set the desired password length, password age and complexity. We suggest using uppercase letters, lowercase letters, numbers and special characters. 

  • Configure Size of encrypted password history: Purely optional and up to the specific Departmental IT to decide. 

  • Enable Password Backup for DSRM Accounts: Purely optional and up to the specific Departmental IT to decide. 

  • Post-Authentication Actions: This policy defines what happens after an authorized login, once a specified grace period has elapsed. Our recommendation is to set this to a timeframe predetermined by your departmental IT team and have it reset the password after the allotted time.  

NOTE: If you have defined a local administrator account other than the built-in "Administrator" account, make sure that this account has been created locally on every machine the LAPS GPOs are going to be applied to. LAPS will not be able to apply a randomly generated password to an account that does not exist. 

Step 4: LAPS AD Read and Write Password Permission

In step three we set the Authorized Decryptors in the LAPS Group Policy. That group or user will need read and write permissions on the Windows LAPS attributes in order to read the local Administrator password or force it to be reset. To accomplish this, run the following command under your OU account to grant read permission on your specific OU:  

Set-LapsADReadPasswordPermission -Identity "OU=Computers,OU=DepartmentOU,DC=ad,DC=wisc,DC=edu" -AllowedPrincipals Yourgroup@ad.wisc.edu 

NOTE: Use the distinguished name of the OU you are applying the LAPS Group Policy and Computer Self Password reset permissions to, and the name of the group or user you intend to give this permission to under the -AllowedPrincipals parameter. Also note that these permissions are not inherited, so these commands will need to be run on each individual OU that contains computer objects. 

Use the following command to grant write permission to the local Administrator Password: 

Set-LapsADResetPasswordPermission -Identity "OU=Computers,OU=DepartmentOU,DC=ad,DC=wisc,DC=edu" -AllowedPrincipals groupname@ad.wisc.edu 
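Because the permissions above are not inherited, here is an added example (not code from this KB article) that applies Steps 2 and 4 to every OU under a department OU that directly holds computer objects, then lists the resulting extended rights. It assumes the RSAT ActiveDirectory module and the built-in LAPS module are available, that it runs as the department's -ou account, and that the OU distinguished name and group name are placeholders you replace with your own.

```powershell
# Added example, not part of the original KB article.
# Assumes the RSAT ActiveDirectory module and the built-in LAPS module,
# and that the script runs as the department's -ou account.
#Requires -Modules ActiveDirectory, LAPS

param(
    [string]$DepartmentOU   = 'OU=DepartmentOU,DC=ad,DC=wisc,DC=edu',  # placeholder
    [string]$LapsAdminGroup = 'Yourgroup@ad.wisc.edu'                  # placeholder
)

# LAPS AD permissions are not inherited, so select every OU in the subtree
# (the department OU itself included) that directly contains at least
# one computer object. Empty container OUs are skipped.
$targetOUs = Get-ADOrganizationalUnit -SearchBase $DepartmentOU -SearchScope Subtree -Filter * |
    Where-Object {
        $null -ne (Get-ADComputer -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                                  -Filter * -ResultSetSize 1)
    }

foreach ($ou in $targetOUs) {
    $dn = $ou.DistinguishedName
    Write-Host "Configuring Windows LAPS permissions on $dn"

    # Step 2: allow computer objects to write their own managed password attributes.
    Set-LapsADComputerSelfPermission -Identity $dn | Out-Null

    # Step 4: allow the authorized decryptor group to read the password ...
    Set-LapsADReadPasswordPermission  -Identity $dn -AllowedPrincipals $LapsAdminGroup | Out-Null

    # ... and to force a reset by expiring it (password rotates on next policy processing).
    Set-LapsADResetPasswordPermission -Identity $dn -AllowedPrincipals $LapsAdminGroup | Out-Null
}

# Verification: show which principals now hold the LAPS extended rights on each OU,
# so unexpected holders can be spotted before the GPO is linked.
$targetOUs | ForEach-Object {
    Find-LapsADExtendedRights -Identity $_.DistinguishedName
} | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
```

After the GPO has applied on a client (Step 5), running Get-LapsADPassword -Identity <computername> -AsPlainText as a member of the group confirms that the password and its ExpirationTimestamp are populated (Step 6).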

Step 5: Pulling policies down to local machine 

The local computers themselves need to have these policies pulled down in order to set the local Administrator password. This can be accomplished by running gpupdate /force in an elevated command prompt, or by running the LAPS cmdlet Invoke-LapsPolicyProcessing in an elevated PowerShell prompt. You may need to reboot the computer after the policies have been applied.  

Step 6: Testing

Open Active Directory Users and Computers as a user from the designated group in your group policy. Find a computer object from your OU and open its properties. This user should be able to view the password and the account associated with that password. If you granted the password reset permission to your group, then this user should be able to set the expiration date from this tab as well. If all looks well, then Windows LAPS has been successfully set up. 

Keywords: Windows LAPS, LAPS, Local Administrator Password Solution
Doc ID: 135170
Owned by: Richie M. in Identity and Access Management
Created: 2024-01-31
Updated: 2024-07-16
Sites: Identity and Access Management