Topics Map > Active Directory
Campus Active Directory - Configuring Legacy Local Administrator Password Solution (LAPS)
WARNING
The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later.
On Windows 11 23H2 and later, use Windows LAPS instead. To set up Windows LAPS, please view: https://kb.wisc.edu/135170
Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows until support ends for those versions. Please see the official Microsoft warning on the Windows LAPS overview page: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
NOTE: Deploying LAPS is not a requirement if you are managing local administrator account passwords for domain-joined computers and other devices through a different method.
What is it
Using the same local administrator password on every domain computer means that a single compromised machine (or a single leaked image or script containing the password) gives an attacker that account on every other machine, which is exactly the credential reuse that lateral-movement techniques such as pass-the-hash rely on. Microsoft's Local Administrator Password Solution (LAPS) provides a way to manage these passwords securely: through Group Policy, LAPS sets a random, per-computer password on each domain-joined computer and stores it, together with its expiration time, in attributes on the computer object in Active Directory. AD administrators control how often passwords are refreshed and which users (for example, help desk staff) are authorized to read them.
Install and Setup LAPS
1. Download the LAPS.x64.msi file from Microsoft and install it on the machine you will administer LAPS from (this guide uses the domain controller).
Download LAPS software - Official Microsoft Download Center
2. Run LAPS.x64.msi. In the setup wizard, under Custom Setup, select both AdmPwd GPO Extension and Management Tools and choose "Entire feature will be installed on local hard drive" for each.
Note: The Management Tools are meant to be installed only on administrative or authorized user machines, NOT on the computer(s) that will be managed. Managed computers need only the AdmPwd GPO Extension (the client-side extension), which the GPO software installation below deploys.
Add LAPS files to Central Group Policy Store
Copy both AdmPwd.admx and AdmPwd.adml files from the PolicyDefinitions folder to the Central Group Policy Store. If a central store does not exist, it should be created first. This Microsoft article explains how.
AdmPwd.admx file-
Copy from C:\Windows\PolicyDefinitions\AdmPwd.admx to \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions\
AdmPwd.adml file-
Copy from C:\Windows\PolicyDefinitions\en-us\AdmPwd.adml to \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions\en-us
Configure Active Directory for LAPS
1. From a designated server or workstation with the Management Tools installed, run the following PowerShell commands to extend the AD schema. This adds two attributes to the computer class: ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime (when the client must rotate it).
Note: These commands must be run from an account that is a member of Schema Admins.
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
2. Grant the computers in each delegated OU permission to write their own local administrator password and expiration time (this gives the computer's SELF identity write access to the two attributes):
Set-AdmPwdComputerSelfPermission -OrgUnit "distinguished name of organizational unit"
3. Next, check which principals can already read the passwords. ms-Mcs-AdmPwd is a confidential attribute, but any user or group holding the "All extended rights" permission on the OU can read it, whether or not they were ever delegated through LAPS. For each OU that Set-AdmPwdComputerSelfPermission was applied to, run the Find-AdmPwdExtendedRights cmdlet (as in step 5).
By default only NT AUTHORITY\SYSTEM and YOURDOMAIN\Domain Admins should be returned. Any other principal in the list can read every password under that OU; remove the extended right from anything that should not have it before going further.
4. Assign rights to the user(s) or group(s) that will need to read the local administrator passwords (for example, help desk admins, server operators). It is recommended that permissions be assigned through security groups rather than to individual users:
Set-AdmPwdReadPasswordPermission -Identity "name of org unit" -AllowedPrincipals "security group name/user assigned rights"
5. Check permissions again to make sure that delegated group/user is added. You may need to format the layout to display a full view:
Find-AdmPwdExtendedRights -Identity "name of org unit" | Format-Table -AutoSize
Note: Be sure to remove your account from the Schema Admins group after carrying out these steps.
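The steps above, combined into one script, as an added example that is not part of the original article. It extends the schema only if the attribute is missing, delegates read and reset rights to two separate groups (reset rights use Set-AdmPwdResetPasswordPermission, which the article does not cover), and then lists every holder of extended rights on the OU, flagging anything beyond the expected set. The OU distinguished name and the two group names are placeholders; it assumes you are logged on to the target domain, with the Management Tools and the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original article): one-pass LAPS delegation for a single OU.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$TargetOU       = 'OU=Workstations,OU=Campus,DC=ad,DC=example,DC=edu'  # assumption: placeholder OU
$ReadersGroup   = 'LAPS-Password-Readers'     # assumption: placeholder group (e.g. help desk)
$ResettersGroup = 'LAPS-Password-Resetters'   # assumption: placeholder group (can force rotation)
$NetBiosDomain  = $env:USERDOMAIN             # assumption: you are logged on to the target domain

# 1. Extend the schema once per forest (caller must be in Schema Admins).
#    Skip the call if the ms-Mcs-AdmPwd attribute already exists.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -Filter "name -eq 'ms-Mcs-AdmPwd'" -SearchBase $schemaNC)) {
    Update-AdmPwdADSchema
}

# 2. Let computers under the OU write their own password and expiration time (SELF permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU | Out-Null

# 3. Delegate read (retrieve) and reset (force rotation) rights to separate groups so that
#    staff who only need to trigger a rotation never have to see the password.
Set-AdmPwdReadPasswordPermission  -OrgUnit $TargetOU -AllowedPrincipals $ReadersGroup   | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $ResettersGroup | Out-Null

# 4. Audit: every principal holding "All extended rights" on the OU tree can read
#    ms-Mcs-AdmPwd, even if it was never delegated through the LAPS cmdlets.
$expected = @('NT AUTHORITY\SYSTEM',
              "$NetBiosDomain\Domain Admins",
              "$NetBiosDomain\$ReadersGroup",
              "$NetBiosDomain\$ResettersGroup")

Find-AdmPwdExtendedRights -Identity $TargetOU | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        [pscustomobject]@{
            ObjectDN = $_.ObjectDN
            Holder   = $holder
            Status   = if ($expected -contains $holder) { 'expected' } else { 'REVIEW' }
        }
    }
} | Format-Table -AutoSize
```

Rows marked REVIEW are principals that can read passwords without having been delegated through LAPS (typically inherited ACEs on the OU); decide for each whether that access is intended.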
Administer LAPS via Deployment Software or GPO
LAPS can generally be administered using endpoint management software such as SCCM or BigFix. VMware's Workspace ONE at this time cannot administer LAPS. If deployment software is not an option, enforcing LAPS via GPO is another deployment solution. Below are the steps to deploy via GPO:
- From the domain controller, open Group Policy Management and create a new GPO. Give it an appropriate name.
- Edit the GPO, and navigate to Computer Configuration > Policies > Software Settings > Software Installation (right click) > New > Package, and add the LAPS.x64.msi file. Point the package at a network share that the computer accounts (Domain Computers) can read; a local path on the domain controller will not work for clients, because the computer installs the package at startup using its own identity.
- Leave the deployment method as Assigned.
- Next, configure the LAPS settings. Navigate to Computer Configuration > Policies > Administrative Templates > LAPS. Configure the settings as follows:
- DO Enable: Enable local admin password management - LAPS will not work if this setting is not enabled.
- DO Enable: Password Settings - Complexity requirements: large letters, small letters, numbers and special characters is recommended. See Microsoft's password policy recommendations on age, length and complexity for best-practice reference.
- Optional: Do not allow password expiration time longer than required by policy - If enabled, a computer whose ms-Mcs-AdmPwdExpirationTime has been set further out than the age configured under Password Settings will rotate its password anyway, so nobody can extend a password's life beyond policy by editing the attribute.
- Optional: Name of administrator account to manage - should only be configured if an additional administrator account is created AND the built-in administrator account is disabled. Leave it unconfigured when managing the built-in administrator account: LAPS finds that account by its well-known SID, even if it has been renamed.
- Be sure that the GPO Status is set to "Enabled".
- To check which computers have LAPS successfully deployed on them, run from the management machine as an administrator (requires the RSAT ActiveDirectory module):
Get-ADComputer -Filter 'ms-Mcs-AdmPwdExpirationTime -like "*"' -Properties 'ms-Mcs-AdmPwdExpirationTime' | Select-Object DNSHostName, ms-Mcs-AdmPwdExpirationTime
Adding ms-Mcs-AdmPwd to the -Properties and Select-Object lists prints every password in cleartext to the console; only do that when you actually need the values, from an account that has been delegated read rights.
Additionally, to find computers where LAPS has not yet written a password, run:
Get-ADComputer -Filter 'ms-Mcs-AdmPwdExpirationTime -notlike "*"' | Select-Object DNSHostName
Filter on the expiration time rather than on ms-Mcs-AdmPwd: the password attribute is confidential, so for a caller without read rights it matches as absent on every computer and the "not installed" list would contain the whole domain.
LAPS - Password Retrieval
- To retrieve a computer's local admin password via PowerShell, from an assigned server or workstation, run as administrator:
Get-AdmPwdPassword -ComputerName "computername"
The output includes the password in cleartext together with its ExpirationTimestamp; treat the console and any transcript as sensitive.
Alternatively, the LAPS UI (fat client) can be used:
Note: For the LAPS UI, run AdmPwd.UI.exe located at C:\Program Files\LAPS\AdmPwd.UI.exe
LAPS - Password Resets
IMPORTANT: If an administrator manually resets a computer's local administrator password, either through PowerShell or a management tool, the new password will not be reflected in the computer object in Active Directory, and the value stored there will no longer work. You will need to wait for Group Policy to refresh, at which point the next scheduled reset occurs and the password once again complies with the password policy. To avoid waiting out the full password age, run Reset-AdmPwdPassword -ComputerName "computername" (requires reset rights on the OU); this marks the stored password as expired, and the client sets a new random password at its next Group Policy refresh or when gpupdate /force is run on the machine.
A local administrator password on a computer may need to be manually reset if it has been re-imaged and then re-joined to the domain. For example, if the password policy is set to randomize every 30 days, that machine has its local admin password set to whatever the imaging process assigned it, and Active Directory will still reflect an old, random password in the computer object until the next rotation. This Microsoft article explains how to accomplish LAPS and computer re-installs.
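A retrieve, use and rotate helper, as an added example that is not part of the original article. It covers both passages above: it fetches the password with Get-AdmPwdPassword, wraps it in a PSCredential so the cleartext is never echoed, runs a command on the machine, and then calls Reset-AdmPwdPassword in a finally block so that the password is rotated at the next Group Policy refresh whether or not the command succeeded. The same Reset-AdmPwdPassword call is what you use after a re-image. The computer name, the remote command and the account name are placeholders; it assumes WinRM is enabled on the target and that the caller has both read and reset rights on the OU.

```powershell
# Added example (not from the original article): one-off admin access with forced rotation.
Import-Module AdmPwd.PS

function Invoke-WithLapsAdmin {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [string] $AdminAccount = 'Administrator'   # assumption: the account LAPS manages on the target
    )

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) {
        throw "No LAPS password readable for $ComputerName (not managed yet, or caller lacks read rights)."
    }

    # Wrap the cleartext in a PSCredential so it is not written to the console or a transcript.
    $secure = ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ("$ComputerName\$AdminAccount", $secure)

    try {
        # Local-account authentication over WinRM: prefix the user name with the computer name.
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock
    }
    finally {
        # Expire the stored password now, whether or not the command succeeded. The LAPS client
        # sets a new random password at its next Group Policy refresh (or right away if the
        # remote command ran gpupdate). Requires reset rights on the OU.
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date) | Out-Null
        Write-Verbose "LAPS password for $ComputerName marked expired at $(Get-Date -Format o)."
    }
}

# Usage (placeholder computer name): running gpupdate on the target also triggers the rotation
# immediately, so the password just used stops working as soon as the session ends.
Invoke-WithLapsAdmin -ComputerName 'WKS-0123' -ScriptBlock { gpupdate /target:computer /force }
```

The built-in Administrator account is exempt from remote UAC token filtering, so it works over WinRM as-is; if you manage a custom account via "Name of administrator account to manage", remote admin access with it additionally requires the LocalAccountTokenFilterPolicy setting on the target.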
LAPS and VDI
To understand LAPS functionality in virtual desktop infrastructure environments: