Topics Map > Active Directory

Campus Active Directory - Configuring Legacy Local Administrator Password Solution (LAPS)

This document provides a detailed outline of how to configure and deploy the Local Administrator Password Solution (LAPS).

WARNING

The legacy Microsoft LAPS Product is deprecated as of Windows 11 23 H2 and later. 

For older OS's before Windows 11 23 H2, Use Windows LAPS. To setup Windows LAPS, please view: https://kb.wisc.edu/135170

Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows until support ends for those versions. Please see the official Microsoft Warning from the Windows LAPS Overview Page. https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

NOTE: Deploying LAPS is not a requirement if you are managing local administrator account passwords for domain-joined computers and other devices through a different method.  

What is it

Utilizing an identical local administrator account password for every domain computer will increase vulnerability and may be easily exploited by an attack. Microsoft’s Local Administrator Password Solution LAPS) provides a way to securely manage these passwords.  Through group policy, LAPS is enabled to allow random password generation for domain-joined computers. AD administrators can set how often passwords are refreshed and which users (i.e. helpdesk staff) are authorized to view them.

Install and Setup LAPS

1. Download the LAPS.x64.msi file from Microsoft and install it on your domain controller.

   Download LAPS software - Official Microsoft Download Center 

2. Run the LAPS.x64 file. Follow the setup wizard and select both AdmPwd GPO Extension and Management Tools > Entire feature will be installed      on local hard drive under Custom Setup. 

Note: The management tools are meant to only be installed on administrative or authorized user machines, NOT on computer(s) that will be managed.

Add LAPS files to Central Group Policy Store

Copy both AdmPwd.admx and AdmPwd.adml files from the PolicyDefinitions folder to the Central Group Policy Store.  If a central store does not exist, it should be created first. This Microsoft article explains how.

AdmPwd.admx file-

Copy from C:\Windows\PolicyDefinitions\AdmPwd.admx  to \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions\

AdmPwd.adml file- 

Copy from C:\Windows\PolicyDefinitions\en-us\AdmPwd.adml  to \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions\en-us

Configure Active Directory for LAPS

1. From a designated computer server or workstation, run the PowerShell commands to configure LAPS and extend the AD schema:

    Note: These commands must be ran from an account that possesses schema admin level access

  • Import-module AdmPwd.PS
  • Update-AdmPwdADSchema

2. Grant permissions to computers in delegated OU the ability to update their local administrator  passwords.

Set-AdmPwdComputerSelfPermission -OrgUnit "distinguished name of organizational unit"

3. Next, check which groups currently have permissions to read the local administrator passwords. For each delegated OU that the Set-AdmPwdComputerSelfPermission command was applied run the Find-AdmPwdExtendedRights cmdlet: 

    NT AUTHORITY\SYSTEM, YOURDOMAIN\Domain Admins should return by default. 

4. Assign rights to user(s) or group(s) that will need access to read the local administrator passwords (i.e. help desk admins, server operators, etc.). It is recommended that permissions be appropriated through security groups:

Set-AdmPwdReadPasswordPermission -Identity "name of org unit" -AllowedPrincipals "security group name/user assigned rights"

5. Check permissions again to make sure that delegated group/user is added. You may need to format the layout to display a full view:

Find-AdmPwdExtendedRights -Identity "name of org unit" | Format-Table -AutoSize

Note: Be sure to remove the Schema Admins group from your account after carrying out these steps.

Administer LAPS  via Deployment Software or GPO

LAPS can generally be administered using endpoint management software solutions such as SSCM or BigFix. VMWare’s WorkspaceOne at this time cannot administer LAPS. If deployment software is not an option, enforcing LAPS via GPO is another deployment solution.  Below are the steps outlined to deploy via GPO:

  

  1. From the domain controller, open Group Policy Management and create a new GPO.  Give it an appropriate name.

 

  1. Edit the GPO, and navigate to Computer Configuration > Policies > Software Settings > Software Installation (right click) > New > Package to add the LAPS.x64 file

 

  1. Leave the Select deployment method as Assigned:

Screenshot of Deploy Software window

screenshot of LAPS software installation in policy settings

 

  1. Next, configure the LAPS settings. Navigate to Computer Configuration > Policies > Administrative Templates > LAPS. Configure settings as such:
  • DO Enable: Local admin password management - LAPS will not work if this setting is not enabled

 

  • DO Enable:  Password Settings - Complexity requirements: large letters small letters numbers special characters is recommended. See Microsoft’s password policy recommendations on age, length & complexity for best practices reference.

 

  • Optional: Do not allow password expiration time longer than required by policy - If enabled, group policy will restrict changing the password expiration time on a device longer than the age configured under Password Settings

 

  • Optional: Name of administrator account to manage - should only be enabled if an additional administrator account is created AND the built-in admin account is disabled. It does not need to be configured if using the built-in admin account.

 

  1. Be sure that the GPO Status is set to "Enabled"

 

  1. To check which computers have LAPS successfully deployed on them, run as administrator:

 

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' | select dnshostname,ms-mcs-admpwd

     

Additionally, to find computers where LAPS did not install, run:

 

Get-ADComputer -filter {ms-mcs-admpwd -notlike "*"} | select dnshostname

 

LAPS - Password Retrieval

  1. To retrieve a computer’s local admin password via powershell, from an assigned server or workstation, run as administrator:

 

Get-AdmPwdPassword -ComputerName "computername"

 

Example:

 screenshot of powershell running command

           

Alternatively, the LAPS UI or fat client can be used:

Screenshot of LAPS UI

Note: For LAPS UI run the admPwd.UI.exe located C:\ProgramFiles\LAPS\admPwd.UI.exe

 

LAPS - Password Resets

IMPORTANT: If an administrator manually resets a computer’s local administrator password, either through powershell or management tool, the new password will not be reflected in the computer object in Active Directory. You’ll need to wait for group policy to refresh  for the next password reset to occur & which complies with the password policy.

 

A local administrator password on a computer may need to be manually reset if it has been re-imaged and then re-joined to the domain. For example, if the password policy is set to randomize every 30 days, that machine has it’s local admin password set to whatever the imaging process assigned it and Active Directory will still reflect an old, random password in the computer object. This Microsoft article explains how to accomplish LAPS and computer re-installs.

 

LAPS and VDI

To understand LAPS functionality in virtual desktop infrastructure environments:

LAPS in Virtual Environments



Keywordsdeprecated   Doc ID118487
OwnerMST SupportGroupIdentity and Access Management
Created2022-05-10 16:48:58Updated2024-06-24 15:38:08
SitesIdentity and Access Management
Feedback  5   6