Campus Active Directory - Configuring Windows Local Administrator Password Solution (LAPS)

This article outlines the process to set up Windows Local Administrator Password Solution (LAPS) within the Campus Active Directory Environment for a department’s specific organizational unit (OU).

Windows LAPS was released on April 11th, 2023 as a direct successor to Microsoft LAPS. New features include:

Password Backup to Active Directory
Encrypted passwords in Active Directory
Password history
Added LAPS Tab in Active Directory Users and Computers
For more information on the benefits of Windows LAPS: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

Supported Operating Systems

Windows Server 2019 and above with the April 11, 2023 Updates.
Windows 10 versions 22h2 and 21h2 with the April 11, 2023 Updates.
Windows 11 versions 22h2 and 21h2 with April 11, 2023 Updates.

Instructions:

Step 1: Extend Schema

For Campus Active Directory (ad.wisc.edu) the schema has already been extended. However, if you are not a part of Campus Active Directory but wish to set up Windows LAPS, run the following command as a Schema Admin in an elevated PowerShell Prompt to extend the schema:

Update-LapsADSchema

To check if your schema has been extended properly, open Active Directory Users and Computers and check the properties of a Computer Object. The LAPS tab should be available now.

For more information on LAPS Schema Attributes: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference

Step 2: Set Computer Self Permissions

Computer objects do not automatically have permission to set their own Local Administrator Password. This permission needs to be set using an OU account that is a part of the OU Owners group of your department’s OU. Run the following command with an –ou account in an elevated PowerShell Prompt to give computer objects the ability password reset self-permissions:

NOTE: Use the distinguished name as the requirement for the “-identity” flag. If you want to give Computers and Servers OU’s self-permission, this command will need to be run twice. This permission is not inherited.

Set-LapsADComputerSelfPermission -Identity “OU=Computers,OU=Deptartment,DC=AD,DC=wisc,DC=edu”

For more information on this command: https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadcomputerselfpermission?view=windowsserver2022-ps

Step 3: Configure Group Policy

To configure your LAPS settings, open Group Policy Management Editor as your OU account. Create a group policy under your specific OU and edit the policy. Navigate to:

Computer Configuration >> Windows Settings >> Administrative Templates >> System >> LAPS.

There you will see the group policy settings for Windows LAPS. Here are some suggested settings.

Configure Password Backup Directory: Enable this setting and set it to Active Directory
Enable Password Encryption: Enabled
Do not allow password expiration time longer than required by policy: Enabled
Name of administrator account to manage: Enable this and put the administrator username of your choosing. Be sure that this local user is on every computer in the OU. By default this is set to just Administrator.
Configure authorized password decryptors: This policy sets the group or users who will be allowed to view passwords in ADUC. Enable this and provide the user or group of your choosing.
Password Settings: Enable this and set the desired password length, password age and the complexity. We suggest using large letters, small letters, numbers and special characters.
Configure Size of encrypted password history: Purely optional and up to the specific Departmental IT to decide.
Enable Password Backup for DSRM Accounts: Purely optional and up to the specific Departmental IT to decide.
Post-Authentication Actions: This policy defines what happens after an authorized login after a specific grace period. Our recommendation would be to set this to a timeframe predetermined by your departmental IT Team and have it reset the password after the allotted time.

NOTE: If you have defined a different local Administrator other than the "Administrator" account, make sure that this account has been created locally on every machine LAPS GPO's are going to be applied to. LAPS will not be able to apply a randomly generated password to an account that does not exist.

For more information on the LAPS Group Policy Settings: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings

Step 4: LAPS AD Read and Write Password Permission

In step three we set the Authorized Decryptors in the LAPS Group Policy. That group or user will need read and write permissions to the attributes for Windows LAPS to read or write passwords to the local Administrator account. To accomplish this, use the following command under your OU account to grant read permission to your specific OU:

NOTE: Please use the distinguished name of the OU you are applying LAPS Group Policies and Computer Self Password reset Permissions to. Please use the name of the group or the user you intend to give this permission to under the AllowedPrincipal flag. Also note that these permissions dare not inherited and these commands will need to be run on individual OU’s that contain computer objects.

Set-LapsADReadPasswordPermission -identity “OU=Computers,OU=DepartmentOU,DC=ad,DC=wisc,DC=edu” -AllowedPrincipals Yourgroup@ad.wisc.edu

For more information on this command: https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps

Use the following command to grant write permission to the local Administrator Password:

Set-LapsADResetPasswordPermission -identity “OU=Computers,OU=DepartmentOU,DC=ad,DC=wisc,DC=edu” -AllowedPrincipals groupname@ad.wisc.edu

For more information on this command: https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps

Step 5: Pulling policies down to local machine

The local computers themselves need to have these policies pulled down on them in order to set the local Administrator password. This can be accomplished by running gpudate /force in an elevated command prompt or run the LAPS cmdlet Invoke-LapsPolicyProcessing in an elevated Powershell Prompt. You may need to reboot the computer after the policies have been applied.

For more info on Invoke-LapsPolicyProcessing: https://learn.microsoft.com/en-us/powershell/module/laps/invoke-lapspolicyprocessing?view=windowsserver2022-ps

Step 6: Testing

Open Active Directory Users and Computers as a user from the designated group in your group policy. Find a computer object from your OU and open its properties. This user should be able to view the password and the account associated with that password. If you granted the password reset permission to your group, then this user should be able to set the expiration date from this tab as well. If all looks well, then Windows LAPS has been successfully set up.

Other useful commands to try:
Set-LapsADPasswordExpirationTime
https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadpasswordexpirationtime?view=windowsserver2022-ps

Set-LapsADAuditing
https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadauditing?view=windowsserver2022-ps

Keywords	Windows LAPS, LAPS, Local Administrator Password Solution Suggest keywords	Doc ID	135170
Owner	Richie M.	Group	Identity and Access Management
Created	2024-01-31 15:50:27	Updated	2024-03-15 12:10:46
Sites	Identity and Access Management
Feedback	0 0 Comment Suggest a new document