Purpose:
You wish to configure the Local Administrator Password Solution (LAPS) in your Active Directory environment.
Resolution:
Setting up LAPS is a relatively simple process. For additional information, Microsoft has some excellent documentation on setting up LAPS, which you can download here. There is also a webcast we did on this topic, which you can see here.
NOTE:
Kris Powell has written scripts to automate the PowerShell portion of this process, retrieve the local LAPS admin password, and reset a local LAPS admin password. They are attached at the end of this article. For more detailed usage of these scripts, please see the following webcast:
LAPS configuration is covered in the following sections:
Setting Up the Management Machine
Extending the Active Directory (AD) Schema and Setting up Rights
Group Policy Settings
MSI Deployment
Testing LAPS
Setup Notes:
- In this setup, the OU for LAPS-managed machines will be AA_Computers
- The security group that will have Read access for the LAPS passwords and Write access for the password expiration settings will be LAPSAdmins
-
The LAPS local user will be LAPSAdmin
- LAPSAdmin is a local user: the Remote UAC registry key may need to be added to all targets
Setting Up the Management Machine
1. Download the LAPS MSI files and documentation: https://www.microsoft.com/en-us/download/details.aspx?id=46899
2. Choose a management machine. This machine can be any domain-joined machine you will use (such as your workstation) to review the credentials of the LAPS account for a particular machine and modify the expiration time (if allowed by Group Policy). It is not recommended to use a DC as the management machine. You may have as many management machines as needed.
3. Install the MSI on the management machine with the following settings:
NOTE: The PowerShell module is optional, but recommended, as LAPS can be managed using PowerShell. For the remainder of this document, it is assumed you installed the PowerShell module and you are a domain administrator.
Extending the Active Directory (AD) Schema and Setting up Rights
4. Extend the schema of the Active Directory domain by running the following from PowerShell:
Load the module from AdmPwd.PS
Import-module AdmPwd.PS
Then update the schema with the following command:
Update-AdmPwdADSchema
Your results should look something like this:
IMPORTANT:
From Microsoft: "If you have an RODC installed in the environment and you need to replicate the value of the attribute ms-Mcs-AdmPwd to the RODC. You will need to change the 10th bit of the searchFlags attribute value for ms-Mcs-AdmPwd schema objet to 0 (substract 512 from the current value of the searchFlags attribute). For more information on Adding Attributes to or Removing attributes from the RODC Filtered Attribute Set, please refer to http://technet.microsoft.com/en-us/library/cc754794(v=WS.10).aspx."
You can use ADSI Edit to view the schema modifications:
5. Using the same PowerShell session (if you use a new session, remember to import the module using the Import-module AdmPwd.PS command), check the extended rights for users and groups in your Active Directory domain (users and groups with extended rights have the ability to read the LAPS password and other confidential attributes):
Find-AdmPwdExtendedrights -identity AA_Computers | Format-Table
Which looks like this for our lab domain:
NOTES:
- We are using the computer OU in this example since this is the OU that will be used for all LAPS-configured computers.
- In a default domain setup, Domain Admins are the only group with extended rights. Domain Admins should always have extended rights unless there is a specific and excellent reason otherwise.
- If a user does not have the rights to view the ms-Mcs-AdmPwd attribute, the attribute will appear in ADSI as <not set>.
- If you need to remove extended rights for a user or group, please see Microsoft's documentation on setting up LAPS.
6. Set the SELF built-in account on all machines to Write-level access to the LAPS password and expiration (again, using the OU of the computers that will be LAPS-configured):
Set-AdmPwdComputerSelfPermission -OrgUnit AA_Computers
NOTES:
- Repeat steps 5 and 6 for any additional OUs (not sub-OUs) that will contain LAPS-configured computers.
- Individual computers control both the password and the expiration date/time of the LAPS account password. Passwords are unique to each computer and the expiration time is set per computer based on the domain's Group Policy.
7. Now set user access rights, which is an extended right of the ms-Mcs-AdmPwd for all users that will be able to read the stored LAPS account password on computers in the OU in step 6.
Set-AdmPwdReadPasswordPermission -OrgUnit AA_Computers -AllowedPrincipals LAPSAdmins
NOTES:
- Reminder: in this document, AA_Computers is the computer objects OU and LAPSAdmins is the security group.
- You can add multiple users/groups to -AllowedPrincipals as a comma (no space) delimited list. For example: -AllowedPrincipals aalabs\jane,aalabs\SmartUsers,aalabs\ninjas
8. Set additional user access rights for ms-Mcs-AdmPwdExpirationTime for all users that will be able to write the stored LAPS account password on computers in the OU in step 6. This right allows users to force password resets for the LAPS account on managed computers, if allowed by Group Policy.
Set-AdmPwdResetPasswordPermission -OrgUnit AA_Computers -AllowedPrincipals LAPSAdmins
This concludes the user and AD extension setup portion.
9. On a machine that has AD GPMC access (gpmc.msc), run the LAPS MSI to install the GPO Editor templates. This will install the ADMX and ADML files for LAPS. No other features are required or recommended.
IMPORTANT:
- If you are using the Central Store to house your group policy objects (ADMX and ADML files), you will need to copy the admx and adml files from where the MSI installs those files in %systemroot%\PolicyDefinitions to your SYSVOL > Domain > Policies > PolicyDefinitions directory (adml files are placed in your language directory).
- In our testing, when using Restricted Groups in Group Policy for local administrator accounts, the LAPS administrator was not necessarily added when the MSI was deployed to local machines. You may need to either add the LAPS account in the Restricted Groups Group Policy or use Group Policy Preferences, e.g. Computer configuration > Preferences > Control Panel Settings > Local Users and Groups.
10. Once the GPO Editor templates have been installed, open GPMC, create a new Group Policy Object, edit that object, and navigate to Computer Configuration > Administrative Templates > LAPS.
11. Define the password settings for managed computers:
12. Configure the name of the LAPS-managed administrator account. Ensure this name is unique to the domain. In this example, it's LAPSAdmin:
IMPORTANT:
If this policy is not configured, LAPS will default to using the local built-in Administrator account. We recommend creating your own LAPS administrator account for a variety of reasons, one of which is that the default Administrator account is often disabled by default. Another reason is that a dedicated LAPS administrator account is easier to identify on the machine as existing (or not) and therefore open to accurate reporting within PDQ Inventory. Bad side-effects are also expected if using a LAPS account with the same name as an existing Domain Account since LAPS is a schema extension of the domain.
13. Enable LAPS. This turns on local admin password management.
14. Optional: Do not allow password expiration time longer than required by policy. This refers to step 11. If this is enabled, group policy will not allow LAPSAdmins to change the password expiration on a machine longer than allowed by the policy in step 11.
15. Apply the changes and link this to the AA_Computers OU.
16. Next, deploy the MSI to all managed computers using PDQ Deploy. Start by opening up PDQ Deploy and creating a New Package from either the ribbon or Ctrl+N.
17. Name the package something meaningful and add two Install Steps and one Command Step.
18. In the first install step, point to the x64 MSI installer file. Since we are not using the default Administrator account and instead using LAPSAdmin, we use CUSTOMADMINNAME=LAPSAdmin as the MSI Parameter. Change this to match your custom LAPS admin name.
Also set the Conditions to only deploy to x64 machines:
19. Repeat step 18 on the second install step for the x86 MSI, changing the MSI install file and Conditions to match the x86 architecture.
20. Finally, run gpupdate in the Command Step:
21. Save, Deploy, and enjoy!
22. Check a managed machine to ensure the LAPSAdmin account is a local administrator:
SUCCESS!
23. Now, login to the management machine (from step 2) using an account that is allowed to read the LAPS password and open the LAPS UI. Put in a computer name from the AA_Computers OU and click Search.
You have now successfully configured LAPS in your environment.
See Also:
Microsoft's LAPS Download: Local Administrator Password Solution (LAPS)
Article: LAPS Integration With PDQ Inventory And PDQ Deploy
Video: Configuring LAPS and PDQ
