Local Administrator Password Solution (LAPS) is Microsoft’s answer to a common management problem inside Windows Server domains: the never-expiring (and often forgotten) local administrator password.
There are innumerable methods out there for handling this problem, from third-party solutions that may come at a cost, to recording them in databases or worse, spreadsheets. Of course, there is also the set and forget option.
LAPS comes free from Microsoft. You can download it here. It utilises a Group Policy client-side extension (CSE) and Active Directory, and when implemented it automatically detects an expired local administrator password and sets a new one. If you’re concerned about not knowing what the password is, have no fear. LAPS stores the password inside Active Directory, on the computer object it belongs to.
If you want to give this a go, head on over to Microsoft and download the LAPS.x64.msi and LAPS.x86.msi.
First things first, run the LAPS.x64.msi (x86 if you still have a 32 bit server OS) on your domain controller. Click through until you get to the Custom Setup screen.
Select everything for installation and click through to finish.
Next we need to get the GPO extension installed on the workstations. How you do this is up to you. For the purposes of this post I simply ran msiexec /i <path to msi> /quiet on the workstation, but you can also deploy it via Group Policy Software Installation.
Once installed you should be able to see it under Programs and Features.
Configuring Active Directory
LAPS installs a PowerShell module AdmPwd.PS that allows us to update the schema and perform other operations as required.
First we need to extend the Active Directory schema.
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
If successful, you should see a result similar to this.
Next we need to give the computers permission to update their own AD computer objects with the new password. Simply replace <OU> to suit your environment.
Set-AdmPwdComputerSelfPermission -OrgUnit <OU>
If you haven’t changed the permissions on the OU previously, NT Authority\System and DOMAIN\Domain Admins should be the only accounts currently with extended rights. You can verify this with the following command.
(Find-AdmPwdExtendedRights -identity <OU>).extendedrightholders
Only those users/groups defined under ExtendedRightHolders will be able to view the passwords.
Depending on the size of your org, this may be sufficient. However, if you have separated duties and a dedicated Password Admins group, you may want to grant that group permission to view the current password. You can do that with the following command.
Set-AdmPwdReadPasswordPermission -identity <OU> -AllowedPrincipals <GROUP>
You should get a result like this.
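The permission steps above applied to several OUs in one pass, followed by an audit of who can actually read the passwords. This is an added example, not code from the original post; the OU distinguished names, the domain and the group name are placeholders to replace for your own environment, and the allow-list strings must match the DOMAIN\Name form the cmdlet reports.

```powershell
# Added example: delegate LAPS permissions on several OUs, then audit the right holders.
# OU DNs, domain and group name are placeholders (assumed), not values from the post.
Import-Module AdmPwd.PS

$OUs            = @('OU=Workstations,DC=corp,DC=example', 'OU=Servers,DC=corp,DC=example')
$PasswordAdmins = 'CORP\Password Admins'
# Principals expected to hold the extended right; anything else gets flagged for review.
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $PasswordAdmins)

foreach ($ou in $OUs) {
    # Let computers in the OU write their own ms-Mcs-AdmPwd and expiration attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
    # Let the delegated group read the stored password.
    Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $PasswordAdmins | Out-Null
}

# Audit: list every container under each OU that carries the extended right and flag
# holders not on the expected list. Rights inherited from above the OU are not shown here.
$report = foreach ($ou in $OUs) {
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        $holders = @($_.ExtendedRightHolders)
        [pscustomobject]@{
            ObjectDN   = $_.ObjectDN
            Holders    = ($holders -join '; ')
            Unexpected = (($holders | Where-Object { $ExpectedHolders -notcontains $_ }) -join '; ')
        }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Unexpected }) {
    Write-Warning 'Unexpected principals hold the LAPS read right; review the OU ACLs.'
}
```

Run it again after any OU delegation change, since anyone granted "All extended rights" on an OU can read every managed password beneath it.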
Creating the Password Policy
The final step in the process is to define the local administrator password policy. This is done in Group Policy under Computer Configuration -> Administrative Templates -> LAPS. There are four policies that can be defined.
- Password Settings – This is where you’ll set the complexity, length and number of days before expiring.
- Enable local administrator password management – This needs to be enabled for LAPS to work.
- Do not allow password expiration time longer than required… – Enabling this ensures that the password is reset as soon as it expires.
- Name of administrator account to manage – LAPS can only manage a single local administrator account per computer. If you leave this disabled, it will automatically manage the built-in Administrator account. If you use a custom administrator account whose name may change over time, you will need to create new GPOs to match.
Viewing the passwords
In the event that you need to access the managed account, you have a few options to retrieve the current password.
- PowerShell – Using the Get-AdmPwdPassword cmdlet:
Get-AdmPwdPassword -ComputerName <Computername>
- ADUC or the newer Active Directory Administrative Center, under Attribute Editor in the computer’s properties. The password is listed as ms-Mcs-AdmPwd.
- LAPS UI – Installed as part of LAPS
That’s all there is. As a no-cost solution, this is a great way of managing local admin passwords, and much more reliable than updating spreadsheets and databases.