Managing Local Administrator Passwords with LAPS

Local Administrator Password Solution (LAPS) is Microsoft’s answer to a common management problem inside Windows Server domains: the never-expiring (and often forgotten) local administrator password, which is typically identical on every machine and so lets an attacker who recovers it on one host log on to all of them.

There are innumerable methods out there for handling this problem, from third-party solutions that may come at a cost, to recording them in databases or worse, spreadsheets. Of course, there is also the set and forget option.

LAPS comes free from Microsoft. You can download it here. It uses a Group Policy client-side extension (CSE) together with Active Directory: on each Group Policy refresh the CSE checks whether the managed local administrator password has expired and, if so, generates a new random one, sets it locally and writes it back to AD. If you’re concerned about not knowing what the password is, have no fear. LAPS stores the password in Active Directory on the computer object it belongs to (in the ms-Mcs-AdmPwd attribute, with the expiry in ms-Mcs-AdmPwdExpirationTime). The password is stored in clear text, so the ACL on that attribute is what protects it; the permission checks later in this post are the important part.

Getting started

If you want to give this a go, head on over to Microsoft and download the LAPS.x64.msi and LAPS.x86.msi.

Installing LAPS

First things first, run the LAPS.x64.msi (x86 if you still have a 32 bit server OS) on your domain controller. Click through until you get to the Custom Setup screen.

Installing LAPS 1

Select everything for installation and click through to finish.

Next we need to get the GPO extension installed on the workstations. How you do this is up to you. For the purposes of this post I simply ran MSIExec /i <path to msi> /quiet on the workstation, but you can also deploy it via Group Policy Software Installation or whatever software deployment tool you already use.

Once installed you should be able to see it under Programs and Features.

Installing LAPS 2

Configuring Active Directory

LAPS installs a PowerShell module, AdmPwd.PS, that lets us update the schema and perform the other operations below.

First we need to extend the Active Directory schema. This adds two attributes to the computer class, ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime (when the CSE should next change it). It only needs to be run once per forest, by a member of Schema Admins.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

If successful, you should see a result similar to this.

Configuring active directory 2

Next we need to give the computers permission to update their own AD accounts with the new password and expiry time. Simply replace <OU> with the name or distinguished name of the OU that contains the computers.

Set-AdmPwdComputerSelfPermission -OrgUnit <OU>

Configuring active directory 1

If you haven’t changed the permissions on the OU previously, NT Authority\System and DOMAIN\Domain Admins should be the only principals currently holding extended rights. This matters because anyone with "All extended rights" on the OU can read confidential attributes, including ms-Mcs-AdmPwd, for every computer beneath it. You can verify this with the following command, and anything unexpected in the output should be removed before passwords start landing in AD.

(Find-AdmPwdExtendedRights -identity <OU>).extendedrightholders

Verifying rights 1

Only those users/groups listed under ExtendedRightHolders will be able to view the passwords.

Depending on the size of your org, this may be sufficient. However, if you have separated duties with a dedicated Password Admins group (help desk, for example), you might want to give them permission to view the current password without making them Domain Admins. You can do that with the following command.

Set-AdmPwdReadPasswordPermission -identity <OU> -AllowedPrincipals <GROUP>

You should get a result like this.

Adding rights 1

Verifying Rights 2
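The AD-side steps above, pulled together into one script, as an added example that is not part of the original post. It also goes one step beyond the post: it delegates the reset right separately from the read right (Set-AdmPwdResetPasswordPermission), and it walks every OU under the target and flags any extended-rights holder not on an expected list, which is the check you want to repeat periodically rather than only at rollout. The OU path, domain name and group names are placeholders; run it on a DC with the LAPS management tools installed, as a Schema Admin for the schema step.

```powershell
# Added example (not from the original post): AD side of a LAPS rollout plus an
# audit of who can read the passwords. OU, domain and group names are assumed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$WorkstationOU  = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$PasswordAdmins = 'CORP\LAPS Password Readers'            # assumed group
$ResetAdmins    = 'CORP\LAPS Password Resetters'          # assumed group

# 1. Extend the schema once per forest (adds ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime to the computer class). Needs Schema Admins.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiry time.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Delegate read and reset to separate groups (least privilege: most people
#    who need to force a rotation never need to see the password).
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $PasswordAdmins
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $ResetAdmins

# 4. Audit: "All extended rights" on a container grants read of confidential
#    attributes (the password) for every computer under it, so walk every OU
#    under the target and flag holders that are not on the expected list.
$Expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $PasswordAdmins)

$Findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $WorkstationOU) {
    $holders = (Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName).ExtendedRightHolders
    foreach ($h in $holders) {
        if ($Expected -notcontains $h) {
            [pscustomobject]@{ OU = $ou.DistinguishedName; UnexpectedHolder = $h }
        }
    }
}

if ($Findings) {
    Write-Warning 'Principals with password read access that are not on the expected list:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected extended-rights holders under $WorkstationOU"
}
```

Anything the audit reports has usually arrived through a broad delegation made for some other purpose (a help desk group given "Full control" on the OU, for instance). Remove the extended right from the OU ACL, or move the computers, rather than accepting it; the point of LAPS is lost if that group can read every password anyway.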

Creating the Password Policy

The final step in the process is to define the local administrator password policy. This is done in Group Policy under Computer Configuration -> Administrative Templates -> LAPS. Link the GPO to the OU containing the workstations and servers you want managed, not to the Domain Controllers OU: on a DC the built-in Administrator is the domain account. There are 4 policies that can be defined.

  • Password Settings – This is where you’ll set the complexity, length and number of days before the password expires.
  • Enable local administrator password management – This needs to be enabled for LAPS to do anything; the other settings are ignored without it.
  • Do not allow password expiration time longer than required… – Enabling this stops anyone from pushing a computer’s expiration time past the maximum age set in Password Settings. If the CSE finds a longer expiry, it changes the password immediately and resets the expiry according to the policy.
  • Name of administrator account to manage – LAPS can only manage a single local administrator account per computer. If you leave it disabled, it automatically manages the built-in Administrator account, which it finds by its well-known SID even if the account has been renamed, so don’t set this policy for the built-in account. If you use a custom administrator account whose name may change over time, you will need to create new GPOs to match.

LAPS Group Policies
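The same four policies created from PowerShell, as an added example that is not from the original post. The ADMX template writes these settings as registry values under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, which is also what the CSE reads on the client, so the script creates and links the GPO with the GroupPolicy module and then includes a function you can run on a workstation after gpupdate /force to confirm the settings actually arrived. GPO name and OU path are assumptions.

```powershell
# Added example (not from the original post): build the LAPS GPO with the
# GroupPolicy module (DC or RSAT) and verify it on a client. Names are assumed.
Import-Module GroupPolicy

$GpoName  = 'LAPS - Workstations'                     # assumed GPO name
$TargetOU = 'OU=Workstations,DC=corp,DC=example'      # assumed OU
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Values the LAPS ADMX template writes. Complexity 4 = upper, lower, digits,
# specials. AdminAccountName is deliberately not set: the built-in
# Administrator is located by its well-known SID, renamed or not.
$settings = @{
    AdmPwdEnabled                  = 1    # Enable local admin password management
    PasswordComplexity             = 4
    PasswordLength                 = 20   # template default is 14; longer is free
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # Do not allow expiration longer than policy
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Link to the workstation OU only; never to Domain Controllers.
try {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Host "Link to $TargetOU already exists or could not be created: $_"
}

# --- Client-side check: run on a workstation after gpupdate /force ---
function Test-LapsPolicyApplied {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                          -ErrorAction SilentlyContinue
    if (-not $p -or $p.AdmPwdEnabled -ne 1)        { return 'LAPS not enabled by policy' }
    if ($p.PasswordLength -lt 14)                  { return "Password length $($p.PasswordLength) is below 14" }
    if ($p.PwdExpirationProtectionEnabled -ne 1)   { return 'Expiration protection is off' }
    if ($p.PSObject.Properties['AdminAccountName']) { return "Managing custom account $($p.AdminAccountName), not the built-in one" }
    return 'OK'
}
Test-LapsPolicyApplied
```

A return of anything other than OK from Test-LapsPolicyApplied means the CSE will either do nothing (policy not enabled) or manage a weaker password than you intended, and is worth checking before assuming a machine is covered.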

Viewing the passwords

In the event that you need to access the managed account, you have a few options to retrieve the current password.

  1. PowerShell – Using the Get-AdmPwdPassword cmdlet

Get-AdmPwdPassword -ComputerName <Computername>

Viewing LAPS password 1

  2. ADUC or the new Active Directory Administrative Center, under Attribute Editor in the computer’s properties. The password is listed as ms-Mcs-AdmPwd.

Viewing LAPS password 2

  3. LAPS UI – Installed as part of LAPS

Viewing LAPS password 3
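Retrieving a password is the easy part; the habit worth building is to rotate it once the person who read it is done with it. The following is an added example, not code from the original post: it wraps Get-AdmPwdPassword so the password is read, used for one remote task as a PSCredential, and then immediately expired with Reset-AdmPwdPassword so the CSE generates a fresh one at the next Group Policy refresh. It also shows reading the raw attributes with Get-ADComputer, which is what ADUC’s Attribute Editor displays. The computer name is a placeholder, and the caller needs both read and reset delegation on the OU.

```powershell
# Added example (not from the original post): read, use, then rotate a LAPS
# password. Computer and account names are assumed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Use-LapsPassword {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $Action,       # runs on the target with the LAPS credential
        [string] $AccountName = 'Administrator'            # assumed: the built-in account is managed
    )
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) { throw "No LAPS password stored for $ComputerName" }

    # The expiry in AD is a FILETIME (large integer) in ms-Mcs-AdmPwdExpirationTime.
    $c = Get-ADComputer $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $expires = [datetime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    Write-Host "Password for $ComputerName currently expires $expires"

    $secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$ComputerName\$AccountName", $secure)
    try {
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $Action
    } finally {
        # Expire now regardless of outcome: the CSE changes the password at its
        # next Group Policy refresh, so the value we just read stops being useful.
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
        Write-Host "Expiration for $ComputerName set to now; next GP refresh rotates it"
    }
}

# Usage: one-off task on a single machine with its LAPS-managed account.
Use-LapsPassword -ComputerName 'WKS001' -Action { net localgroup Administrators }

# Read-only look at the raw attributes (what Attribute Editor shows), no rotation.
Get-ADComputer 'WKS001' -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
    Select-Object Name, ms-Mcs-AdmPwd,
        @{ n = 'Expires'; e = { [datetime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }
```

Reset-AdmPwdPassword only writes the expiration time; the actual change happens on the client at its next policy refresh, so the old password remains valid until then (up to the refresh interval, or immediately after a gpupdate /force on the target).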

That’s all there is. As a no-cost solution, this is a great way of managing local admin passwords, and much more reliable than updating spreadsheets and databases. Just remember that the password lives in AD in clear text, protected only by the ACL on the computer object, so keep an eye on who holds extended rights on those OUs and treat reads of ms-Mcs-AdmPwd as something worth auditing.

2 thoughts on “Managing Local Administrator Passwords with LAPS”

  1. I believe this is one of the most vital pieces of info for me.

    And I’m satisfied reading your article. However, I want to comment on some general things: the website style is wonderful, the articles are
    actually nice :D. Good activity, cheers

