
In this blog post, I am going to walk you through how to Install, Configure and use Microsoft LAPS. But first, let’s explain what Microsoft LAPS is.

Local Administrator Password Solution (LAPS) is a solution provided by Microsoft to manage the local administrator account password on domain-joined computers and servers. Microsoft LAPS extends the Active Directory schema to store a unique password for each LAPS-managed client. The password is stored in the Active Directory attribute ms-Mcs-AdmPwd. By default, domain administrators can read this attribute to get the password of the local administrator account. With the help of some PowerShell we can configure delegation to allow other groups or users to view and reset it. LAPS changes the local administrator password periodically based on a schedule you set in Group Policy.

So now we know what Microsoft LAPS is, let’s install it.

Installing Microsoft LAPS

Run the x64 version of the installer

Click Next

Accept the terms of the license agreement and click Next

Click Management Tools and then select Entire feature will be installed on local hard drive

You should now see the below screen. Click Next

Click Install

Click Finish

You have now installed Microsoft LAPS

Configuring Microsoft LAPS

To update the Schema

First, we need to update the schema. Open an elevated PowerShell window as an account that is a member of the Schema Admins AD group and type:

Import-Module AdmPwd.Ps
Update-AdmPwdADSchema

To check that the schema has been updated, open Active Directory Users and Computers, navigate to a computer object and open the Attribute Editor tab. You should see the new ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, as below:

User and Group Permissions

To check which users have permission to view the LAPS password, open PowerShell with elevated permissions and type:

# Changing the -Identity to the OU name you want to check against.
Import-Module AdmPwd.Ps
Find-AdmPwdExtendedRights -Identity "Computers"

As you can see, only the default Domain Admins group currently has the permission.

To give a group or user permission to view the LAPS password, type the following in an elevated PowerShell window:

# Changing the -Identity to the OU name you want to allow the "Help Desk" group the permission to view the LAPS password
Import-Module AdmPwd.Ps
Set-AdmPwdReadPasswordPermission -Identity "Computers" -AllowedPrincipals "Help Desk"

To check that the permission has been applied, type:

# Changing the -Identity to the OU name you want to check against.
Find-AdmPwdExtendedRights -Identity "Computers" | FT objectDN, ExtendedRightHolders -autosize

Computer Permissions

Now we have to allow the computers themselves to update the new attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime in Active Directory.

To do this open PowerShell with elevated permissions and type:

# Changing the -Identity to the top level OU name you want to allow the permission to. This action is recursive.
Import-Module AdmPwd.Ps
Set-AdmPwdComputerSelfPermission -Identity "Computers"

Client Configuration

Note: LAPS uses GPO templates to configure the password policy. You need to have the LAPS GPO templates installed on a server that has GPMC.

Open GPMC

Navigate to the OU that you want LAPS to be enabled for.

Right-click the OU and click Create a GPO in this domain, and Link it here…

Name it something that matches your naming standards and click OK

Right-click the new policy and click Edit

Navigate to Computer Configuration > Administrative Templates > LAPS

Double click Password Settings

Edit the values to meet your requirements, but make sure you enable it.

Click OK

Now double click on Do not allow password expiration time longer than required by policy

Enable it and click OK

Now double click on Enable local admin password management

Enable it and click OK

Close Group Policy Management Console

Note: I recommend you use the built-in account, as it always has the same SID, so even if it gets renamed LAPS will still be able to manage it. Because of this we do not need to enable Name of administrator account to manage.

Client Install

One thing to note is that the LAPS client comes in 32 and 64-bit versions. Make sure you push out the correct version to match your operating system.

We now just need to install either the client or register the .dll on all the machines we want to manage. This can be done in a number of ways, such as GPO, SCCM or PowerShell. I will not go into detail here, but the method I prefer is to create an SCCM package that uses PowerShell to copy AdmPwd.dll over to the machines you want to manage.

The AdmPwd.dll is found in the LAPS\CSE folder under Program Files.
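As an added example (not the post's own SCCM package script), the following PowerShell copies AdmPwd.dll into the LAPS\CSE folder, registers it with regsvr32 and checks that the registration took. It assumes the architecture-matched DLL sits next to the script, an elevated session, and that the LAPS CSE is listed, like other Group Policy client-side extensions, under the Winlogon GPExtensions registry key.

```powershell
# Added example, not from the original post. Run elevated on the managed client.
# Assumption: the correct (32- or 64-bit) AdmPwd.dll has been staged next to this script.
$Source = Join-Path $PSScriptRoot 'AdmPwd.dll'
$Target = Join-Path $env:ProgramFiles 'LAPS\CSE'   # same folder the MSI installer uses

function Install-LapsCse {
    param([string]$SourceDll, [string]$TargetDir)
    if (-not (Test-Path $SourceDll)) { throw "Source DLL not found: $SourceDll" }
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
    Copy-Item -Path $SourceDll -Destination $TargetDir -Force
    $dll = Join-Path $TargetDir 'AdmPwd.dll'
    # regsvr32 registers the DLL as a Group Policy client-side extension; /s = no dialogs
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

function Test-LapsCseRegistered {
    # Assumption: the CSE registers under GPExtensions with DllName pointing at AdmPwd.dll.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    $hits = Get-ChildItem -Path $key | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).DllName -like '*AdmPwd.dll'
    }
    return [bool]$hits
}

Install-LapsCse -SourceDll $Source -TargetDir $Target
if (Test-LapsCseRegistered) {
    Write-Output 'LAPS CSE registered'
} else {
    throw 'LAPS CSE is not registered; check the regsvr32 step'
}

# Refresh computer policy so the CSE runs and sets the first managed password
gpupdate /target:computer /force
```

After the refresh, the computer's ms-Mcs-AdmPwdExpirationTime attribute should be populated in Active Directory.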

Once you have the client installed you can go on to test that everything is working as it should.

How to Use LAPS

There are 3 main ways to use Microsoft LAPS. I will go into detail on each below.

PowerShell

To view the current password

Open PowerShell and type:

# Changing -ComputerName to the computer you want to see the password for
Get-AdmPwdPassword -ComputerName PIXEl-W10-01

To reset the current password

First, we have to allow the group the permission to reset the password.

Open PowerShell and type:

# Changing the -Identity to the OU name you want to allow the "Help Desk" group the permission to reset the LAPS password
Set-AdmPwdResetPasswordPermission -Identity "Computers" -AllowedPrincipals "Help Desk"

Now to reset the password type:

# Changing -ComputerName to the computer you want to reset the password for.
Reset-AdmPwdPassword -ComputerName PIXEl-W10-01 -WhenEffective "06.09.2017 23:00"
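The delegation set up earlier and the expiration timestamp used by the reset command can both be audited from the defender's side. The following is an added example (not code from the post): it lists who holds the read-password right on the OUs below a search base, flags holders outside an approved list, and reports computers whose ms-Mcs-AdmPwdExpirationTime is missing or already in the past. The search base DN and the approved principals are assumed values to replace with your own; -Identity is passed a distinguished name here rather than the OU name used in the post.

```powershell
# Added example, not from the original post. Requires the AdmPwd.Ps and
# ActiveDirectory modules and an account allowed to run Find-AdmPwdExtendedRights.
Import-Module AdmPwd.Ps
Import-Module ActiveDirectory

# Assumed values: replace with your OU and the principals you expect to see.
$SearchBase = 'OU=Computers,DC=example,DC=local'
$Approved   = @('EXAMPLE\Domain Admins', 'EXAMPLE\Help Desk')

function Test-LapsReadDelegation {
    param([string]$Identity, [string[]]$ApprovedHolders)
    # ExtendedRightHolders lists principals in DOMAIN\Name form; compare case-insensitively.
    Find-AdmPwdExtendedRights -Identity $Identity | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            [pscustomobject]@{
                ObjectDN = $dn
                Holder   = $holder
                Approved = [bool]($ApprovedHolders | Where-Object { $_ -ieq $holder })
            }
        }
    }
}

function Get-LapsPasswordState {
    param([string]$SearchBase)
    $now = (Get-Date).ToUniversalTime()
    # The expiration time is a FILETIME stored as Int64 and is readable by default,
    # so this check does not need the password read permission.
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state   = if (-not $expires) { 'NotManaged' } elseif ($expires -lt $now) { 'Expired' } else { 'OK' }
            [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; State = $state }
        }
}

# An unexpected holder means a wider audience can read local admin passwords than intended.
Test-LapsReadDelegation -Identity $SearchBase -ApprovedHolders $Approved |
    Where-Object { -not $_.Approved } | Format-Table -AutoSize

# NotManaged = the CSE has never run on that computer; Expired = rotation is overdue.
Get-LapsPasswordState -SearchBase $SearchBase |
    Where-Object { $_.State -ne 'OK' } | Sort-Object State, Computer | Format-Table -AutoSize
```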

Active Directory

This is done the same way we checked the schema earlier in this post: open Active Directory Users and Computers, navigate to a computer object and open the Attribute Editor tab. This time the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes should be populated.

The LAPS Client

To view the current password

Open the LAPS client

Enter the Computer name you want the password for and then click Search

To reset the current password

In the LAPS client, change the New password expiration time and then click Set

There is an SCCM extension on the TechNet Gallery: https://gallery.technet.microsoft.com/LAPS-Extension-for-SCCM-e8bd35b1 I have not used it myself yet, but it does look like a nice, easy way to get and reset the LAPS passwords.

And that’s it, you have now installed Microsoft LAPS and tested that it works.

If you have any questions please leave a comment.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple of reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

18 Comments

Jamie · June 23, 2017 at 1:14 pm

Fantastic article! Thanks very much 🙂

Darren Harris · March 21, 2018 at 9:37 am

Bit late joining the party but now looking to implement this in a new company. Wanting confirmation really that following this guide would work if the local admin account has been renamed on multiple machines because it uses the SID?
Thanks

    Pixel Robots. · March 21, 2018 at 9:48 am

    Hello,

    Yes it uses the SID so you will be fine.

    Thanks

    Pixel Robots

Darren Harris · March 23, 2018 at 11:34 pm

Great, thanks for the confirmation and for the well written article.

Barry · October 9, 2018 at 3:14 pm

Please note the command is Set-AdmPwdComputerSelfPermission -Identity “Computers” not Set-AdmPwdComputersSelfPermission -Identity “Computers”. You have an extra “s” on AdmPwdComputerS

    Pixel Robots. · October 9, 2018 at 3:35 pm

    Thanks for that. I have fixed the code.

Ryan · November 26, 2018 at 10:55 am

Hi,

May I know whether the password “/u17w7s$@6p.Oz” is generated by the system or is admin input to the Attribute Editor in AD?

Ryan · November 26, 2018 at 11:26 am

Hi,

May I know whether the password “/u17w7s$@6p.Oz” is generated by the system, or whether the system admin needs to import it in the Attribute Editor in AD before the help desk gets it on the workstation?

    Pixel Robots. · November 26, 2018 at 12:31 pm

    Hello,

    The password is generated by the system.

    Thanks

    Richard

Fadi Hamdan · November 26, 2018 at 9:12 pm

Hi there,
When I edit the LAPS policy I can’t find its folder under Administrative Templates. Has anyone faced this issue?

Fadi Hamdan · November 26, 2018 at 9:15 pm

When I edit the LAPS policy, I can’t find its folder under Administrative Templates.

    Pixel Robots. · December 3, 2018 at 2:13 pm

    Are you accessing the GPO MMC on the same server you installed LAPS on?

    Also, if you are using a central store for Group Policy, copy the ADMX files to it too. Then you will be able to use any GPO MMC to edit the files.

Deivasigamani Duraisamy · January 9, 2019 at 10:05 am

If the password is listed in AD, then anyone can easily read it with the help of LDAP queries. Am I correct?

    Pixel Robots. · January 9, 2019 at 10:12 am

    I have not tested using an LDAP query, but as you set permissions on who can see the password anyone doing an LDAP query who does not have permission will not be able to see the password. I have opened Active Directory Users and computers with an account that does not have access to the password and it shows .

    Hope that helps.

    Richard

Ryan · March 4, 2019 at 3:20 am

Hi,

May I know whether Microsoft LAPS still functions if I change the workstation default administrator account to another name (e.g. WSadmin)?

Thanks

    Pixel Robots. · March 4, 2019 at 12:11 pm

    Hello,

    LAPS uses the SID of the account and not the name, so you are fine to change it to whatever you like.

    Thanks

    Richard

Ryan · April 2, 2019 at 5:57 am

Hi,

If I add a group “Help desk” to have permission to view the LAPS password,

may I know whether any log is recorded of which members of the “help desk” group get the local admin password?
