Local Administrator Password Solution (LAPS)

The LAPS solution from Microsoft has been around for about 6 years now. But I keep running into customers who, on the one hand, have never heard of it and, on the other hand, have no alternative in place.

But back to the beginning. What is LAPS?

LAPS is a charmingly simple solution that changes the passwords of the local administrator accounts on your systems at regular intervals.

  • Very simple solution that extends the Active Directory schema and stores the current password and its expiration time directly on the computer object
  • The password attribute is only readable by defined groups.
  • The solution is at NO COST! Yes. It’s free.

So, if you have no solution in place that changes the local administrator passwords at regular intervals – INSTALL IT NOW.

Installation

Download the bits directly from Microsoft: LINK

The download contains 6 files:

  • LAPS.x86.msi (ADMX Templates, PowerShell Module, Admin Client UI and GPO Client Side Extensions for x86 OS)
  • LAPS.x64.msi (ADMX Templates, PowerShell Module, Admin Client UI and GPO Client Side Extensions for x64 OS)
  • LAPS.ARM64.msi (ADMX Templates, PowerShell Module, Admin Client UI and GPO Client Side Extensions for ARM64 OS)
  • LAPS_TechnicalSpecification.docx
  • LAPS_OperationGuide.docx
  • LAPS_Datasheet.docx

Install Client to get GPO Templates and PowerShell Module

When you have installed the LAPS MSI package you’ll find the ADMX and ADML files under C:\Windows\PolicyDefinitions

Copy AdmPwd.admx and AdmPwd.adml (in the en-US folder) to your Central Policy Store (\\my.dom\SYSVOL\my.dom\policies\PolicyDefinitions)

Extend Active Directory Schema

As described in the introduction, LAPS needs two additional schema attributes on the computer schema class.

  • ms-Mcs-AdmPwdExpirationTime
  • ms-Mcs-AdmPwd

Both attributes can be added with the PowerShell module provided by Microsoft.

Please start an administrative PowerShell and execute the following command

Give SELF write permissions on the attributes

So that the computer can write to the attributes in Active Directory, SELF permissions must be assigned accordingly.

This can also be done with PowerShell.

Please execute the following command:

Set-AdmPwdComputerSelfPermission -OrgUnit "DC=my,DC=dom"

DC=my,DC=dom must of course be replaced with the distinguished name of the desired OU. I normally use the DN of the domain.

Optional: Enable Auditing

You can activate auditing so that you get an event log entry whenever someone reads an administrator password.

Set-AdmPwdAuditing -OrgUnit "dc=my,dc=domain" -AuditedPrincipals "Admin Users" -AuditType Success,Failure
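The three preparation steps above (schema extension, SELF write permission, auditing) as one runnable script, with the checks I would add before trusting the deployment: it confirms that both schema attributes exist, grants the read and reset rights only to a dedicated group, and finally lists every principal holding extended rights on the OU so that nobody can read passwords unnoticed. This is an added example, not code from the original post or from Microsoft; it uses the AdmPwd.PS cmdlets and the RSAT ActiveDirectory module, and the OU "OU=Workstations,DC=my,DC=dom" and the group "LAPS Readers" are placeholders for your own values.

```powershell
# Added example (not from the original post): extend the schema, grant SELF
# write access, restrict read/reset rights, enable auditing, then verify.
# Assumptions: AdmPwd.PS and the RSAT ActiveDirectory module are installed;
# the OU and group names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou          = "OU=Workstations,DC=my,DC=dom"   # placeholder OU
$readerGroup = "LAPS Readers"                   # placeholder group

# 1. Extend the schema (once per forest; requires Schema Admins membership).
Update-AdmPwdADSchema

# Verify that both attributes are now present in the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime") {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)"
    if (-not $obj) { throw "Schema attribute $attr is missing" }
}

# 2. Let computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Only the designated group may read or force a reset of the passwords.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup

# 4. Log successful and failed reads of the password attribute.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals $readerGroup -AuditType Success,Failure

# 5. Review who holds extended rights on the OU. Any holder other than the
#    built-in admin groups and $readerGroup should be investigated, because
#    "All extended rights" includes reading the plaintext password.
Find-AdmPwdExtendedRights -Identity $ou | Format-List ObjectDN, ExtendedRightHolders
```

Run it once as a schema admin after the MSI has been installed on a management workstation; the final listing is also worth repeating periodically, since permissions granted on parent containers are inherited by the OU and show up there.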

Install Group Policy Extensions on Clients

If you have no software distribution solution, the simplest way to install the MSI package on clients is by GPO.

You can either create one policy and add both the x86 and x64 MSI packages or you can create two installation policies and separate them.

When you use one Policy for both installation methods, please note that you have to set “Make this 32-bit X86 application available to Win64 machines” in the x86 software installation job.

If you make two GPOs you have to distinguish between x64 and x86. WMI filters are your friend here.

So create two WMI filters and assign them to the appropriate GPO.

You can also install the client via command line:

msiexec /i LAPS.x64.msi /quiet

Another option is to manually register AdmPwd.dll on the clients to add the client-side extensions:

regsvr32.exe AdmPwd.dll

Configure LAPS settings

To configure the password change interval or complexity, use the following GPO settings

Administration

If you have installed the GPO extensions and configured the policies accordingly, the local administrator passwords on the target systems of the GPO should be changed soon.

You can check this by opening the LAPS UI and looking up a computer.

If the password is displayed, it has already been changed. If not, it either takes a while (GPO refresh interval) or the GPO extension has not been installed.

You can see the current password and you also have the option to manually set a new expiration time.

Another way to retrieve the current password is by PowerShell:

Get-AdmPwdPassword -Computername <Computername>

It’s also possible to set the expiry time by PowerShell:

Reset-AdmPwdPassword -ComputerName <Computername> -WhenEffective <DateTime>
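Checking one computer at a time in the UI does not scale, so here is the report I use to answer the question from above (has the password been changed yet, or is the extension missing?) for a whole OU. It reads ms-Mcs-AdmPwdExpirationTime directly, which does not require the right to read the password itself: an empty attribute means the client has never written a password, an expiration far in the past means the client is not running the extension or has been offline. This is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module, and "OU=Workstations,DC=my,DC=dom" is a placeholder for your own OU.

```powershell
# Added example (not from the original post): LAPS coverage report for an OU,
# based only on ms-Mcs-AdmPwdExpirationTime (no password read needed).
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [datetime] $Now = (Get-Date)
    )

    Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties "ms-Mcs-AdmPwdExpirationTime" |
    ForEach-Object {
        # The attribute is stored as a Windows FILETIME (Int64), or is absent.
        $raw = $_."ms-Mcs-AdmPwdExpirationTime"
        if ($null -eq $raw) {
            $state   = "NotManaged"   # client never wrote a password
            $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # A short overrun is normal (next GPO refresh rotates the password);
            # a long one points to a missing extension or an offline machine.
            $state = if ($expires -lt $Now.ToUniversalTime()) { "Expired" } else { "Current" }
        }
        [pscustomobject]@{
            ComputerName = $_.Name
            State        = $state
            ExpiresUtc   = $expires
        }
    }
}

# Usage: summarize the OU and list the machines that need attention.
$report = Get-LapsCoverageReport -SearchBase "OU=Workstations,DC=my,DC=dom"
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne "Current" | Sort-Object State, ComputerName | Format-Table -AutoSize
```

Any account that can read computer objects can run this, so it is a safe check to hand to a helpdesk team; only the password attribute itself is restricted by the permissions set up during installation.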

Conclusion

If you have no local administrator password change solution in place – start using this one!

External Links