SID-500

Active Directory: Installing and Configuring Local Administrator Password Solution (LAPS)

This step-by-step guide demonstrates the integration of LAPS into an Active Directory environment. The passwords of Active Directory users are stored centrally on all domain controllers. But what about the local administrator account of each computer? Many organizations use the same local administrator password on every machine, which is a security nightmare: one recovered password opens all of them. LAPS stores a unique local administrator password for each computer in Active Directory and rotates it regularly.

Downloading the LAPS Installer

LAPS should be installed on a management server (in my case, a Windows Server 2016 domain controller). First, we have to download the LAPS Installer: https://www.microsoft.com/en-us/download/details.aspx?id=46899

Installing LAPS on the Management Server

During setup, it’s important to select all features, otherwise only the client-side extensions (which are also required for the clients) will be installed.

Modifying the Active Directory Schema

Two attributes must be added to the computer objects:

  • msMcsAdmPwd
  • msMcsAdmPwdExpirationTime

Both attributes are created with the LAPS PowerShell cmdlets. The account you use must be a member of the Active Directory Schema Admins group. Open Windows PowerShell and run

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

Configuring Permissions

Domain computers must have write permissions to renew the password of the local administrator. In my case, I grant access for all computers of the organizational unit “Workstations”.

Set-AdmPwdComputerSelfPermission -Identity Workstations

Now we have to configure group permissions. All members of the group you specify will be able to read the local administrator password of every computer in the OU. I grant the "read password" permission to the Domain Admins group. Use the group name exactly as it appears in your domain (for example "Domain Admins" on an English-language domain).

Set-AdmPwdReadPasswordPermission -OrgUnit Workstations -AllowedPrincipals "Domain-Admins"

Next we configure the right to reset the password of the local administrator account. As before, I allow it for all Domain Admins.

Set-AdmPwdResetPasswordPermission -OrgUnit Workstations -AllowedPrincipals "Domain-Admins"
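The AD-side setup from the three sections above as one script, with a check of who can actually read the stored passwords afterwards. This is an added example, not code from the original post; it assumes the OU is named "Workstations", the reader group is "Domain Admins" (spelled as in your domain), the AdmPwd.PS and ActiveDirectory modules are installed, and the account has Schema Admins rights.

```powershell
# Added example (not from the original post): AD-side LAPS setup for one OU,
# followed by an audit of every principal that can read the password attribute.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou          = 'Workstations'     # assumption: OU name, adjust to your environment
$readerGroup = 'Domain Admins'    # assumption: group name as shown in your domain

# 1. Extend the schema. Re-running it on an already extended schema does no harm.
Update-AdmPwdADSchema | Out-Null

# Verify that both attributes (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime)
# really exist before handing out permissions on them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = @(Get-ADObject -SearchBase $schemaNC -Filter 'lDAPDisplayName -like "ms-Mcs-AdmPwd*"' |
           Select-Object -ExpandProperty lDAPDisplayName)
if ($attrs.Count -ne 2) { throw "Schema extension incomplete, found: $($attrs -join ', ')" }

# 2. Each computer may write its own password and expiration time (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

# 3. Only the reader group may read the password or force a reset.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup | Out-Null

# 4. Audit: any principal holding "All extended rights" on the OU or on a computer
# below it can read ms-Mcs-AdmPwd as well, whether you granted that today or it was
# delegated long ago. Anything not listed in $expected should have that right
# removed (Active Directory Users and Computers, Advanced security), then re-run.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', "$netbios\$readerGroup")
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers | ForEach-Object {
    $dn = $_.ObjectDN
    $_.ExtendedRightHolders | Where-Object { $_ -notin $expected } | ForEach-Object {
        Write-Warning "$dn : unexpected password reader '$_'"
    }
}
```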

Installing LAPS on the Client Computers manually

In order to use LAPS, the AdmPwd GPO client-side extension must be installed on all client computers. This can be done either manually or via GPO. In my case, I run the same installer manually on a Windows 10 system. All you need to select there is the client-side extension; the management tools are not required on clients.

Installing LAPS on the Client Computers by using Group Policy Software Installation (Bulk)

Well, it's tedious to install LAPS on hundreds or thousands of computers manually. In a production environment you can install the software by using group policy. This takes some time. Are you ready? 😉

Create a shared folder

First, we have to create a shared folder and put the installation files in it. All we need is PowerShell and the installation package. To create the folder on the management server, open Windows PowerShell and run

New-Item -Itemtype Directory -Name LAPS -Path C:\

Once the folder is created, activate sharing.

New-SmbShare -Name LAPS -Path C:\LAPS\

Now copy the installation package into the folder.

Configure a GPO for Software Installation

On a domain controller, open the Group Policy Management Console (gpmc.msc). Create a new GPO by following my screenshots.

Provide a name for the GPO.

Click on Edit.

Navigate to Computer Configuration – Policies – Software Settings. Right click Software Installation and select New – Package.

Pay attention to the path: you must enter the UNC path of the shared folder created earlier, because the clients will fetch the package from there. Do not browse the local file system to find the package. Type the path manually in the form \\ServerName\SharedFolderName\LAPS.x64.msi and click Open.

Next, select Assigned.

Review your work.

Finally, link the GPO to an organizational unit. Make sure that you link it to the OU that contains your client computers.

For testing, run gpupdate /force on one of your client computers. Then restart the computer. After restarting check Programs and Features.

Let's move on to the final steps.

Enabling LAPS on all Client Computers

The last step is to create a GPO for LAPS. On a domain controller, open the Group Policy Management Console (gpmc.msc) and create a new GPO named LAPS. Open the GPO and navigate to Computer Configuration – Policies – Administrative Templates – LAPS. Enable "Enable local admin password management".

Then link the GPO to the Organizational Unit.

Run gpupdate /force on all client computers. You can do this remotely; see my post "PowerShell: Force gpupdate on all Domain Computers".

Showing Local Administrator Passwords

On the management server open LAPS.

Enter the computer name of one of your clients.

As an alternative, open Windows PowerShell and run

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName ComputerName | Format-List
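Beyond reading a single password, the expiration attribute lets you check the whole OU for computers on which LAPS is not actually working. This is an added example, not code from the original post; it assumes a placeholder OU DN, the AdmPwd.PS and ActiveDirectory modules, and an account that holds the read-password permission granted earlier.

```powershell
# Added example (not from the original post): read one client's password, then
# audit the OU for computers that never got a LAPS password or whose password
# has expired (the client has not rotated it, so the CSE is not running there).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ouDN = 'OU=Workstations,DC=example,DC=local'   # placeholder, adjust to your domain

# Single lookup. The Password property is clear text: show it, never log it to a file.
$entry = Get-AdmPwdPassword -ComputerName 'CLIENT01'   # placeholder computer name
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp

# Coverage audit. ms-Mcs-AdmPwdExpirationTime is a 64-bit FILETIME in UTC and is
# not marked confidential, so this part needs no password-read permission.
$now = Get-Date
Get-ADComputer -SearchBase $ouDN -Filter 'Enabled -eq $true' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
  ForEach-Object {
    $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # Attribute empty: GPO not applied, CSE missing, or SELF write permission absent.
        [pscustomobject]@{ Computer = $_.Name; State = 'NoLapsPassword'; Expires = $null }
    } else {
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
        [pscustomobject]@{
            Computer = $_.Name
            State    = if ($expires -lt $now) { 'Expired' } else { 'OK' }
            Expires  = $expires
        }
    }
  } | Where-Object State -ne 'OK' | Sort-Object Computer | Format-Table -AutoSize
```

An empty list means every enabled computer in the OU has a current LAPS password; anything listed deserves a look at gpresult and the AdmPwd event log on that client.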

Advanced Settings

Changing Password Policies

With LAPS you can enforce local administrator password policies. Open the previously created GPO and configure the appropriate settings.

Renaming the Local Administrator Account

Furthermore, it's possible to manage a renamed administrator account: if the built-in account has been renamed, tell LAPS its name in the policy setting "Name of administrator account to manage".
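The LAPS client GPO from the "Enabling LAPS on all Client Computers" section together with the password policy and account-name settings from this "Advanced Settings" section, built from PowerShell instead of gpmc.msc. This is an added example, not code from the original post; it assumes the GroupPolicy module (RSAT), a placeholder OU DN, and that the registry path below is the one the LAPS ADMX template (AdmPwd.admx) writes to, which is what the GUI does behind the scenes.

```powershell
# Added example (not from the original post): create, populate and link the LAPS
# client GPO with the same settings the Administrative Templates GUI exposes.
Import-Module GroupPolicy

$gpoName = 'LAPS'
$ouDN    = 'OU=Workstations,DC=example,DC=local'   # placeholder, adjust to your domain
# Policy key behind the LAPS ADMX template; the GUI writes the same values.
$key     = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Local admin password management (LAPS)' }

# "Enable local admin password management"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null

# "Password Settings": complexity 4 = upper, lower, digits and specials;
# 20 characters; new password every 14 days (the policy granularity is days).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 14 | Out-Null

# "Do not allow password expiration time longer than required by policy": a client
# may not keep a password beyond the configured age even if the attribute says so.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null

# "Name of administrator account to manage": only set this if the built-in account
# was renamed. Left unset, LAPS manages the well-known RID 500 account by SID.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdminAccountName' -Type String -Value 'LocalAdm' | Out-Null

# Link to the client OU (skip if already linked), then show what the GPO contains.
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Value
```

The value 'LocalAdm' is a constructed placeholder; drop that line entirely if your administrator account keeps its default name.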

Have fun with LAPS!

More information about LAPS: TechNet, "Local Administrator Password Solution".


8 Comments

  1. Adriano Jorge says:

    Very goodbye thanks for sharing.

  2. Jeff says:

Is there any way to reset the local admin password every 4 hours?

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!
