You wish to configure the Local Administrator Password Solution (LAPS) in your Active Directory environment.
Setting up LAPS is a relatively simple process. For additional information, Microsoft has some excellent documentation on setting up LAPS, which you can download here. There is also a webcast we did on this topic, which you can see here.
Kris Powell has written scripts to automate the PowerShell portion of this process, retrieve the local LAPS admin password, and reset a local LAPS admin password. They are attached at the end of this article. For more detailed usage of these scripts, please see the following webcast:
LAPS configuration is covered in the following sections:
Setting Up the Management Machine
Extending the Active Directory (AD) Schema and Setting up Rights
Group Policy Settings
1. Download the LAPS MSI files and documentation: https://www.microsoft.com/en-us/download/details.aspx?id=46899
2. Choose a management machine. This machine can be any domain-joined machine you will use (such as your workstation) to review the credentials of the LAPS account for a particular machine and modify the expiration time (if allowed by Group Policy). It is not recommended to use a DC as the management machine. You may have as many management machines as needed.
3. Install the MSI on the management machine with the following settings:
NOTE: The PowerShell module is optional, but recommended, as LAPS can be managed using PowerShell. For the remainder of this document, it is assumed you installed the PowerShell module and you are a domain administrator.
4. Extend the schema of the Active Directory domain by running the following from PowerShell:
Load the module:
Import-Module AdmPwd.PS
Then update the schema with the following command:
Update-AdmPwdADSchema
Your results should look something like this:
From Microsoft: "If you have an RODC installed in the environment and you need to replicate the value of the attribute ms-Mcs-AdmPwd to the RODC, you will need to change the 10th bit of the searchFlags attribute value for the ms-Mcs-AdmPwd schema object to 0 (subtract 512 from the current value of the searchFlags attribute). For more information on adding attributes to or removing attributes from the RODC Filtered Attribute Set, please refer to http://technet.microsoft.com/en-us/library/cc754794(v=WS.10).aspx."
You can use ADSI Edit to view the schema modifications:
5. Using the same PowerShell session (if you use a new session, remember to import the module with the Import-Module AdmPwd.PS command), check the extended rights for users and groups on the OU that will hold your LAPS-managed computers. Any user or group holding extended rights on these objects can read the LAPS password and other confidential attributes, so review this list carefully:
Find-AdmPwdExtendedRights -Identity AA_Computers | Format-Table
Which looks like this for our lab domain:
6. Grant the SELF principal (each computer's own account) write access to the LAPS password and expiration-time attributes, again using the OU of the computers that will be LAPS-configured:
Set-AdmPwdComputerSelfPermission -OrgUnit AA_Computers
7. Now grant read access, which is an extended right on the ms-Mcs-AdmPwd attribute, to all users who will be able to read the stored LAPS account password on computers in the OU from step 6:
Set-AdmPwdReadPasswordPermission -OrgUnit AA_Computers -AllowedPrincipals LAPSAdmins
8. Grant additional access rights on ms-Mcs-AdmPwdExpirationTime to all users who will be able to write the stored LAPS account password on computers in the OU from step 6. This right allows users to force password resets for the LAPS account on managed computers, if allowed by Group Policy.
Set-AdmPwdResetPasswordPermission -OrgUnit AA_Computers -AllowedPrincipals LAPSAdmins
This concludes the user and AD extension setup portion.
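Steps 4 through 8 above, collected into one script that also audits the extended-rights holders afterwards. This is an added example rather than a script from the article or its attachments; it assumes the AdmPwd.PS module is installed, the session runs as a domain administrator, and the OU and group names (AA_Computers, LAPSAdmins) and the expected-holder list are edited to match your domain.

```powershell
# Added example (not from the original article): automates steps 4-8 for one OU
# and then lists who can read the clear-text LAPS password on it. Assumes the
# AdmPwd.PS module from the LAPS MSI is installed, the session runs as a domain
# admin, and the OU/group names below match your environment.
param(
    [string]$ComputerOU = 'AA_Computers',
    [string[]]$PasswordReaders = @('LAPSAdmins'),
    [string[]]$PasswordResetters = @('LAPSAdmins'),
    # Principals you expect to hold extended rights on computer objects anyway.
    [string[]]$ExpectedExtendedRightHolders = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
)

Import-Module AdmPwd.PS -ErrorAction Stop

# Step 4: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the schema.
Update-AdmPwdADSchema | Format-Table -AutoSize

# Step 6: let each computer (SELF) write its own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ComputerOU | Out-Null

# Step 7: grant read access to the stored password.
Set-AdmPwdReadPasswordPermission -OrgUnit $ComputerOU -AllowedPrincipals $PasswordReaders | Out-Null

# Step 8: grant the right to write the expiration time (force a reset).
Set-AdmPwdResetPasswordPermission -OrgUnit $ComputerOU -AllowedPrincipals $PasswordResetters | Out-Null

# Step 5 (audit): every principal listed here can read the LAPS password.
# Anything outside the expected set deserves a closer look.
$rights = Find-AdmPwdExtendedRights -Identity $ComputerOU
$rights | Format-Table -AutoSize

$allowed = $ExpectedExtendedRightHolders + $PasswordReaders
$unexpected = foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        # Holders are returned as DOMAIN\Name; compare on the name part only.
        $name = ($holder -split '\\')[-1]
        if ($allowed -notcontains $name) { $holder }
    }
}
if ($unexpected) {
    Write-Warning "Unexpected principals with extended rights on $ComputerOU`: $($unexpected -join ', ')"
} else {
    Write-Host "Extended rights on $ComputerOU are limited to the expected principals."
}
```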
9. On a machine that has AD GPMC access (gpmc.msc), run the LAPS MSI to install the GPO Editor templates. This will install the ADMX and ADML files for LAPS. No other features are required or recommended.
10. Once the GPO Editor templates have been installed, open GPMC, create a new Group Policy Object, edit that object, and navigate to Computer Configuration > Administrative Templates > LAPS.
11. Define the password settings for managed computers:
12. Configure the name of the LAPS-managed administrator account. In this example, it's LAPSAdmin:
If this policy is not configured, LAPS will default to using the local built-in Administrator account. We recommend creating your own LAPS administrator account for a variety of reasons, one of which is that the default Administrator account is often disabled by default. Another reason is that a dedicated LAPS administrator account is easier to identify on the machine as existing (or not) and therefore open to accurate reporting within PDQ Inventory.
13. Enable LAPS. This turns on local admin password management.
14. Optional: Do not allow password expiration time longer than required by policy. This refers to step 11. If this is enabled, group policy will not allow LAPSAdmins to change the password expiration on a machine longer than allowed by the policy in step 11.
15. Apply the changes and link this to the AA_Computers OU.
16. Next, deploy the MSI to all managed computers using PDQ Deploy. Start by opening up PDQ Deploy and creating a New Package from either the ribbon or Ctrl+N.
17. Name the package something meaningful and add two Install Steps and one Command Step.
18. In the first install step, point to the x64 MSI installer file. Since we are not using the default Administrator account and instead using LAPSAdmin, we use CUSTOMADMINNAME=LAPSAdmin as the MSI Parameter. Change this to match your custom LAPS admin name.
Also set the Conditions to only deploy to x64 machines:
19. Repeat step 18 on the second install step for the x86 MSI, changing the MSI install file and Conditions to match the x86 architecture.
20. Finally, run gpupdate in the Command Step:
21. Save, Deploy, and enjoy!
22. Check a managed machine to ensure the LAPSAdmin account is a local administrator:
23. Now, log in to the management machine (from step 2) using an account that is allowed to read the LAPS password and open the LAPS UI. Enter a computer name from the AA_Computers OU and click Search.
You have now successfully configured LAPS in your environment.
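A scripted version of the checks in steps 22 and 23, run from the management machine across every computer in the OU. This is an added example, not one of the scripts attached to the article; it assumes the AdmPwd.PS and ActiveDirectory modules are installed, WinRM is enabled on the managed computers, the placeholder OU distinguished name and account name are edited to match your domain, and the account running it holds the read-password right from step 7.

```powershell
# Added example (not from the original article): post-deployment health check
# run from the management machine. Assumes AdmPwd.PS and ActiveDirectory are
# installed, WinRM reaches the clients, and the placeholder values below are
# replaced with your own OU distinguished name and LAPS admin account name.
param(
    [string]$SearchBase = 'OU=AA_Computers,DC=example,DC=local',   # placeholder DN
    [string]$AdminAccount = 'LAPSAdmin'
)
Import-Module AdmPwd.PS, ActiveDirectory -ErrorAction Stop

$report = foreach ($pc in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    $entry = Get-AdmPwdPassword -ComputerName $pc.Name -ErrorAction SilentlyContinue
    $status = if (-not $entry.Password) {
        # Nothing stored yet: the CSE is not installed or the GPO has not applied (steps 16-21).
        'NoPasswordStored'
    } elseif ($entry.ExpirationTimestamp -lt (Get-Date)) {
        # Past expiry but not rotated: the client has not refreshed Group Policy.
        'Expired'
    } else {
        'Healthy'
    }

    # Step 22: confirm the managed account really is a local administrator.
    $isAdmin = 'Unreachable'
    try {
        $members = Invoke-Command -ComputerName $pc.Name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        # Members come back as COMPUTER\Name; compare on the account name only.
        $isAdmin = ($members | ForEach-Object { ($_ -split '\\')[-1] }) -contains $AdminAccount
    } catch { }

    [pscustomobject]@{
        ComputerName = $pc.Name
        Status       = $status
        ExpiresAt    = $entry.ExpirationTimestamp
        LocalAdminOK = $isAdmin
    }
}
# The report records whether a password exists and when it expires, never the password itself.
$report | Sort-Object Status | Format-Table -AutoSize
```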
Microsoft’s LAPS Download: Local Administrator Password Solution (LAPS)
Article: LAPS Integration With PDQ Inventory And PDQ Deploy
Video: Configuring LAPS and PDQ