Today we will deploy the Microsoft LAPS solution to manage local administrator passwords on domain-joined computers. It is an excellent tool that takes over the burden of rotating the local administrator account password, and it avoids the situation where every workstation shares the same local administrator password (so one compromised workstation does not hand an attacker all of them).
First we need to download LAPS from the Microsoft Download Center and install it on the management computer (in our case a Domain Controller). LAPS is installed to “%ProgramFiles%\LAPS”.
For “Managed computers” we can run the same installer to install the same components, or register “AdmPwd.dll” using the following command. For client machines this single component is enough: it is the LAPS GPO Client Side Extension (CSE) that performs the actual password rotation.
Next we need to extend the Active Directory schema with two new attributes that store the password of the managed local Administrator account for each computer and the timestamp of password expiration. Both attributes are added to the may-contain attribute set of the computer class.
ms-Mcs-AdmPwd – Stores the password in clear text (which is why read access to it must be delegated explicitly, as shown further below)
ms-Mcs-AdmPwdExpirationTime – Stores the time at which the password is to be reset
If you have an RODC installed in the environment and you need to replicate the value of the attribute ms-Mcs-AdmPwd to the RODC, you will need to change the 10th bit of the searchFlags attribute value for the ms-Mcs-AdmPwd schema object to 0 (subtract 512 from the current value of the searchFlags attribute). For more information on adding attributes to or removing attributes from the RODC Filtered Attribute Set, please refer to http://technet.microsoft.com/en-us/library/cc754794(v=WS.10).aspx.
Next we need to give computer accounts permission (as SELF) to write the password and expiration-time attributes of their own computer objects, so that they can manage their local administrator password.
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Set-AdmPwdComputerSelfPermission -OrgUnit LAPS_Computers
To quickly find which security principals have extended rights to the OU (and therefore can read the clear-text password), you can use the following PowerShell cmdlet.
Find-AdmPwdExtendedRights -Identity <OU name> | Format-Table
Find-AdmPwdExtendedRights -Identity LAPS_Computers | Format-Table
To give users or groups permission to read the local administrator password:
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
Set-AdmPwdReadPasswordPermission -OrgUnit LAPS_Computers -AllowedPrincipals secops\LAPS_Admins
In order to allow users to reset the password, we need to give them write permission on the ms-Mcs-AdmPwdExpirationTime attribute of the computer accounts.
Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
Set-AdmPwdResetPasswordPermission -OrgUnit LAPS_Computers -AllowedPrincipals secops\LAPS_Admins
We need to configure the LAPS GPO settings and apply the GPO to the desired OU. In our case I created the “LAPS_Computers” OU and placed all computers whose local admin password will be managed by LAPS into this OU.
If you want to manage the password of a custom local administrator account, you can do this by specifying the account name in the “AdminAccountName” GPO setting. In our case this is “LADMIN”.
The “ms-Mcs-AdmPwd” attribute stores the password of only one account. If the computer has the default local Administrator account and you specified a custom local administrator account as in our case, only the password of the custom account will be managed.
To view or reset the password we can use the LAPS UI (C:\Program Files\LAPS\AdmPwd.UI.exe).
To view and reset the password using PowerShell:
Get-AdmPwdPassword -ComputerName <computername>
Get-AdmPwdPassword -ComputerName SRV1
Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
Reset-AdmPwdPassword -ComputerName SRV1 -WhenEffective <date time>
Reset-AdmPwdPassword -ComputerName SRV1 -WhenEffective (Get-Date)
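The two checks above (who holds extended rights on the OU, and what the expiration stamps look like) are worth running as a routine audit rather than once. The following script is an added example and not part of the original post or of the LAPS product; it assumes the AdmPwd.PS and ActiveDirectory modules are present on the management host, reuses the “LAPS_Computers” OU and “secops\LAPS_Admins” group from the post, and uses a hypothetical search base and approved-holder list.

```powershell
# Added example: audit LAPS delegation and rotation state for computer OUs.
# Assumes AdmPwd.PS (LAPS) and ActiveDirectory modules on the management host.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$SearchBase      = 'OU=LAPS_Computers,DC=secops,DC=local'   # hypothetical DN
$ApprovedReaders = @('secops\LAPS_Admins', 'secops\Domain Admins')  # assumed
$MaxAgeDays      = 30   # matches the default LAPS password age in the GPO

# 1. Extended-rights audit: every principal that can read ms-Mcs-AdmPwd on the
#    OU, or on any OU beneath it, should be on the approved list. Anything else
#    is a finding, because "All extended rights" grants clear-text password reads.
function Get-UnexpectedLapsReaders {
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * | ForEach-Object {
        $rights = Find-AdmPwdExtendedRights -Identity $_.DistinguishedName
        foreach ($holder in $rights.ExtendedRightHolders) {
            if ($ApprovedReaders -notcontains $holder) {
                [pscustomobject]@{ OU = $rights.ObjectDN; UnexpectedHolder = $holder }
            }
        }
    }
}

# 2. Rotation audit: a computer with no expiration stamp has never been
#    processed by the CSE (GPO not applied, DLL not registered, or SELF
#    permission missing); a stamp in the past means rotation has stopped.
#    Only the timestamp is kept; the Password property is deliberately dropped.
function Get-LapsRotationProblems {
    $now = Get-Date
    Get-ADComputer -SearchBase $SearchBase -Filter * | ForEach-Object {
        $p = Get-AdmPwdPassword -ComputerName $_.Name
        $state = if (-not $p.ExpirationTimestamp) { 'NeverSet' }
                 elseif ($p.ExpirationTimestamp -lt $now) { 'Expired' }
                 elseif ($p.ExpirationTimestamp -gt $now.AddDays($MaxAgeDays)) { 'ExpiryTooFar' }
                 else { 'OK' }
        [pscustomobject]@{ Computer = $_.Name; Expires = $p.ExpirationTimestamp; State = $state }
    } | Where-Object { $_.State -ne 'OK' }
}

Get-UnexpectedLapsReaders | Format-Table -AutoSize
Get-LapsRotationProblems  | Format-Table -AutoSize
```

The 'ExpiryTooFar' state catches an expiration time that was manually pushed beyond the GPO maximum, which the CSE will pull back in on its next run but which is still worth knowing about.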