In Part 3 of our series on Microsoft LAPS (Local Administrator Password Solution), I’ll cover setting up Group Policy for LAPS, installing the client on managed systems, and viewing local Administrator passwords both in the GUI and in PowerShell.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

The last step in setting up the Microsoft Local Administrator Password Solution (LAPS) after updating the Active Directory (AD) schema and permissions is to install the client application and configure Group Policy.

Configuring Group Policy

In Part 2 of this series, How to set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory, we installed the Management Tools. If you’re using a management station, you’ll want to run one of the LAPS installers (either x86 or x64) and make sure that the GPO Editor templates are selected as part of the install.

Local Administrator Password Solution Custom Setup options for server

Next, open the Group Policy Management Console (GPMC) and either edit an existing Group Policy Object (GPO) for your computers or create a new one, and then right-click to edit it. In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS.

LAPS Policies in the Group Policy Management Console

First, you’ll want to enable password management with LAPS by setting the “Enable local admin password management” policy to Enabled.

Enable local admin password management

Next, you’ll want to enable the password settings and configure your password options. With this setting, you can configure the complexity (capital letters, lowercase letters, numbers, and special characters), length, and maximum password age.

Password Settings for LAPS

LAPS can detect the local Administrator account using its well-known SID even if you’ve renamed the Administrator account on any of your systems. If you’ve created a secondary local Administrator account and you want LAPS to manage its password, you can set the username of that account using the “Name of administrator account to manage” policy.

Name of Administrator account to manage policy

Installing the client

The Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy bits without any additional options. So, you can use your deployment tool of choice and run:
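The following is an added example and not the command from the original post: an unattended install of the LAPS client-side extension (CSE) followed by the checks a practitioner would run on a managed machine before trusting that passwords are actually rotating. It assumes the installers are named LAPS.x64.msi and LAPS.x86.msi and sit on a placeholder share, that the MSI feature for the client is called CSE, that the CSE DLL lands under Program Files\LAPS\CSE, and that the GPO writes its values to HKLM\Software\Policies\Microsoft Services\AdmPwd (the key mentioned in the comments below).

```powershell
# Added example (not from the original post): silent LAPS CSE install plus post-install checks.
# Assumptions: LAPS.x64.msi / LAPS.x86.msi in $Source, MSI feature name "CSE",
# CSE DLL at Program Files\LAPS\CSE\AdmPwd.dll, policy key HKLM\Software\Policies\Microsoft Services\AdmPwd.
param(
    [string]$Source = '\\FILESERVER\Deploy\LAPS'   # placeholder share; adjust for your environment
)

# 1. Pick the installer that matches the OS architecture of this machine.
$msi  = if ([Environment]::Is64BitOperatingSystem) { 'LAPS.x64.msi' } else { 'LAPS.x86.msi' }
$path = Join-Path -Path $Source -ChildPath $msi
$log  = Join-Path -Path $env:TEMP -ChildPath 'LAPS-install.log'

# 2. Silent install of the CSE only (managed systems do not need the management tools).
#    /quiet = no UI, /norestart = never reboot, /l*v = verbose log for troubleshooting.
$msiArgs = @('/i', "`"$path`"", 'ADDLOCAL=CSE', '/quiet', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {          # 3010 = success, reboot pending
    throw "msiexec exited with $($proc.ExitCode); see $log"
}

# 3. Confirm the CSE binary is present, then refresh Group Policy so the LAPS
#    settings are pulled down now instead of at the next background refresh.
$cseDll = Join-Path -Path $env:ProgramFiles -ChildPath 'LAPS\CSE\AdmPwd.dll'
if (-not (Test-Path -Path $cseDll)) { throw "LAPS CSE not found at $cseDll" }
& gpupdate.exe /target:computer /force | Out-Null

# 4. Read back the values the LAPS GPO writes. AdmPwdEnabled=1 corresponds to the
#    "Enable local admin password management" policy; the others map to the Password
#    Settings and "Name of administrator account to manage" policies from the article.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (-not (Test-Path -Path $key)) {
    throw "No LAPS policy applied here (key $key missing); check GPO link, scope and WMI/security filtering"
}
$policy = Get-ItemProperty -Path $key
[pscustomobject]@{
    Enabled        = ($policy.AdmPwdEnabled -eq 1)
    Complexity     = $policy.PasswordComplexity      # 1..4 = how many character classes are used
    Length         = $policy.PasswordLength
    MaxAgeDays     = $policy.PasswordAgeDays
    ManagedAccount = if ($policy.AdminAccountName) { $policy.AdminAccountName } else { '(built-in Administrator via well-known SID)' }
}
```

If the policy key is missing after the forced refresh, the problem is on the GPO side (link, scope, filtering) rather than the client install; if the key is present but the password in AD stays empty, look at the CSE's events in the Application log on the client.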

Just remember, LAPS only supports Windows Vista and up for client systems and Windows Server 2003 SP1 on server systems. Support for Windows XP is not included if you still have that floating around in your environment.

If you need assistance deploying the agent out to computers, Joseph has written a great guide on installing applications with Group Policy or System Center Configuration Manager (SCCM). My personal preference is to use Configuration Manager because it gives me access to reporting and lets me know if any clients have errors when trying to install the software.

Viewing passwords with the GUI

Two ways exist to view the password for a computer that has a LAPS-managed Administrator password. The first method is to use Active Directory Users and Computers (ADUC). In ADUC, click View and then confirm that Advanced Features has a check by it. If it doesn’t, clicking it will enable the Advanced Features.

Enable Advanced Features in Active Directory Users and Computers

Next, find the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object. Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password.

ms-Mcs-AdmPwd attribute on the Attribute Editor tab of computer properties

If you installed the full suite of Admin tools for LAPS, the “Fat client UI” will be installed on your management station. The actual installed application is called LAPS UI and can be found on the Start screen.

LAPS UI on Start Screen

When you run the LAPS UI application, you’ll need to enter the full name of the computer. Unfortunately, the LAPS application doesn’t currently allow you to search for computers in Active Directory; so, you’ll need to know the full name of the computer. After you enter the computer name, clicking the Search button will display the current Administrator password as well as the date and time that the password will expire. The LAPS UI application also allows you to set a new expiration time or force an immediate expiration. If the password or expiration fields are blank, the account you’re using most likely doesn’t have sufficient permissions to read the attribute in AD.

LAPS UI application showing a computer's local Administrator password

Viewing passwords with PowerShell

The Management Tools also include a PowerShell module that you can use for viewing passwords and forcing expiration. First, you’ll need to load the AdmPwd.PS module and then use the Get-AdmPwdPassword cmdlet:

Viewing an Administrator password with Get-AdmPwdPassword

If you need to force the password to change, you can use the Reset-AdmPwdPassword cmdlet to force an immediate change to the password:
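The script below is an added example covering both the Get-AdmPwdPassword and Reset-AdmPwdPassword steps above; it is not the screenshot content from the original post. It uses the real cmdlets from the AdmPwd.PS module and assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the management station; the computer name PC01 and the OU distinguished name are placeholders.

```powershell
# Added example (not from the original post): view, audit and reset LAPS-managed passwords.
# Assumptions: AdmPwd.PS (LAPS management tools), ActiveDirectory and GroupPolicy (RSAT) modules
# are available; 'PC01' and the OU below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# 1. Look up a single computer. The result carries ComputerName, DistinguishedName,
#    Password and ExpirationTimestamp. An empty Password means either the account
#    running this lacks read rights on ms-Mcs-AdmPwd, or the CSE has not run there yet.
$one = Get-AdmPwdPassword -ComputerName 'PC01'
$one | Format-List

# 2. Audit an OU without ever writing the passwords anywhere: flag computers that have
#    no password stored (CSE missing or GPO not applied) and computers whose password is
#    past its expiration time (machine offline or not refreshing Group Policy).
$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$report = Get-ADComputer -Filter * -SearchBase $ou |
    ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } |
    Select-Object ComputerName,
        @{ Name = 'HasPassword'; Expression = { -not [string]::IsNullOrEmpty($_.Password) } },
        @{ Name = 'Expired';     Expression = { $_.ExpirationTimestamp -lt (Get-Date) } },
        ExpirationTimestamp
$report | Where-Object { -not $_.HasPassword -or $_.Expired } | Format-Table -AutoSize

# 3. Force a rotation. Reset-AdmPwdPassword only moves the expiration time stored in AD
#    (here: to now); the CSE changes the real local password on the machine at its next
#    Group Policy refresh. Triggering that refresh remotely shortens the window in which
#    the old password is still valid, and the lookup afterwards confirms the change.
Reset-AdmPwdPassword -ComputerName 'PC01' -WhenEffective (Get-Date)
Invoke-GPUpdate -Computer 'PC01' -Target Computer -Force      # GroupPolicy module
Start-Sleep -Seconds 30
(Get-AdmPwdPassword -ComputerName 'PC01').ExpirationTimestamp   # should now be in the future again
```

Treat the output of step 1 as a secret: it is the current local Administrator password in clear text, so do not pipe it to transcripts, log files or a shared console.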

Conclusion

For free, I’m finding it really hard to make any complaints about Microsoft LAPS. It doesn’t have any of the bells and whistles that some of the paid products include, but it also really isn’t intended to compete with those products. If you’re looking for a simple way to not only randomize local Administrator passwords but also ensure that the passwords are different between systems, I highly recommend deploying Microsoft’s Local Administrator Password Solution in your lab/test environment and giving it a spin.

In my next post I will cover a few frequently asked questions about LAPS.

10 Comments
  1. Andy 3 years ago

    Thanks for writing these up. Got it up and running.

  2. Gary 2 years ago

    This is very helpful. I was writing up a walkthrough and found this. I hope you don't mind; I've linked to your articles from my blog.

  3. Michael Pietroforte 2 years ago

    Gary, thanks for the link, but I didn't write the article. Kyle Beckman is the author. You might want to correct this in your blog. 🙂

  4. Tom 2 years ago

    This is the most understandable documentation on LAPS I have seen. Thanks from all of us!

    One thing I noticed - where it says: "Next, FIND the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object."

    If you actually use "Find..." (do a search for) your computer in AD Users and Computers, for some reason the Attribute Editor tab is not there in Properties. If you scroll on down and dig it out, then it IS there. So weird.

    Anyway, someone noticed that if you -
    1: search and find your Computer as usual,
    2: open its Properties and click "Member Of",
    3: open Properties of a group in that list,
    4: find your computer,
    5: open its Properties from there and you will see the Attribute Editor tab!

    This reads a little convoluted, but it only takes a few seconds and is quicker than a big AD search, at least for me.

  5. Basil Shaikh 2 years ago

    I tried it and things are working fine; I can view the password from the AD attribute, but not from the LAPS GUI tool nor even from PowerShell.

    Error message:

    New-AdmPwdKeyPair : SRVRecord _admPwd._tcp.xxx.com not found
    At line:1 char:1
    + New-AdmPwdKeyPair -KeySize 1024
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AdmPwdKeyPair], AutodiscoverException
    + FullyQualifiedErrorId : AdmPwd.Types.AutodiscoverException,AdmPwd.PS.GenerateKeyPair

  6. rajesh 1 year ago

    I would like to know whether we need to add any customisations to that LAPS x64 MSI, or whether we can just make use of it as it is.

    I am a little bit confused... As per the technical documentation, I found the registry key described in 5.1.3 after installing the MSI. But I don't find the registry key which is stated in 5.1.2, HKLM\Software\Policies\Microsoft Services\AdmPwd, after installing the .msi.

    Please advise if I can simply package this msi and make use of it as it is.

  7. Jeff 1 year ago

    This is working as described with my laptops and desktops. I'm trying to apply it now to servers, and I see the GPO being applied and the application installed, but it still doesn't seem to be setting the password. Is there anything special that needs to be done to apply it to Server 2008 R2 and above?

  8. Ben Diaz 8 months ago

    We have implemented LAPS here at the company I work for, and I was just curious if there is a way to omit certain letters. Sometimes there can be some confusion as to what letter is upper or lower case; for example, lowercase "l" and "1" can sometimes be tough to distinguish. Appreciate any responses that may help. Thank you.

  9. Teppo Vanhatalo 7 months ago

    I have made an updated admin UI for LAPS. The only addition is support for multi-domain environments. More info here:
    https://www.linkedin.com/pulse/advanced-laps-ui-multi-domain-environment-teppo-vanhatalo

  10. Rob 3 months ago

    You may want to include something in here (or maybe in part 2) about having to manually copy the ADMX and ADML files from local policy definitions directory to the SYSVOL policy directory on 2008 R2. They don't show up in GPME automatically.
