In Part 3 of our series on Microsoft LAPS (Local Administrator Password Solution), I’ll cover setting up Group Policy for LAPS, installing the client on managed systems, and viewing local Administrator passwords both in the GUI and in PowerShell.

The last step in setting up the Microsoft Local Administrator Password Solution (LAPS) after updating the Active Directory (AD) schema and permissions is to install the client application and configure Group Policy.

Configuring Group Policy

In Part 2 of this series, How to set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory, we installed the Management Tools. If you’re using a management station, you’ll want to run one of the LAPS installers (either x86 or x64) and make sure that the GPO Editor templates are selected as part of the install.

Local Administrator Password Solution custom setup options for server

Next, open the Group Policy Management Console (GPMC) and either edit an existing Group Policy Object (GPO) for your computers or create a new one, and then right-click to edit it. In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS.

LAPS policies in the Group Policy Management Console

First, you’ll want to enable password management with LAPS by setting the “Enable local admin password management” policy to Enabled.

Enable local admin password management

Next, you’ll want to enable the password settings and configure your password options. With this setting, you can configure the complexity (capital letters, lowercase letters, numbers, and special characters), length, and maximum password age.

Password settings for LAPS

LAPS can detect the local Administrator account using its well-known SID even if you’ve renamed the Administrator account on any of your systems. If you’ve created a secondary local Administrator account and you want LAPS to manage its password, you can set the username of that account using the “Name of administrator account to manage” policy.
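The same three policies can be set from PowerShell with the GroupPolicy module, which is handy when you manage several GPOs or want the settings in a script. This is an added example, not code from the article; it assumes a GPO named "LAPS Clients" already exists and is linked to your computer OU, and the length and age values are sample choices.

```powershell
# Added example: configure the LAPS policies with the GroupPolicy module
# instead of the GPO editor. The GPO name below is an assumption.
Import-Module GroupPolicy

$GpoName = 'LAPS Clients'
# Registry path the LAPS ADMX template writes its settings to
$Key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'

# "Enable local admin password management" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null

# "Password Settings": complexity 4 = upper, lower, numbers and special characters;
# 14 characters; a new password every 30 days (sample values)
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordLength'     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# "Name of administrator account to manage": only needed for a secondary local
# admin account. The built-in Administrator is found by its well-known SID, so
# leave this unset for it. 'LocalAdmin2' is a constructed account name.
# Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AdminAccountName' -Type String -Value 'LocalAdmin2' | Out-Null

# Read the settings back to confirm what the GPO now contains
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value
```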

Name of Administrator account to manage policy

Installing the client

The Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy bits without any additional options. So, you can use your deployment tool of choice and run:

# For 64-bit/x64 systems
msiexec /q /i \\server\path\LAPS.x64.msi
# For 32-bit/x86 systems
msiexec /q /i \\server\path\LAPS.x86.msi

Just remember, LAPS only supports Windows Vista and up on client systems and Windows Server 2003 SP1 and up on server systems. Windows XP is not supported if you still have it floating around in your environment.

If you need assistance deploying the agent out to computers, Joseph has written a great guide on installing applications with Group Policy or System Center Configuration Manager (SCCM). My personal preference is to use Configuration Manager because it gives me access to reporting and lets me know if any clients have errors when trying to install the software.
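Whichever deployment tool you use, a quick way to confirm on a client that both halves are in place (the CSE installed by the MSI and the policy settings delivered by the GPO) is to check the install path and the policy registry key. This is an added example, not code from the article; it assumes the default LAPS install location and the AdmPwd event source in the Application log.

```powershell
# Added example: verify on a managed client that the LAPS client-side extension
# is installed and that the LAPS GPO settings have reached the machine.
# Run it locally or through Invoke-Command.
function Test-LapsClient {
    # Default install location of the LAPS CSE (assumption: default path)
    $csePath   = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    # Key the LAPS ADMX policies are written to on the client
    $policyKey = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

    $installed = Test-Path $csePath
    $policy    = if (Test-Path $policyKey) { Get-ItemProperty $policyKey } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CseInstalled       = $installed
        CseVersion         = if ($installed) { (Get-Item $csePath).VersionInfo.ProductVersion } else { $null }
        PolicyApplied      = $null -ne $policy
        AdmPwdEnabled      = $policy.AdmPwdEnabled
        PasswordLength     = $policy.PasswordLength
        PasswordAgeDays    = $policy.PasswordAgeDays
        ManagedAccountName = if ($policy.AdminAccountName) { $policy.AdminAccountName }
                             else { 'built-in Administrator (well-known SID)' }
    }
}

$result = Test-LapsClient
$result | Format-List

# Both halves are required: the CSE only runs during Group Policy refresh, so a
# missing policy key means gpupdate has not delivered the LAPS settings yet, or the
# GPO is not linked to this computer's OU.
if (-not ($result.CseInstalled -and $result.AdmPwdEnabled -eq 1)) {
    Write-Warning "LAPS is not active on $($result.ComputerName); check the install and GPO scope."
}

# The CSE logs to the Application log under the AdmPwd source; the last few entries
# show whether a password change and the write to AD actually happened.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```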

Viewing passwords with the GUI

Two ways exist to view the password for a computer that has a LAPS-managed Administrator password. The first method is to use Active Directory Users and Computers (ADUC). In ADUC, click View and then confirm that Advanced Features has a check by it. If it doesn’t, clicking it will enable the Advanced Features.

Enable Advanced Features in Active Directory Users and Computers

Next, find the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object. Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password.

ms-Mcs-AdmPwd attribute on the Attribute Editor tab of computer properties

If you installed the full suite of Admin tools for LAPS, the “Fat client UI” will be installed on your management station. The actual installed application is called LAPS UI and can be found on the Start screen.

LAPS UI on the Start screen

When you run the LAPS UI application, you’ll need to enter the full name of the computer; the application doesn’t currently let you search for computers in Active Directory. After you enter the computer name, clicking the Search button will display the current Administrator password as well as the date and time that the password will expire. The LAPS UI application also allows you to set a new expiration time or force an immediate expiration. If the password or expiration fields are blank, the account you’re using most likely doesn’t have sufficient permissions to read the attribute in AD.

LAPS UI application showing a computer’s local Administrator password

Viewing passwords with PowerShell

The Management Tools also include a PowerShell module that you can use for viewing passwords and forcing expiration. First, you’ll need to load the AdmPwd.PS module and then use the Get-AdmPwdPassword cmdlet:

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName WIN81-X64

Viewing an Administrator password with Get-AdmPwdPassword

If you need to force the password to change, you can use the Reset-AdmPwdPassword cmdlet to force an immediate change to the password:

Reset-AdmPwdPassword -ComputerName WIN81-X64

Adding -WhenEffective allows you to control the date and time that the password will update on the computer:

Reset-AdmPwdPassword -ComputerName WIN81-X64 -WhenEffective "6.14.2015 18:00"

Force a reset of a local Administrator password with Reset-AdmPwdPassword
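Beyond looking up single computers, the attribute that drives the expiration is useful for auditing an entire OU: a computer with no ms-Mcs-AdmPwdExpirationTime has never been managed, and one whose time is well in the past has a client that stopped rotating. This is an added example, not code from the article; it reads only the expiration attribute (no passwords), needs the ActiveDirectory (RSAT) module, and the OU distinguished name is a constructed placeholder.

```powershell
# Added example: audit LAPS coverage for an OU without reading any password.
# ms-Mcs-AdmPwdExpirationTime is a FILETIME (Int64) that the client writes
# together with the password, so its presence and age tell the story.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',  # constructed OU DN
        [int]$GraceDays = 2   # tolerate clients that are slightly late refreshing policy
    )
    $attr   = 'ms-Mcs-AdmPwdExpirationTime'
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$GraceDays)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $attr | ForEach-Object {
        $raw     = $_.$attr
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $status  = if (-not $raw)            { 'NeverManaged' }   # attribute never written
                   elseif ($expires -lt $cutoff) { 'Overdue' }    # client stopped rotating
                   else                          { 'OK' }
        [pscustomobject]@{
            ComputerName = $_.Name
            ExpiresUtc   = $expires
            Status       = $status
        }
    }
}

$report = Get-LapsCoverage
$report | Sort-Object Status | Format-Table -AutoSize

# 'Overdue' and 'NeverManaged' are the computers to investigate: usually the CSE is
# not installed or the GPO no longer applies. Reset-AdmPwdPassword only moves the
# expiration time, so it helps only once the client is actually running again.
$report | Where-Object Status -ne 'OK' | Select-Object -ExpandProperty ComputerName
```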

Conclusion

For free, I’m finding it really hard to make any complaints about Microsoft LAPS. It doesn’t have any of the bells and whistles that some of the paid products include, but it also really isn’t intended to compete with those products. If you’re looking for a simple way to not only randomize local Administrator passwords but also ensure that the passwords are different between systems, I highly recommend deploying Microsoft’s Local Administrator Password Solution in your lab/test environment and giving it a spin.

In my next post I will cover a few frequently asked questions about LAPS.

15 Comments
  1. Andy 8 years ago

    Thanks for writing these up. Got it up and running.

  2. Gary 8 years ago

    This is very helpful, I was writing up a walk through and found this. I hope you don’t mind, I’ve linked to your articles from my blog.

  3.

    Gary, thanks for the link, but I didn’t write the article. Kyle Beckman is the author. You might want to correct this in your blog. 🙂

  4. Tom 8 years ago

    This is the most understandable documentation on LAPS I have seen. Thanks from all of us!

    One thing I noticed – where it says: “Next, FIND the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object.”

    If you actually use “Find…” (do a search for) your computer in AD Users and Computers, for some reason the Attribute Editor tab is not there in Properties. If you scroll on down and dig it out, then it IS there. So weird.

    Anyway, someone noticed that if you –
    1: search and find your Computer as usual,
    2: open its Properties and click “Member Of”,
    3: open Properties of a group in that list,
    4: find your computer,
    5: open its Properties from there and you will see the Attribute Editor tab!

    This reads a little convoluted, but it only takes a few seconds and is quicker than a big AD search, at least for me.

  5.

    I tried and things are working fine. I can view the password from the AD attribute but not from the LAPS GUI tool, nor even from PowerShell.

    Error message:

    New-AdmPwdKeyPair : SRVRecord _admPwd._tcp.xxx.com not found
    At line:1 char:1
    + New-AdmPwdKeyPair -KeySize 1024
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AdmPwdKeyPair], AutodiscoverException
    + FullyQualifiedErrorId : AdmPwd.Types.AutodiscoverException,AdmPwd.PS.GenerateKeyPair

  6. rajesh 7 years ago

    I would like to know whether we need any customisations added to the LAPS x64 MSI, or whether we can just make use of it as it is.

    I am a little bit confused. As per the technical documentation, section 5.1.3, I found the registry after installing the MSI. But I don’t find the registry key stated in 5.1.2, HKLM\Software\Policies\Microsoft Services\AdmPwd, after installing the .msi.

    Please advise if I can simply package this msi and make use of it as it is.

  7. Jeff 7 years ago

    This is working as described with my laptops and desktops. I’m trying to apply it now to servers, and I see the GPO being applied and the application installed, but it still doesn’t seem to be setting the password. Is there anything special that needs to be done to apply it to Server 2008 R2 and above?

  8. Ben Diaz 7 years ago

    We have implemented LAPS here at the company I work for, and I was just curious if there is a way to omit certain letters. Sometimes there can be some confusion as to what letter is upper or lower case. For example, lower case “l” and “1” can sometimes be tough to distinguish. Appreciate any responses that may help. Thank you

  9. Teppo Vanhatalo 6 years ago

    I have made an updated admin UI for LAPS. The only addition is support for multi-domain environments. More info here:
    https://www.linkedin.com/pulse/advanced-laps-ui-multi-domain-environment-teppo-vanhatalo

  10. Rob 6 years ago

    You may want to include something in here (or maybe in part 2) about having to manually copy the ADMX and ADML files from local policy definitions directory to the SYSVOL policy directory on 2008 R2. They don’t show up in GPME automatically.

  11. David Puckhaber 5 years ago

    This is more of a panic than a reply.

    Over three years ago our previous administration installed the AdmPwd application on our domain controllers. After they all left, three years ago, our desktops were updated to Windows 10 and nobody knew how to get the AdmPwd client installed on the new desktops. Our previous desktops became unusable and would not connect to the AdmPwd.

    I have been trying to get the passwords using the instructions above, but there is no AdmPwd referenced in the Advanced Features. I am a Domain Admin as well as AD_Admin, so I am sure I have permissions.

    How do I get these passwords so I can fix my AD?

  12. Paul Tower 5 years ago

    The specs mention PowerShell is required. Is this for both the AD server and the clients? We turn off PowerShell via Group Policy for our clients.

    Thanks!

  13. John 4 years ago

    I have successfully implemented LAPS in my infrastructure, which has two child domains. But the LAPS UI is not able to show the password due to a "The LDAP server is unavailable" error on client systems, even though I have checked the Netlogon service, which is functional and healthy. But I am able to use the LAPS UI without any issue on the domain controllers.

  14. james 4 years ago

    Excellent articles on LAPS. Thanks for sharing.

    I used the central store, so I had to copy the ADMX (64-bit) and also the AdmPwd.adml to the language folder, and LAPS appeared in GPMC.

  15. Anthony Labrador 2 years ago

    Hello Kyle,

    After following your article:
    3. Set up clients for Microsoft LAPS (Local Administrator Password Solution). Can’t view the password; even using the UI, the password is empty.

    Is the password generated, or can you set the password?

    Thanks,
    -Anthony

© 4sysops 2006 - 2023