The last step in setting up the Microsoft Local Administrator Password Solution (LAPS) after updating the Active Directory (AD) schema and permissions is to install the client application and configure Group Policy.
Configuring Group Policy
In Part 2 of this series, How to set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory, we installed the Management Tools. If you’re using a management station, you’ll want to run one of the LAPS installers (either x86 or x64) and make sure that the GPO Editor templates are selected as part of the install.
Local Administrator Password Solution custom setup options for server
Next, open the Group Policy Management Console (GPMC) and either edit an existing Group Policy Object (GPO) for your computers or create a new one, and then right-click to edit it. In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS.
LAPS policies in the Group Policy Management Console
First, you’ll want to enable password management with LAPS by setting the “Enable local admin password management” policy to Enabled.
Enable local admin password management
Next, you’ll want to enable the password settings and configure your password options. With this setting, you can configure the complexity (capital letters, lowercase letters, numbers, and special characters), length, and maximum password age.
Password settings for LAPS
LAPS can detect the local Administrator account using its well-known SID even if you’ve renamed the Administrator account on any of your systems. If you’ve created a secondary local Administrator account and you want LAPS to manage its password, you can set the username of that account using the “Name of administrator account to manage” policy.
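The same four settings can be written to a GPO from PowerShell instead of clicking through the editor, which is handy when you want the policy to be reproducible and to check it later. The script below is an added example, not code from the original post or from the LAPS package; it assumes the GroupPolicy module (part of RSAT) is available, that a GPO with the hypothetical name used below already exists, and that the registry values under `HKLM\Software\Policies\Microsoft Services\AdmPwd` are the ones the LAPS administrative template writes (`AdmPwdEnabled`, `PasswordComplexity`, `PasswordLength`, `PasswordAgeDays`). The baseline thresholds in `Test-LapsGpoBaseline` are my own choice, not values from the post.

```powershell
# Added example (not from the original post): configure the LAPS policy settings
# in a GPO from PowerShell and then verify them against a baseline.
# Assumptions: GroupPolicy module present, the GPO named below exists, and the
# value names match the LAPS ADMX template.
Import-Module GroupPolicy

$GpoName = 'LAPS - Workstations'   # hypothetical GPO name, replace with yours
$Key     = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'

# Policy values as the LAPS administrative template stores them:
#   AdmPwdEnabled      1 = "Enable local admin password management"
#   PasswordComplexity 4 = upper + lower + digits + special characters
#   PasswordLength     number of characters
#   PasswordAgeDays    maximum password age in days
$Settings = @(
    @{ ValueName = 'AdmPwdEnabled';      Type = 'DWord'; Value = 1  }
    @{ ValueName = 'PasswordComplexity'; Type = 'DWord'; Value = 4  }
    @{ ValueName = 'PasswordLength';     Type = 'DWord'; Value = 20 }
    @{ ValueName = 'PasswordAgeDays';    Type = 'DWord'; Value = 30 }
)

foreach ($s in $Settings) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $s.ValueName `
        -Type $s.Type -Value $s.Value | Out-Null
}

# Read the values back and flag anything weaker than the chosen baseline.
# A missing value means the policy is "Not Configured", i.e. the client falls
# back to its defaults, which is easy to miss in the GUI.
function Test-LapsGpoBaseline {
    param([string]$Name, [int]$MinLength = 14, [int]$MaxAgeDays = 30)

    $issues = @()
    foreach ($v in 'AdmPwdEnabled', 'PasswordComplexity', 'PasswordLength', 'PasswordAgeDays') {
        $r = Get-GPRegistryValue -Name $Name -Key $Key -ValueName $v -ErrorAction SilentlyContinue
        if (-not $r) { $issues += "$v is not configured"; continue }
        switch ($v) {
            'AdmPwdEnabled'      { if ($r.Value -ne 1)          { $issues += 'password management is not enabled' } }
            'PasswordComplexity' { if ($r.Value -lt 4)          { $issues += "complexity $($r.Value) allows a reduced character set" } }
            'PasswordLength'     { if ($r.Value -lt $MinLength) { $issues += "length $($r.Value) is below $MinLength" } }
            'PasswordAgeDays'    { if ($r.Value -gt $MaxAgeDays) { $issues += "age $($r.Value) days exceeds $MaxAgeDays" } }
        }
    }
    if ($issues.Count -eq 0) { "GPO '$Name' meets the baseline" } else { $issues }
}

Test-LapsGpoBaseline -Name $GpoName
```

Running the check periodically (or in a change-control pipeline) catches a GPO that someone set back to "Not Configured" or shortened the password length on, which otherwise only shows up when you open the editor.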
Name of Administrator account to manage policy
Installing the client
The Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy bits without any additional options. So, you can use your deployment tool of choice and run:
# For 64-bit/x64 systems
msiexec /q /i \\server\path\LAPS.x64.msi
# For 32-bit/x86 systems
msiexec /q /i \\server\path\LAPS.x86.msi
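If you are pushing the MSI with a script rather than a packaging tool, it pays to pick the right architecture automatically, keep an install log, and confirm that the Group Policy client-side extension actually landed, because a client without the CSE will silently ignore the policy. The following is an added example, not part of the original post or of the LAPS installer; the share path is a placeholder, and it assumes the script runs elevated on the target computer (for example as a startup script) and that the CSE is installed as `%ProgramFiles%\LAPS\CSE\AdmPwd.dll`.

```powershell
# Added example (not from the original post): choose the MSI matching the OS
# architecture, install it silently with a verbose log, check the exit code,
# and verify the CSE DLL is present afterwards.
# Assumptions: placeholder share path; script runs elevated on the client.
$Share = '\\server\path'   # placeholder, replace with the real distribution point

function Install-LapsClient {
    param([string]$SourcePath, [string]$LogDir = "$env:windir\Temp")

    # 64-bit Windows needs the x64 package; the x86 package is for 32-bit Windows only
    $msi = if ([Environment]::Is64BitOperatingSystem) { 'LAPS.x64.msi' } else { 'LAPS.x86.msi' }
    $log = Join-Path $LogDir 'LAPS-install.log'

    $msiArgs = @('/q', '/i', (Join-Path $SourcePath $msi), '/norestart', '/l*v', $log)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is pending; anything else is an MSI error
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); see $log"
    }

    # The policy is applied by the CSE DLL; if it is missing, the GPO never acts on this machine
    $cse = Join-Path ${env:ProgramFiles} 'LAPS\CSE\AdmPwd.dll'
    if (-not (Test-Path $cse)) {
        throw "install reported exit code $($proc.ExitCode) but $cse is missing"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Package      = $msi
        ExitCode     = $proc.ExitCode
        RebootNeeded = ($proc.ExitCode -eq 3010)
    }
}

Install-LapsClient -SourcePath $Share
```

The returned object is what you would feed into whatever inventory or reporting you already have; the install log is the first thing to look at when the exit code is anything other than 0 or 3010.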
Just remember, LAPS only supports Windows Vista and up for client systems and Windows Server 2003 SP1 on server systems. Support for Windows XP is not included if you still have that floating around in your environment.
If you need assistance deploying the agent out to computers, Joseph has written a great guide on installing applications with Group Policy or System Center Configuration Manager (SCCM). My personal preference is to use Configuration Manager because it gives me access to reporting and lets me know if any clients have errors when trying to install the software.
Viewing passwords with the GUI
Two ways exist to view the password for a computer that has a LAPS-managed Administrator password. The first method is to use Active Directory Users and Computers (ADUC). In ADUC, click View and then confirm that Advanced Features has a check by it. If it doesn’t, clicking it will enable the Advanced Features.
Enable Advanced Features in Active Directory Users and Computers
Next, find the computer, double-click it, and then click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features or the account that you’re using doesn’t have appropriate permissions on the computer object. Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password.
ms-Mcs-AdmPwd attribute on the Attribute Editor tab of computer properties
If you installed the full suite of Admin tools for LAPS, the “Fat client UI” will be installed on your management station. The actual installed application is called LAPS UI and can be found on the Start screen.
LAPS UI on the Start screen
When you run the LAPS UI application, you’ll need to enter the full name of the computer. Unfortunately, the LAPS application doesn’t currently allow you to search for computers in Active Directory; so, you’ll need to know the full name of the computer. After you enter the computer name, clicking the Search button will display the current Administrator password as well as the date and time that the password will expire. The LAPS UI application also allows you to set a new expiration time or force an immediate expiration. If the password or expiration fields are blank, the account you’re using most likely doesn’t have sufficient permissions to read the attribute in AD.
LAPS UI application showing a computer’s local Administrator password
Viewing passwords with PowerShell
The Management Tools also include a PowerShell module that you can use for viewing passwords and forcing expiration. First, you’ll need to load the AdmPwd.PS module and then use the Get-AdmPwdPassword cmdlet:
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName WIN81-X64
Viewing an Administrator password with Get-AdmPwdPassword
If you need to force the password to change, you can use the Reset-AdmPwdPassword cmdlet to force an immediate change to the password:
Reset-AdmPwdPassword -ComputerName WIN81-X64
Adding -WhenEffective allows you to control the date and time that the password will update on the computer:
Reset-AdmPwdPassword -ComputerName WIN81-X64 -WhenEffective "6.14.2015 18:00"
Force a reset of a local Administrator password with Reset-AdmPwdPassword
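Looking up one computer at a time is fine for support work, but once LAPS is deployed you also want to know which machines it is not covering. The expiration attribute alone tells you that: a computer with no ms-Mcs-AdmPwdExpirationTime has never had a LAPS password set (client missing or GPO not applied), and one whose expiration is in the past has a client that stopped rotating. The report below is an added example, not code from the original post or from the AdmPwd.PS module; it uses the ActiveDirectory module (RSAT), a placeholder search base, and an account that can read the expiration attribute. It deliberately reads only the timestamp, never ms-Mcs-AdmPwd, so it can be run by people who are not allowed to see passwords.

```powershell
# Added example (not from the original post): report LAPS coverage across an OU
# without touching the password attribute.
# Assumptions: ActiveDirectory module present, placeholder search base, and
# read permission on ms-Mcs-AdmPwdExpirationTime.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = 'OU=Workstations,DC=example,DC=com')  # placeholder OU

    $now = Get-Date
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem', 'LastLogonDate' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # The attribute stores a Windows FILETIME (100 ns ticks since 1601) as a 64-bit integer
        $expires = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }

        if (-not $raw) {
            $state = 'NotManaged'   # never set: client not installed or policy not applied
        }
        elseif ($expires -lt $now) {
            $state = 'Expired'      # due for rotation but the CSE has not done it
        }
        else {
            $state = 'Managed'
        }

        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogonDate   = $_.LastLogonDate
            PasswordExpires = $expires
            State           = $state
        }
    }
}

$report = Get-LapsCoverage

# Summary by state, then the machines that need attention, most recently active first
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne 'Managed' |
    Sort-Object LastLogonDate -Descending |
    Format-Table Name, OperatingSystem, LastLogonDate, PasswordExpires, State -AutoSize
```

A NotManaged computer that has logged on recently is the one to chase: it is in use and still has whatever local Administrator password it was imaged with. Stale accounts that never log on belong in your normal computer-cleanup process rather than in the LAPS report.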
For a free tool, I find it hard to complain about Microsoft LAPS. It doesn’t have the bells and whistles that some paid products include, but it isn’t intended to compete with those products either. If you’re looking for a simple way to both randomize local Administrator passwords and ensure that they differ between systems, I highly recommend deploying Microsoft’s Local Administrator Password Solution in your lab/test environment and giving it a spin.
In my next post, I will cover a few frequently asked questions about LAPS.