Configuring Group Policy
In Part 2 of this series, How to set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory, we installed the Management Tools. If you're using a separate management station, run one of the LAPS installers (x86 or x64) on it and make sure that the GPO Editor templates are selected as part of the install; without the templates, the LAPS policies will not appear in the Group Policy editor.
Local Administrator Password Solution custom setup options for server
LAPS policies in the Group Policy Management Console
The LAPS settings appear under Computer Configuration > Policies > Administrative Templates > LAPS in a GPO linked to the OU that contains the computers you want to manage. First, enable password management with LAPS by setting the "Enable local admin password management" policy to Enabled.
Enable local admin password management
Next, enable the "Password Settings" policy and configure your password options. With this setting, you can configure the complexity (from large letters only up to large and small letters, numbers, and special characters), the length, and the maximum password age; the defaults are the full character set, 14 characters, and 30 days. Lowering the length or complexity weakens every managed account at once, so there is rarely a reason to go below the defaults.
Password settings for LAPS
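The same GPO, built with the GroupPolicy module instead of the GPMC, as an added example that is not part of the original article. It writes the registry-based policy values that the LAPS ADMX templates write, links the GPO, and reads the values back so you can confirm the GPO carries what you intended. The GPO name, the OU, and the 20-character length are assumptions; the registry key and value names are the ones the LAPS templates use.

```powershell
# Added example (not from the original article): create the LAPS GPO shown in the
# GPMC screenshots with the GroupPolicy module and verify it. Requires the
# GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'LAPS - Workstations'                                 # assumed GPO name
$TargetOU = 'OU=Workstations,DC=corp,DC=example'                  # assumed OU
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'    # key written by the LAPS ADMX

# "Enable local admin password management" = Enabled
# "Password Settings" = Enabled: complexity 4 (large + small letters, numbers,
# special characters), 20 characters (assumed), 30-day maximum age.
$Settings = @{
    AdmPwdEnabled      = 1
    PasswordComplexity = 4
    PasswordLength     = 20
    PasswordAgeDays    = 30
}

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'LAPS: managed local Administrator passwords' | Out-Null
}

foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name -Type DWord -Value $Settings[$name] | Out-Null
}
# "Name of administrator account to manage" is only needed if the built-in
# Administrator was renamed; LAPS finds the built-in account by RID 500 otherwise.
# Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName AdminAccountName -Type String -Value 'LocalAdmin'

# Link the GPO to the OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Read back what the GPMC would display and flag anything that differs from the request.
$actual = Get-GPRegistryValue -Name $GpoName -Key $Key
foreach ($name in $Settings.Keys) {
    $value  = ($actual | Where-Object ValueName -eq $name).Value
    $status = if ($value -eq $Settings[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-20} expected={1,-4} actual={2,-4} {3}' -f $name, $Settings[$name], $value, $status
}
```

After a client runs gpupdate, the same value names show up on the computer under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, which is a quick way to confirm that the policy reached the machine before you look for a password in AD.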
The third policy, "Name of administrator account to manage", only needs to be configured if you have renamed the built-in Administrator account. LAPS locates the built-in account by its well-known RID (500), so leave this setting Not Configured unless you manage a differently named account.
Name of Administrator account to manage policy
Installing the client
The Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy client-side extension (the "AdmPwd GPO Extension" feature) without any additional options, so you can use your deployment tool of choice and run:
# For 64-bit/x64 systems
msiexec /q /i \\server\path\LAPS.x64.msi
# For 32-bit/x86 systems
msiexec /q /i \\server\path\LAPS.x86.msi
Just remember, LAPS only supports Windows Vista and later on client systems and Windows Server 2003 SP1 and later on servers. Windows XP is not supported if you still have it floating around in your environment. If you need assistance deploying the agent to computers, Joseph has written a great guide on installing applications with Group Policy or System Center Configuration Manager (SCCM). My personal preference is Configuration Manager because it gives me access to reporting and lets me know if any clients had errors while installing the software.
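The deployment step above, wrapped in a script that picks the right MSI for the machine's architecture, keeps an MSI log, interprets the msiexec exit code, and then verifies that the client-side extension is really present; this is an added example and not code from the original article. The UNC share and log directory are assumptions. It is meant to run as SYSTEM or an administrator from whatever tool you deploy with, so that the reporting the article recommends has something concrete to report on.

```powershell
# Added example (not from the original article): install the architecture-matching
# LAPS MSI silently and verify that the Group Policy CSE is registered.
$Share  = '\\server\path'                                  # assumed share holding LAPS.x64.msi / LAPS.x86.msi
$LogDir = Join-Path $env:ProgramData 'LAPS-Install'        # assumed log location

function Install-LapsClient {
    param([string]$SourceShare = $Share, [string]$LogDirectory = $LogDir)

    $arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $msi  = Join-Path $SourceShare "LAPS.$arch.msi"
    if (-not (Test-Path -LiteralPath $msi)) { throw "MSI not found: $msi" }

    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    $log = Join-Path $LogDirectory "LAPS.$arch.install.log"

    # /qn silent, /norestart so the deployment tool controls reboots, /l*v verbose log
    $args = @('/qn', '/norestart', '/i', "`"$msi`"", '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { $result = 'Installed' }
        3010    { $result = 'Installed, reboot required' }
        1638    { $result = 'Another version is already installed' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Architecture = $arch; Result = $result; Log = $log }
}

function Test-LapsClient {
    # The CSE is AdmPwd.dll in System32, registered under GPExtensions with the
    # LAPS CSE GUID. If either is missing the policy is silently never applied.
    $dll = Join-Path $env:SystemRoot 'System32\AdmPwd.dll'
    $cse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $present = Test-Path -LiteralPath $dll
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        DllPresent    = $present
        DllVersion    = if ($present) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion } else { $null }
        CseRegistered = Test-Path -LiteralPath $cse
    }
}

Install-LapsClient
Test-LapsClient
```

Test-LapsClient is also useful on its own when a computer never gets a password in AD: a missing DLL or CSE registration means the install never completed, whereas a present CSE and an empty ms-Mcs-AdmPwd attribute points at the GPO link or at the computer's permission to write its own password attribute.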
Viewing passwords with the GUI
There are two ways to view the password for a computer that has a LAPS-managed Administrator password. The first is Active Directory Users and Computers (ADUC). In ADUC, click View and confirm that Advanced Features has a check mark next to it; if it doesn't, clicking it enables Advanced Features.
Enable Advanced Features in Active Directory Users and Computers
Next, find the computer, double-click it, and click the Attribute Editor tab. If the Attribute Editor tab is missing, either you haven't enabled Advanced Features or the account you're using doesn't have appropriate permissions on the computer object. Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password. The attribute is marked confidential in the schema, so an account without the extended right to read it sees <not set> even when a password exists; the companion ms-Mcs-AdmPwdExpirationTime attribute stores the expiration as a 64-bit file time.
ms-Mcs-AdmPwd attribute on the Attribute Editor tab of computer properties
If you installed the full suite of Management Tools for LAPS, the "Fat client UI" is installed on your management station. The installed application is called LAPS UI and can be found on the Start screen.
LAPS UI on the Start screen
When you run the LAPS UI application, you need to enter the full name of the computer. Unfortunately, LAPS UI doesn't currently let you search for computers in Active Directory, so you need to know the computer name in advance. After you enter the name, clicking Search displays the current Administrator password along with the date and time the password will expire. LAPS UI also lets you set a new expiration time or force an immediate expiration. If the password and expiration fields are blank, the account you're using most likely doesn't have sufficient permissions to read the attribute in AD; the other possibility is that the client has not yet applied the policy and set a password.
LAPS UI application showing a computer’s local Administrator password
Viewing passwords with PowerShell
The Management Tools also include a PowerShell module that you can use for viewing passwords and forcing expiration. First, load the AdmPwd.PS module and then use the Get-AdmPwdPassword cmdlet:
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName WIN81-X64
Viewing an Administrator password with Get-AdmPwdPassword
If you need the password changed, use the Reset-AdmPwdPassword cmdlet. Note that the cmdlet does not change the password itself: it sets the ms-Mcs-AdmPwdExpirationTime attribute on the computer object to the current time, and the LAPS client generates and sets the new password during its next Group Policy refresh. Run gpupdate /force on the computer if you don't want to wait for the refresh interval:
Reset-AdmPwdPassword -ComputerName WIN81-X64
Adding -WhenEffective lets you control the date and time after which the password will be updated on the computer. Pass a [datetime] value or an unambiguous date format; a string such as "6.14.2015 18:00" is parsed according to the culture of the session running the cmdlet:
Reset-AdmPwdPassword -ComputerName WIN81-X64 -WhenEffective "6.14.2015 18:00"
Force a reset of a local Administrator password with Reset-AdmPwdPassword
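An OU-wide version of the two lookups above, serving both the ADUC Attribute Editor section and this PowerShell section, as an added example that is not part of the original article. It reads the same ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that the Attribute Editor tab shows, converts the file-time expiration into a readable date, flags computers whose password has already expired (the client should have rotated it), and uses Reset-AdmPwdPassword to expire those so the next Group Policy refresh rotates them. The OU is an assumption; the ActiveDirectory and AdmPwd.PS modules and an account with the read-password right are required.

```powershell
# Added example (not from the original article): audit the LAPS state of every
# computer in an OU and expire passwords that are overdue for rotation.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    $props = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem'
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $props | ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # Stored as a 64-bit Windows file time; empty means the client never wrote a password.
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
        $pwd = $_.'ms-Mcs-AdmPwd'
        [pscustomobject]@{
            ComputerName    = $_.Name
            OperatingSystem = $_.OperatingSystem
            # $false either because no password is set or because this account
            # lacks the extended right on the confidential attribute.
            HasPassword     = [bool]$pwd
            Expires         = $expires
            Expired         = ($null -ne $expires -and $expires -lt (Get-Date))
            # Never put the password itself into a report; the length is enough to spot policy drift.
            PasswordLength  = if ($pwd) { $pwd.Length } else { 0 }
        }
    }
}

function Reset-ExpiredLapsPasswords {
    param([Parameter(Mandatory)][string]$SearchBase, [switch]$WhatIf)

    Get-LapsStatus -SearchBase $SearchBase | Where-Object Expired | ForEach-Object {
        if ($WhatIf) {
            "Would expire the password on $($_.ComputerName) (expired $($_.Expires))"
        } else {
            # Sets ms-Mcs-AdmPwdExpirationTime to now; the client changes the password
            # on its next Group Policy refresh, not at this moment.
            Reset-AdmPwdPassword -ComputerName $_.ComputerName | Out-Null
            "Expiration set on $($_.ComputerName)"
        }
    }
}

$ou = 'OU=Workstations,DC=corp,DC=example'    # assumed OU
Get-LapsStatus -SearchBase $ou | Sort-Object Expires | Format-Table -AutoSize
Reset-ExpiredLapsPasswords -SearchBase $ou -WhatIf
```

If every computer reports HasPassword = $false, check your own rights before blaming the clients: Find-AdmPwdExtendedRights -Identity $ou (also in AdmPwd.PS) lists the principals that have been granted the right to read the password attribute on that OU. A computer that was expired by this script but still shows the old expiration a day later has not applied the policy, which takes you back to the client-side checks in the installation section.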