LAPS allows you to rotate the passwords of your local administrator accounts. It gives you the possibility to view and set admin passwords from the command line or by using the fat client on a management computer. This reduces the risk of one hacked machine compromising your whole client network, because the local administrator password is unique per machine and changes regularly. This article will show you how to set it up and give you a few hints about the usage.
You should consider it if:
- Every workstation/server has the same local administrator password
- Some people know the local administrator password
- You do not have a process to change passwords regularly
Table of contents
- Local Administrator Password Solution – LAPS the basics
- Further Readings
Install LAPS on a managed client
On your client you just need the one DLL (the AdmPwd GPO Extension). The easiest way is to run the LAPS.x64.msi installer with the /quiet switch, which installs the AdmPwd GPO Extension and nothing else. Download here
Alternatively use the following code, if you have no GUI.
Invoke-WebRequest -Uri https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi -OutFile $env:TEMP\LAPS.x64.msi; Start-Process $env:TEMP\LAPS.x64.msi -ArgumentList " /quiet"
Steps needed on your Active Directory servers
This part will cover all the steps you need to do on your Active Directory Servers.
Install LAPS on your active directory server
Run the MSI installer from Microsoft and install the Management Tools; the fat client is optional. It can be installed on another management computer to view and reset admin passwords from there.
Extend the AD schema to use LAPS
This will extend the schema of your Active Directory and add the following attributes to your schema.
- ms-Mcs-AdmPwd – Stores the password in clear text
- ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password
Please make sure you do follow the “Restrict the access to authorized users” part. Since the passwords are stored in clear text, you need to prevent unauthorized users from reading that attribute.
Steps to do so:
- Get an account that is a member of the Schema Admins group (the membership can be removed again after the action)
- Import the installed AdmPwd module
- Open PowerShell (elevated)
The console output should look like this:
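As an added example that is not part of the original article, the schema extension done in an elevated PowerShell session on a domain controller, followed by a check that the two attributes are present. It assumes the LAPS Management Tools (the AdmPwd.PS module) are installed on this server, that the RSAT ActiveDirectory module is available for the verification step, and that the current user is a member of Schema Admins.

```powershell
# Added example (not from the original article): extend the AD schema for LAPS.
# Assumes the AdmPwd.PS module (LAPS Management Tools) and the RSAT
# ActiveDirectory module are installed, and the session is elevated.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Make sure the account you are using is actually in Schema Admins before
# running the schema update; otherwise Update-AdmPwdADSchema fails.
$me = $env:USERNAME
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($schemaAdmins -notcontains $me) {
    throw "$me is not a member of Schema Admins; add the account (temporarily) first."
}

# Adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime and attaches them to the
# computer class. Every row of the output should show Status: Success.
Update-AdmPwdADSchema

# Verify: both attributes must now exist in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -like 'ms-Mcs-AdmPwd*' } |
    Select-Object Name, lDAPDisplayName
```

If the verification query returns fewer than two objects, the schema update did not complete; rerun it from the same session and check the Status column before moving on to the GPO and permission steps.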
Preparing a GPO to set the password settings.
First you need to make sure your policy definitions are up to date. To do so, copy the files from C:\Windows\PolicyDefinitions to \\yourdomain.com\sysvol\yourdomain.com\Policies\PolicyDefinitions. If everything went right you should see LAPS under Computer Configuration -> Policies -> Administrative Templates -> LAPS.
The LAPS configuration (password length and complexity) needs to meet the password complexity defined in your domain password policy; otherwise LAPS will not be able to set the passwords.
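The following added check, which is not from the original article, is something to run on a managed client after a gpupdate: it reads the LAPS settings the client received through the GPO (the registry values the LAPS GPO extension uses) and compares them with the domain password policy, so a length or complexity mismatch is caught before the client's event log fills with failed password resets. The registry path and value names are the documented LAPS policy values; the thresholds used for the comparison (at least three character classes when domain complexity is enabled) are an assumption of this check, and the script assumes the RSAT ActiveDirectory module is available on the host.

```powershell
# Added example (not from the original article): compare the LAPS policy a
# client received with the domain password policy.
# Assumes the RSAT ActiveDirectory module is installed on this host.
Import-Module ActiveDirectory

$lapsKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (-not (Test-Path $lapsKey)) {
    throw 'No LAPS policy has been applied to this client yet (run gpupdate /force and retry).'
}
$laps = Get-ItemProperty -Path $lapsKey

# LAPS defaults apply when a value is not configured in the GPO:
# length 14, complexity 4 (large letters + small letters + numbers + specials).
$lapsLength     = if ($null -ne $laps.PasswordLength)     { [int]$laps.PasswordLength }     else { 14 }
$lapsComplexity = if ($null -ne $laps.PasswordComplexity) { [int]$laps.PasswordComplexity } else { 4 }
$lapsEnabled    = ($null -ne $laps.AdmPwdEnabled) -and ([int]$laps.AdmPwdEnabled -eq 1)

$domain = Get-ADDefaultDomainPasswordPolicy

$problems = @()
if (-not $lapsEnabled) {
    $problems += 'AdmPwdEnabled is not 1: the client will not manage the local admin password.'
}
if ($lapsLength -lt $domain.MinPasswordLength) {
    $problems += "LAPS password length $lapsLength is below the domain minimum of $($domain.MinPasswordLength)."
}
# Domain complexity requires characters from three of four classes; LAPS
# complexity 1 or 2 (only letters) cannot satisfy it. Threshold is an assumption.
if ($domain.ComplexityEnabled -and $lapsComplexity -lt 3) {
    $problems += "LAPS complexity level $lapsComplexity cannot satisfy the domain complexity requirement."
}

if ($problems.Count -eq 0) {
    Write-Output "LAPS policy (length $lapsLength, complexity $lapsComplexity) is compatible with the domain policy."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as an administrator on a test workstation in the target OU before rolling the GPO out to the whole OU; fixing the GPO once is cheaper than chasing failed resets on hundreds of clients.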
Configuring Active Directory permissions
Each machine that needs to rotate its password has to be able to update the newly introduced attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime) on its own computer object. In order to achieve that we need to allow the machines to write those attributes. This is done with the PowerShell cmdlet Set-AdmPwdComputerSelfPermission from the AdmPwd.PS module.
Allowing machines to Save their password
On every OU in which you want the computer objects to update their passwords, run the following line.
Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Workstations,DC=fistoftech,DC=ch'
Restrict the access to authorized users
Find-AdmPwdExtendedRights -OrgUnit 'OU=Workstations,DC=fistoftech,DC=ch' | Select -ExpandProperty ExtendedRightHolders
After identifying who has rights to these attributes, you need to manually remove the “Extended Attributes” right from everyone who should not be able to read the passwords.
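As an added example that is not part of the original article, the complete permission setup for one OU, from delegating the SELF write right to auditing and then explicitly granting read and reset rights, followed by a check from a management host. The OU path is the one used in the article; the group names LAPS-Password-Readers and LAPS-Password-Resetters and the computer name WS-001 are placeholders, and the script assumes the AdmPwd.PS module is installed on the host running it.

```powershell
# Added example (not from the original article): delegate and audit LAPS
# permissions for one OU. Group and computer names are placeholders.
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=fistoftech,DC=ch'

# 1. Let every computer in the OU write its own ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime values (write permission for SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Audit: list every principal that currently holds extended rights on the
#    OU and can therefore read the clear-text password. Anything here that is
#    not a dedicated LAPS group should have that right removed by hand in
#    the OU's security settings before the GPO is enabled.
Find-AdmPwdExtendedRights -OrgUnit $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 3. Grant read and reset rights only to dedicated delegation groups
#    (group names are placeholders).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'LAPS-Password-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'LAPS-Password-Resetters'

# 4. Verify from a management host as a member of the reader group:
#    the password and its expiration time are returned for a managed client...
Get-AdmPwdPassword -ComputerName 'WS-001' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# ...and as a member of the resetter group, the expiration time can be set
#    to now, so the client rotates the password at its next policy refresh.
Reset-AdmPwdPassword -ComputerName 'WS-001' -WhenEffective (Get-Date)
```

Repeat step 2 after any change to the OU's ACL; an inherited “All extended rights” entry added later (for example for a helpdesk group) silently grants password read access again.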
In-depth information about registry keys and event IDs, plus further details, is in the LAPS_TechnicalSpecification.docx.
Everything you need to know about the implementation of LAPS and how to operate it is in the LAPS_OperationsGuide.docx.
Both can be downloaded here.