LAPS (Local Administrator Password Solution) sets a unique, random password for the local administrator account on every managed machine, rotates it on a schedule and stores the current value in Active Directory. Authorized users can view and reset those passwords from the command line or with the fat client (LAPS UI) on a management computer. Because no two machines share a local administrator password any more, one hacked machine can no longer be used to log on to every other client with the same credential, which is what usually turns a single compromised workstation into a compromised client network. This article shows you how to set it up and gives a few hints about its usage.

You should consider it if:

  • Every workstation/server has the same local administrator password
  • Some people know the local administrator password
  • You do not have a process to change passwords regularly


Install LAPS on a managed client

On the client you only need the LAPS Group Policy client-side extension, which is a single DLL (AdmPwd.dll). Either copy and register that DLL with regsvr32, or run the installer silently: msiexec /i LAPS.x64.msi /quiet installs only the extension by default (the management tools are not installed unless you select them). Download here

Alternatively, if the client has no GUI, download and install it from PowerShell:

Invoke-WebRequest -Uri https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi -OutFile "$env:TEMP\LAPS.x64.msi"
Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\LAPS.x64.msi`" /quiet" -Wait
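The following script is an added example, not part of the original article: it installs the client-side extension silently and then checks that the install actually took, which the one-liner above does not do. It assumes the MSI has already been downloaded to $env:TEMP\LAPS.x64.msi; the CSE GUID and registry location are the ones Microsoft's LAPS documentation gives for the extension.

```powershell
# Added example (not from the article): install the LAPS CSE silently and verify it.
# Assumption: the installer was already downloaded to $env:TEMP\LAPS.x64.msi.
$msi = Join-Path $env:TEMP 'LAPS.x64.msi'

# Check the Authenticode signature before running an installer as SYSTEM.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to install: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# ADDLOCAL=CSE installs only the client-side extension; the verbose log helps on a headless box.
$msiArgs = "/i `"$msi`" ADDLOCAL=CSE /quiet /norestart /l*v `"$env:TEMP\LAPS-install.log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode) (see $env:TEMP\LAPS-install.log)" }

# The extension registers itself under Winlogon\GPExtensions with the GUID Microsoft assigned
# to LAPS; verify both the registration and the DLL it points to.
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
$cse = Get-ItemProperty -Path $cseKey -ErrorAction Stop
$dll = [Environment]::ExpandEnvironmentVariables($cse.DllName)
if (-not (Test-Path $dll)) { throw "CSE is registered but $dll is missing" }
Write-Host "LAPS CSE installed: $dll"

# Once the GPO from the later sections is linked, apply it and read the events the extension
# writes (source 'AdmPwd' in the Application log) to confirm the first rotation happened.
gpupdate /target:computer /force | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Exit code 3010 means "reboot required" and is treated as success here; the extension is only loaded on the next policy refresh anyway, which is why the script forces one at the end.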

Steps needed on your Active Directory servers

This part will cover all the steps you need to do on your Active Directory Servers.

Install LAPS on your active directory server

Run the same MSI from Microsoft on a domain-joined management machine (it does not have to be a domain controller) and select the management tools: the PowerShell module (AdmPwd.PS) and the Group Policy templates are required, the fat client (LAPS UI) is optional. The fat client can also be installed on another management computer to view and reset admin passwords from there; everything it does is also available through the AdmPwd.PS cmdlets.

Extend the AD schema to use LAPS

This extends the schema of your Active Directory by adding the following two attributes to the computer class (like every schema change this is permanent: the attributes can later be deactivated, but not removed).

  • ms-Mcs-AdmPwd – stores the current password in clear text. The attribute is marked confidential, so the default read permission of Authenticated Users does not cover it; reading it requires the "All extended rights" permission on the computer object.
  • ms-Mcs-AdmPwdExpirationTime – stores the time at which the client generates and sets a new password (a Windows FILETIME, i.e. 100-nanosecond intervals since 1601-01-01 UTC)

Please make sure you follow the "Restrict the access to authorized users" part below. Since the password is stored in clear text, everyone who holds "All extended rights" on the OU (Domain Admins and Enterprise Admins by default, plus anyone who was ever granted it for some other delegation) can read the passwords of all computers in it.

Steps to do so:

  1. Log on with an account that is a member of Schema Admins (log off and on again after adding the membership so the new token contains the group; the membership can be removed again after the action)
  2. Open an elevated PowerShell on a machine where the LAPS management tools are installed
  3. Import-Module AdmPwd.PS
  4. Run Update-AdmPwdADSchema

The console output should list three operations, each with the status Success: AddSchemaAttribute for ms-Mcs-AdmPwdExpirationTime, AddSchemaAttribute for ms-Mcs-AdmPwd, and ModifySchemaClass for computer.
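The script below is an added example and not part of the article: it runs the four steps above in one go and then verifies the result against the schema partition, including the check that matters most for security, namely that ms-Mcs-AdmPwd really carries the confidential flag. It assumes the LAPS management tools and the ActiveDirectory RSAT module are installed on the machine it runs on.

```powershell
# Added example (not from the article): extend the AD schema for LAPS and verify it.
# Assumes AdmPwd.PS (LAPS management tools) and the ActiveDirectory RSAT module are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Schema changes go to the schema master and require Schema Admins in the current token.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$isSchemaAdmin = [bool]((whoami /groups) -match 'Schema Admins')
if (-not $isSchemaAdmin) { throw 'Current token is not a member of Schema Admins; log off and on after adding the membership' }

# Idempotent: only extend the schema when the LAPS attributes are not there yet.
$filter   = '(lDAPDisplayName=ms-Mcs-AdmPwd*)'
$existing = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags)
if ($existing.Count -lt 2) {
    Update-AdmPwdADSchema | Format-Table Operation, Status -AutoSize
    $existing = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags)
}

# Both attributes must exist, and ms-Mcs-AdmPwd must be confidential (bit 0x80 of searchFlags);
# without that flag a plain "read all properties" permission would disclose every password.
$pwdAttr = $existing | Where-Object lDAPDisplayName -eq 'ms-Mcs-AdmPwd'
$expAttr = $existing | Where-Object lDAPDisplayName -eq 'ms-Mcs-AdmPwdExpirationTime'
if (-not $pwdAttr -or -not $expAttr) { throw 'LAPS attributes are missing from the schema' }
if (($pwdAttr.searchFlags -band 0x80) -eq 0) { throw 'ms-Mcs-AdmPwd is not marked confidential' }

# The computer class must list both attributes as optional (mayContain) attributes.
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties mayContain
$missing = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') | Where-Object { $computerClass.mayContain -notcontains $_ }
if ($missing) { throw "computer class does not contain: $($missing -join ', ')" }
Write-Host "Schema OK on schema master $($rootDse.dnsHostName)"
```

Run it a second time and it only performs the checks, which makes it usable as a post-change verification step as well.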

Preparing a GPO to set the password settings.

First make sure your policy definitions are up to date. The LAPS installer places AdmPwd.admx and en-US\AdmPwd.adml in C:\Windows\PolicyDefinitions on the management machine; copy both to the central store at \\yourdomain.com\sysvol\yourdomain.com\Policies\PolicyDefinitions (the .adml into the matching language subfolder). If everything went right you should see the settings in the Group Policy Management Editor under Computer Configuration -> Policies -> Administrative Templates -> LAPS: "Password Settings" (complexity, length, age), "Name of administrator account to manage" (only needed when a custom account rather than the built-in administrator is managed), "Do not allow password expiration time longer than required by policy", and "Enable local admin password management", which must be enabled or the client does nothing at all.

The password length and complexity you configure in LAPS must satisfy the password policy that is effective on the client (for domain members this is the Account Policies section of the Default Domain Policy, which also governs local accounts). Otherwise the client cannot set the new password and only reports an error in the Application log (source AdmPwd).
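As an added example (not from the article), the following script creates and links the LAPS GPO from PowerShell instead of the editor. The ADMX settings listed above are plain registry values under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, which is the key the LAPS templates write, so Set-GPRegistryValue from the GroupPolicy RSAT module can set them directly. The GPO name, the OU and the chosen values are assumptions for this example.

```powershell
# Added example (not from the article): create and link the LAPS GPO with the GroupPolicy module.
# Assumptions: GPO name, target OU and the concrete password settings.
Import-Module GroupPolicy

$gpoName  = 'LAPS - Workstations'
$targetOU = 'OU=Workstations,DC=fistoftech,DC=ch'
$key      = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # key written by the LAPS ADMX

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Local administrator password rotation' }

# "Enable local admin password management": without it the CSE is installed but idle.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null
# "Password Settings": 4 = upper, lower, digits and specials; 20 characters; rotate every 30 days.
# These must satisfy the password policy effective on the clients or the change fails.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null
# "Do not allow password expiration time longer than required by policy": prevents anyone with
# write access from pushing ms-Mcs-AdmPwdExpirationTime years into the future to stop rotation.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null
# "Name of administrator account to manage" is deliberately left unset: LAPS then manages the
# built-in administrator by its well-known RID 500, even if the account has been renamed.

# Link the GPO to the same OU that gets Set-AdmPwdComputerSelfPermission later.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Read the values back; a missing entry here means a typo in one of the lines above.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Value | Format-Table -AutoSize

# On a client, after "gpupdate /force", the same values must appear here. If AdmPwdEnabled is
# absent the GPO is not applying (check the link, security filtering or a WMI filter):
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
```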

Configuring Active Directory permissions

Each machine that should rotate its password has to be able to write the two newly introduced attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime) on its own computer object; it never needs to read the password back. This is granted to the SELF principal on the OU with the PowerShell cmdlet Set-AdmPwdComputerSelfPermission from the AdmPwd.PS module, and the permission is inherited by every computer object below that OU.

Allowing machines to Save their password

On every OU whose computer objects should update their passwords, run the following line (the permission is inherited, so the top OU of a subtree is enough):

Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Workstations,DC=fistoftech,DC=ch'

Restrict the access to authorized users

Find-AdmPwdExtendedRights -OrgUnit 'OU=Workstations,DC=fistoftech,DC=ch' | Select -ExpandProperty ExtendedRightHolders

This lists every principal that holds "All extended rights" on the OU and can therefore read the clear-text password of every computer in it; Domain Admins, Enterprise Admins and SYSTEM are expected, anything else (old delegations, helpdesk groups with Full Control) is exactly what you are looking for. For every holder that is not supposed to read passwords, remove the right manually in Active Directory Users and Computers: OU -> Properties -> Security -> Advanced -> select the entry -> Edit -> clear "All extended rights" (an entry with Full Control has to be narrowed down, not just deleted). Then grant the intended groups read and reset rights explicitly with Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission (both take -OrgUnit and -AllowedPrincipals), and run Find-AdmPwdExtendedRights again to confirm the list is what you expect.
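The script below is an added example, not part of the article: it carries out the permission steps of this and the previous section for one OU, then audits the extended-rights holders against an allowlist and finally checks from the reader's side that a password is actually returned. The OU, the group names and the test computer are assumptions; the cmdlets are the ones from the AdmPwd.PS module.

```powershell
# Added example (not from the article): delegate LAPS permissions on an OU and audit who can read passwords.
# Assumptions: the OU, the group names LAPS-Readers / LAPS-Resetters and the computer WS-001.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=fistoftech,DC=ch'
$readers   = @('LAPS-Readers')     # helpdesk: may view passwords
$resetters = @('LAPS-Resetters')   # may force a rotation (writes ms-Mcs-AdmPwdExpirationTime)
# Everyone else who shows up with "All extended rights" must be explained or removed.
$expectedHolders = @('Domain Admins', 'Enterprise Admins', 'SYSTEM') + $readers + $resetters

# 1. Let computer objects below the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

# 2. Delegate reading the password and resetting it to the intended groups only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers   | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters | Out-Null

# 3. Audit: every principal holding "All extended rights" on the OU or a sub-OU can read the
#    clear-text passwords there. Names come back as DOMAIN\name, so compare the name part only.
$unexpected = foreach ($entry in Find-AdmPwdExtendedRights -OrgUnit $ou) {
    foreach ($principal in $entry.ExtendedRightHolders) {
        if ($expectedHolders -notcontains $principal.Split('\')[-1]) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Holder = $principal }
        }
    }
}
if ($unexpected) {
    Write-Warning 'Principals that can read LAPS passwords but are not on the allowlist (fix in ADUC):'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Extended rights on $ou are limited to the expected principals"
}

# 4. Functional check, run in a session of a LAPS-Readers member: the password is only returned
#    to principals with the read right; everyone else sees an empty Password field.
$sample = Get-AdmPwdPassword -ComputerName 'WS-001'
if ([string]::IsNullOrEmpty($sample.Password)) {
    Write-Host "No password visible for WS-001: not rotated yet (ExpirationTimestamp: $($sample.ExpirationTimestamp)) or no read right"
} else {
    Write-Host "Password for WS-001 readable, expires $($sample.ExpirationTimestamp)"
}
```

Step 3 is the one worth scheduling: delegations added later for other reasons (for example Full Control for a provisioning group) silently add password readers, and this check is how you notice.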

Further Readings:

In-depth information about the registry keys, the event IDs the client logs and the schema details is in the LAPS_TechnicalSpecification.docx.

Everything you need to know about the implementation of LAPS and how to operate it is in the LAPS_OperationsGuide.docx.

Both documents are offered on the same Microsoft download page as the installer and can be downloaded here.