Local Administrator Password Solution (LAPS)

Disclaimer:
  • LAPS is an add-on to Active Directory that has been enabled in the University of Oregon AD environment but Information Services does not provide support for it to other departments as part of the Active Directory Service.
  • Departmental IT units that want to implement LAPS in their environment must drive that decision themselves and accept responsibility for implementation decisions and ongoing support of LAPS for their department.

Overview

LAPS is a solution to eliminate the need to manage and track local administrator account passwords for Windows server/workstation machines. This has a few key advantages over the traditional password management process:

  • Machines with LAPS employed have automated randomized password changes
  • Password policies for machines are adjustable
  • Passwords are stored in AD within the computer object
  • Passwords do not have to be known or managed
  • Mass password change efforts may now exclude machines with LAPS employed, as their passwords are changed/randomized on a routine basis
  • Access to passwords can be delegated to help desk workstation technicians or other privileged groups without delegating higher authority

Software

Implementation

Create GPO and Link to Target OU

  • LAPS configuration settings are controlled through GPO.
    • This is found by going into Computer Configuration > Policies > Administrative Templates > LAPS
      [Screenshot: Group Policy Management Editor dialog box]
  • Settings include:
    • enabling admin password management
    • password complexity
    • time between password changes
    • the admin account to manage, whether the built-in Administrator or a custom local user account

Configure Permissions to LAPS Attributes on AD Computer Objects

  • LAPS attributes in AD are restricted by default and require an OU Admin account to configure.
  • Permissions changes needed include:
    • allowing each computer to update the LAPS attributes of its own AD object
    • allowing users or groups to read the LAPS attributes
    • allowing users or groups to reset the LAPS attributes
  • The computer object attributes that LAPS uses are: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
  • Using the AdmPwd PowerShell module, included in the MSI file provided by Microsoft, to perform permissions changes is recommended.

Below are some helpful PowerShell commands using the cmdlets provided by the AdmPwd module. Load the module first:

  PS C:\> Import-Module AdmPwd.ps

  • Recursively allows computers in target OU to update the LAPS attributes of their own AD objects
    • PS C:\> Set-AdmPwdComputerSelfPermission -OrgUnit "<Target OU>,OU=Units,DC=ad,DC=uoregon,DC=edu"
  • Recursively updates the permissions of all computer objects in target OU to allow entered AD user or group to read the LAPS attributes of said computer objects
    • PS C:\> Set-AdmPwdReadPasswordPermission -OrgUnit "<Target OU>,OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals <AD User or Group>
  • Recursively updates the permissions of all computer objects in target OU to allow entered AD user or group to reset the LAPS attributes of said computer objects
    • PS C:\> Set-AdmPwdResetPasswordPermission -OrgUnit "<Target OU>,OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals <AD User or Group>
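The three delegation steps above as one script, followed by the check a practitioner should run afterwards: listing every principal that holds extended rights (and so can read passwords) on the OU. This is an added example, not code from the article; the OU and group names are placeholders.

```powershell
# Added example (not from the original article). Assumes the AdmPwd.PS module
# is installed and the session runs as an OU Admin. OU and group names are placeholders.
Import-Module AdmPwd.PS

$TargetOU  = "OU=<Target OU>,OU=Units,DC=ad,DC=uoregon,DC=edu"  # placeholder
$Readers   = "<Helpdesk Group>"                                  # placeholder: may read passwords
$Resetters = "<Workstation Admins Group>"                        # placeholder: may reset expiration

# 1. Each computer may write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on its own object.
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 2. Delegate read and reset separately; reading is the sensitive right, so keep
#    the reader group as small as possible.
Set-AdmPwdReadPasswordPermission  -OrgUnit $TargetOU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $Resetters

# 3. Audit: list every principal holding extended rights on the OU. Extended rights
#    include reading the confidential ms-Mcs-AdmPwd attribute, so any principal here
#    that is not in $Readers (e.g. an old "All extended rights" delegation) can read
#    every managed local admin password and should be reviewed.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List
```

Re-run step 3 after any ACL change on the OU; the self-permission in step 1 does not appear in this list because it grants write, not read.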

Install LAPS Client-Side Extension on Target Systems

  • LAPS requires a locally installed, client-side extension on each system being managed to process the GPO settings.
  • The extension comes with the MSI installer provided by Microsoft and is listed as AdmPwd GPO Extension in the features portion of the installation.

[Screenshot: LAPS Setup dialog box showing the AdmPwd GPO Extension]

Retrieving Password

PowerShell

  • With AdmPwd.ps Module: Get-AdmPwdPassword -ComputerName <ComputerName>
  • Without AdmPwd.ps Module: Get-ADComputer <ComputerName> -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

LAPS UI

Available in the LAPS MSI installer labeled as Fat client UI in the features section.

[Screenshot: LAPS UI example dialog box]

Active Directory Users and Computers Administration Tool

The password can be viewed in the Attribute Editor tab on desired computer object.

[Screenshot: Administrative Password highlighted within the Attribute Editor window]

Force Password Reset

Forcing an update of the password on a system is done through updating the next expiration time either through PowerShell or through the LAPS UI client. The password will reset on the next Group Policy refresh following the expiration time.

  • PowerShell requires the AdmPwd.ps module and the cmdlet is: Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
  • Resetting through the LAPS UI client can be done by searching for the relevant system, entering the next desired expiration time, and pressing the Set button.
  • Note: Administrators can still reset the local administrator password manually through local Administrative Tools but the new password will not be reflected in the computer object in AD and the next reset will occur as scheduled.
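An added example (not from the article) that ties the retrieval and reset sections together: it reads the two LAPS attributes for every computer in an OU, converts ms-Mcs-AdmPwdExpirationTime from its FILETIME storage format, flags machines that are unmanaged, overdue, or whose expiration was pushed out beyond the assumed policy age, and uses Reset-AdmPwdPassword to pull those back to now. The OU name and the 30-day maximum age are assumptions.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory and
# the AdmPwd.PS module are installed and the caller has read and reset rights on
# the target OU. The OU DN is a placeholder; $MaxAge is assumed to match the GPO.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$TargetOU = "OU=<Target OU>,OU=Units,DC=ad,DC=uoregon,DC=edu"   # placeholder
$MaxAge   = 30                                                  # days (assumed policy value)
$NowUtc   = (Get-Date).ToUniversalTime()

$computers = Get-ADComputer -SearchBase $TargetOU -Filter * `
    -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    # The expiration is stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
    $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

    $state = if (-not $raw) {
        'Unmanaged'         # CSE never wrote the attribute: CSE missing, GPO not applied, or no self-permission
    } elseif ($expires -lt $NowUtc) {
        'Overdue'           # past expiration but not rotated: client is not refreshing Group Policy
    } elseif ($expires -gt $NowUtc.AddDays($MaxAge)) {
        'ExpirationTooFar'  # expiration pushed beyond the configured age, so rotation is delayed
    } else {
        'OK'
    }

    [pscustomobject]@{
        Name        = $c.Name
        ExpiresUtc  = $expires
        State       = $state
        # An empty value here can also mean the caller lacks read rights, not only that no password is set.
        HasPassword = [bool]$c.'ms-Mcs-AdmPwd'
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# Bring over-extended expirations back to "now"; each client then rotates its
# password on its next Group Policy refresh (gpupdate /force on the host speeds this up).
$report | Where-Object State -eq 'ExpirationTooFar' | ForEach-Object {
    Reset-AdmPwdPassword -ComputerName $_.Name -WhenEffective (Get-Date)
}
```

Machines reported as Unmanaged or Overdue need the client-side extension and self-permission checked rather than a reset, since a reset only moves the expiration time and relies on the client to act on it.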

Details

Article ID: 51593
Created: Thu 4/5/18 10:50 AM
Modified: Thu 11/3/22 5:04 PM