Set up and configure Microsoft Local Administrator Password Solution (LAPS)!


 

Dear Microsoft and Active Directory Friends,

 

Imagine the following scenario. All your systems (Windows clients) have been set up on the basis of a so-called "golden image". "Golden image" means that you have set up a reference system, made all settings, installed apps, etc., then shut the system down with Sysprep (generalized), and then set up all other clients from this image. This is all great, but by setting up the Windows clients from the "golden image", the same password is now in use for the local administrator account on every system. Oops!

 

But why should that be a problem? Here is my personal top 3 why this is a bad idea:

1. Employees leave the company knowing these passwords.

2. If all passwords are the same, lateral movement with a pass-the-hash attack is much easier in the event of an infection or attack.

3. If you ever have to give the password to a user (yes, it shouldn't happen, but it can), then they know the password for all systems.

 

This is where Microsoft Local Administrator Password Solution (LAPS) comes in. Now let's start setting up Microsoft LAPS together. First of all, we need the necessary software. You can download everything you need here:
https://www.microsoft.com/en-us/download/details.aspx?id=46899

_LAPS_01.jpg

 

There are two components in the .msi file I selected. First, the client-side extension (a kind of agent) and the administration components (a small GUI). But we'll look at that a little later.

Now that we have downloaded the "tool", we continue in Active Directory. First we need to check where the client systems are (in which organizational unit) so that we can later configure them with PowerShell.

_LAPS_02.jpg

 

Now we know where the client systems are. Now let's start with the installation of the management tools. In my test environment I use the DC01 system (this is a domain controller) because I have no other system available. You can also use another server for this.

_LAPS_03.jpg
_LAPS_04.jpg

 

As you can see there are several components which can be installed. The default is to install the CSE only. I have customized this selection because I want to install the management tools on this system.

_LAPS_05.jpg
_LAPS_06.jpg
_LAPS_07.jpg

 

File Reference:
The installation for the Fat client UI is done to folder:
%ProgramFiles%\LAPS
AdmPwd.UI.exe
AdmPwd.Utils.config
AdmPwd.Utils.dll

 

The installation for the PowerShell modules is done to folder:
%WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS
AdmPwd.PS.dll
AdmPwd.PS.format.ps1xml
AdmPwd.PS.psd1
AdmPwd.Utils.config
AdmPwd.Utils.dll
%WINDIR%\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\en-us
AdmPwd.PS.dll-Help.xml

 

The installation for the Group Policy files is done to folders:
%WINDIR%\PolicyDefinitions
AdmPwd.admx
%WINDIR%\PolicyDefinitions\en-US
AdmPwd.adml

 

Next, we will customize the schema right away on this system using PowerShell. For this I use the PowerShell ISE with elevated privileges. Of course you can use the editor you feel comfortable with. (# are Comments)

 

#Extend the AD Schema
Import-module AdmPwd.PS

Update-AdmPwdADSchema

_LAPS_08.jpg

 

Now we need to adjust the permissions of the computer objects. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password.

 

#Change Computer object permissions
Set-AdmPwdComputerSelfPermission -OrgUnit "Clients"

_LAPS_09.jpg

 

Add the permission (extended right) on the computer accounts to group(s) or user(s) that will be allowed to read (and also the write permissions if you wish) the stored password of the managed local Administrator account on managed computers.

 

#Assign permissions to the group for password access
#The extended permissions are only applied to the Domain Admins group
Find-AdmPwdExtendedRights -Identity "Clients"

 

#We need to grant the read permissions to "ITAdmins" Security group
Set-AdmPwdReadPasswordPermission -Identity "Clients" -AllowedPrincipals prime\ITAdmins

 

#We need to grant the write permissions to "ITAdmins" Security group
Set-AdmPwdResetPasswordPermission -OrgUnit "Clients" -AllowedPrincipals prime\ITAdmins

_LAPS_10.jpg
_LAPS_11.jpg

 

#Let's check
Find-AdmPwdExtendedRights -Identity "Clients"
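The steps above (schema extension, self permission, read and reset permission, check) as one re-runnable script, followed by an audit of who can actually read the stored passwords. This is an added example, not part of the original post: it assumes the AdmPwd.PS and ActiveDirectory modules are installed on the machine you run it from, that the OU "Clients" and the group "prime\ITAdmins" from the post exist, and that the baseline of expected rights holders (SYSTEM and Domain Admins) matches your domain.

```powershell
# Added example (not from the original post): prepare AD for LAPS, then audit
# who holds "All extended rights" on the OU, because every such principal can
# read the confidential ms-Mcs-AdmPwd attribute.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit   = "Clients"             # OU containing the managed computers (from the post)
$Readers   = @("prime\ITAdmins")   # principals allowed to read the password
$Resetters = @("prime\ITAdmins")   # principals allowed to force a reset

# 1. Extend the schema only if the LAPS attributes are not there yet,
#    so the script can be re-run without touching the schema twice.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=ms-Mcs-AdmPwd)"
if (-not $admPwdAttr) {
    Update-AdmPwdADSchema
}

# 2. Let each computer write its own password and expiration timestamp.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# 3. Grant read and reset rights to the admin group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $Resetters

# 4. Audit: list the extended-rights holders and warn about any principal
#    that is not in the expected baseline (baseline is an assumption; adjust it).
$expected = @("NT AUTHORITY\SYSTEM", "PRIME\Domain Admins") + $Readers |
    ForEach-Object { $_.ToLowerInvariant() }

Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($expected -notcontains $holder.ToLowerInvariant()) {
            Write-Warning "Unexpected password reader on ${dn}: $holder"
        }
    }
}
```

Run the audit part again whenever delegation on the OU changes: a group that was given "Full control" on the OU for an unrelated reason silently becomes a password reader, and this is the check that surfaces it.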

_LAPS_12.jpg

 

Now we move on to the group policies. In my test environment there is a so-called central policy store.

_LAPS_13.jpg

 

Depending on how your environment is set up, you need to make sure that the following files are also available at your end. If you are using a central policy store, copy the following two files to the central policy store. The two files can be found in the following path:

 

%WINDIR%\PolicyDefinitions
AdmPwd.admx
%WINDIR%\PolicyDefinitions\en-US
AdmPwd.adml

_LAPS_14.jpg
_LAPS_15.jpg

 

It continues with the creation of a new group policy. Open Group Policy Management and create a new Group Policy object.

_LAPS_16.jpg

 

The settings are located under Computer Configuration\Administrative Templates\LAPS

_LAPS_17.jpg

 

Management of the local administrator account password must be enabled so that the CSE can start managing it.

_LAPS_18.jpg

 

By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days. You can change the values to suit your needs by editing a Group Policy.

_LAPS_19.jpg

 

If you have decided to manage a custom local Administrator account, you must specify its name in the Group Policy (in my example it is admin).

_LAPS_20.jpg

 

If you do not want to allow a planned password expiration for the admin account to be set further in the future than the maximum password age, you can enforce that in the GPO as well.

_LAPS_21.jpg

 

Now we need to link our new group policy object to the correct "location".

_LAPS_22.jpg

 

Now, before we update the group policies on the client systems, we install the AdmPwd GPO extension on the clients. These can be installed/updated/uninstalled on clients using a variety of methods including the Software Installation feature of Group Policy, SCCM, login script, manual install, etc.

_LAPS_23.jpg

 

If you want to script this you can use this command line to do a silent install:
msiexec /i <file location>\LAPS.x64.msi /quiet

Just change the <file location> to a local or network path.
Example: msiexec /i \\server\share\LAPS.x64.msi /quiet
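The silent install wrapped for use in a startup script, with a log file, exit-code handling and a skip when the CSE is already present. This is an added example, not from the original post: the share path is the placeholder from the post, and the CSE location under %ProgramFiles%\LAPS\CSE is assumed.

```powershell
# Added example (not from the original post): silent install of the LAPS CSE
# from a share, logging to a file and reporting msiexec's exit code.
$MsiPath = "\\server\share\LAPS.x64.msi"                       # placeholder from the post
$LogPath = Join-Path $env:TEMP "LAPS-install.log"
$CseDll  = Join-Path $env:ProgramFiles "LAPS\CSE\AdmPwd.dll"   # assumed CSE location

if (Test-Path $CseDll) {
    Write-Output "LAPS CSE already present at $CseDll, nothing to do."
    return
}

# msiexec returns 0 on success and 3010 when the install needs a reboot.
$msiArgs = @("/i", "`"$MsiPath`"", "/quiet", "/norestart", "/l*v", "`"$LogPath`"")
$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "LAPS CSE installed." }
    3010    { Write-Output "LAPS CSE installed, reboot required." }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}
```

/norestart is deliberate: the post restarts the system as a separate step, and a startup script that reboots the machine on its own is hard to debug.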

 

Now update the group policies and restart the system out of habit.
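A check to run on a client after the policy refresh, before relying on the screenshots in AD: it confirms that the LAPS policy arrived and shows the values the CSE will use. This is an added example, not from the original post; the registry value names under the AdmPwd policy key are the ones written by the AdmPwd.admx template and are stated here as an assumption, so compare them with your own gpresult output if a name does not match.

```powershell
# Added example (not from the original post): verify the LAPS policy on a client
# after gpupdate and show the effective settings (value names are assumed).
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd"

gpupdate /target:computer /force | Out-Null

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "No LAPS policy applied; check the GPO link and the client's OU."
    return
}

$p = Get-ItemProperty -Path $PolicyKey
[pscustomobject]@{
    Enabled              = ($p.AdmPwdEnabled -eq 1)
    PasswordLength       = $p.PasswordLength        # default from the post: 14
    PasswordAgeDays      = $p.PasswordAgeDays       # default from the post: 30
    ManagedAccount       = if ($p.AdminAccountName) { $p.AdminAccountName } else { "built-in Administrator" }
    ExpirationProtection = ($p.PwdExpirationProtectionEnabled -eq 1)
}

# The CSE writes to the Application log with source "AdmPwd"; the most recent
# entries show whether the password was generated and written back to AD.
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "AdmPwd" } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```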

_LAPS_24.jpg

 

Now we check if everything works as prepared. In the Active Directory Users and Computers tool, make sure that you have enabled Advanced Features. Right click on the computer object, switch to the Attribute Editor tab and, lo and behold, the password is displayed here.

_LAPS_25.jpg
_LAPS_26.jpg

 

Now let's look at the password in the LAPS graphical tool.

_LAPS_27.jpg

 

Exactly the same password. Great! It also works with PowerShell.

_LAPS_28.jpg

 

To manually reset the password, just click the Set button in the LAPS UI tool. When the next Group Policy refresh runs, the password will be reset. You can also plan a password expiration for the future. To do so, enter the desired expiration date/time into the respective field.

 

You can also reset the password using PowerShell. For example:

_LAPS_29.jpg
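Reading and resetting the password from PowerShell, as an added example that is not part of the original post. It assumes the AdmPwd.PS module is installed, that the caller is a member of prime\ITAdmins (the group granted read and reset rights earlier), and that the managed computer is named CLIENT01 (a constructed name).

```powershell
# Added example (not from the original post): read the stored password and
# schedule a reset. CLIENT01 is a constructed computer name.
Import-Module AdmPwd.PS
$Computer = "CLIENT01"

$entry = Get-AdmPwdPassword -ComputerName $Computer
if (-not $entry.Password) {
    Write-Warning "No password stored for $Computer yet (CSE has not run, or no read permission)."
    return
}

# Show only the expiry on the console; the password itself goes to the clipboard
# so it does not end up in a transcript or console log.
Write-Output ("{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp)
$entry.Password | Set-Clipboard

# After using the password, request a new one. -WhenEffective sets the
# expiration timestamp; the CSE changes the password on its next GP refresh
# once that time has passed. Omit it to expire the password immediately.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)
```

Resetting after each use is the habit worth building: the value you just retrieved is only as secret as the clipboard and session it passed through.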

 

I realize that this was not necessarily spectacular. It was simply important for me to share my experience with you. Nevertheless, I hope that this article was helpful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

2 Replies
Another approach is using Set-LocalUser in PowerShell, as has been explained on:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/set-localuser
to reset the password, and we could add some scripts to get a list of all connected devices and add a password from a list to each of them.

Thank you @TomWechsler for this tutorial.

 

Good news: the next version of Windows Server and Client will have LAPS included by default.

 

In addition there is a community solution from the MVP community to leverage LAPS for Intune.

 

If you don't mind Tom, please consider replacing Active Directory Users and Computers with Active Directory Administrative Center. It's much more efficient, has improved features and everything you do is logged in PowerShell.

 

I would be glad if you could replace the screenshots and leverage DSAC.

To improve your helpful guidance further, it's possible to distribute the LAPS package via Group Policy customizing the msi package with InstED free.