How to Setup and Deploy LAPS | Local Administrator Password Solution

LAPS provides a way to automatically rotate the local Administrator password on domain joined machines every X amount of days to a random password.

I’ll be installing it on one of my domain controllers.

Download LAPS and Install.

Download LAPS and be sure to install all the management tools also.

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Install with all the management tools

Extend the AD Schema

Open up PowerShell (run as admin) and run the following:

Import-module AdmPwd.PS
Update-AdmPwdADSchema
Running the import and update schema commands

Provide AD Directory and Groups with permissions for read/reset

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=YOURPATHHERE"

Now if you haven’t already create a security group that you’ll allow to change the local machine passwords. I’ve created one called LAPS.

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=" -AllowedPrincipals "LAPS"

Now lets provide reset permission.

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=" -AllowedPrincipals "LAPS"

Create the Group Policy

Created your new GPO and deploy it to a test OU! Always make sure it works before deploying to production.

Expand Computer Configuration > Policies > Administrative Templates > LAPS

Note if you don’t see LAPS listed you most likely need to copy the admx and adml templates from your local machine to your store.

AdmPwd.admx from %windir%\PolicyDefinitions\ > \domain\SYSVOL\domain\Policies\PolicyDefinitions

AdmPwd.adml from %windir%\PolicyDefinitions\en-US > domain\SYSVOL\domain\Policies\PolicyDefinitions\en-US

Now lets enabled the policy settings. Adjust these that work for your environment

  • Password Settings – Enabled
  • Name of administrator account to manage – Not Configured (leave this as it will use the local admin account)
  • Do no allow password expiration time longer than required by policy – Enabled
  • Enable local admin password management – Enabled

Deploy it to your test OU.

Deploy LAPS to clients

There are multiple ways to do this. You can use group policy, SCCM, PDQ, or any other application too. I chose to deploy with PDQ.

Just create a new package, point it to the .msi and your done!

LAPS Deployment via PDQ Deploy

I also created a dynamic group in PDQ Inventory to list all the client machines without LAPS installed. Then deployed my package to it.

  • Filter – Not Any
  • Filter – Application
  • Column – Name
  • Comparison – Contains
  • Value – Local Administrator Password Solution
Dynamic Group for clients missing LAPS install

Test It

Gpupdate /force on one of your test machines.

Open up “LAPS UI” and search for your test computer.

If it worked you should be seeing the new password and expiration date.

LAPS UI

Once tested deploy it to your organization!

I found this handy script from diychris.com to pull a list of machines that has LAPS by the AD attribute. Open up powershell ISE on your DC and run it:

$computers = Get-ADComputer -Filter 'operatingsystem -notlike "*server*" -and enabled -eq "true"' -Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
$lapsinstalledcount = 0
Write-Host "`r`nTotal Number of PC's "$computers.count
foreach ($computer in $computers) {
    if(Get-Member -inputobject $computer -name "ms-Mcs-AdmPwd" -MemberType Properties) {
        Sort-Object -InputObject $computer -Property Operatingsystem |
        Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address
        $lapsinstalledcount++
    }
}
Write-Host "Number of PC's with LAPS installed " $lapsinstalledcount "`r`n" 
Result of powershell

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top