Microsoft LAPS (Local Administrator Password Solution) manages the local Administrator account on every domain-joined Windows endpoint: the client-side extension sets a random password, stores it in Active Directory on the computer object and rotates it when it expires. The password is stored in cleartext in an AD attribute, so the permissions you delegate on that attribute are the control that decides who can become local admin on which machines.
- Download LAPS and install the client-side extension (CSE) on every server and client device, e.g. via a software-installation policy or startup script:
- msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V "c:\temp\laps_install.log" (CUSTOMADMINNAME names the local account the CSE manages, here loc-admin; /Qb- shows a basic progress UI without prompts; /L*V writes a verbose install log)
- Install the LAPS Management Features (PowerShell module, GPO templates and UI, all part of the same package) on the server from which LAPS is administered (here the DC)
- Copy the AdmPwd.admx and AdmPwd.adml files from the package into the PolicyDefinitions folder (the central store in SYSVOL, if you use one)
- Update the Active Directory schema. This is a one-time, forest-wide change and requires Schema Admins membership:
- Import-Module AdmPwd.PS
- Update-AdmPwdADSchema
After the schema update two new attributes exist on the computer class: ms-Mcs-AdmPwd (the current password, in cleartext, protected only by the attribute's ACL) and ms-Mcs-AdmPwdExpirationTime (when the CSE will next rotate it).
- Computer accounts must be allowed to write these two attributes on their own objects (SELF write). Delegate this permission at the domain root, or at the OUs that contain the managed computers:
- Launch PowerShell as Domain Administrator
- Run: Set-AdmPwdComputerSelfPermission -Identity "DC=domain,DC=local" (the value is the distinguished name of the domain or OU)
- Create a GPO from the LAPS GPO template (Computer Configuration > Administrative Templates > LAPS). The following settings can serve as a pattern:
If required, adjust the password rules (length, complexity, age) and link the policy to the domain root, excluding the Domain Controllers OU.
Do not apply the policy to domain controllers: a DC has no local SAM, so a CSE running there would manage the built-in domain Administrator account instead of a local one.
To exclude them, open the GPO's Delegation tab, click Advanced, add the Domain Controllers group and set Read to "Deny" (a principal that cannot read the GPO does not apply it).
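The steps above as one script, run on the management server. This is an added example, not part of the original page, and it assumes a domain domain.local, a workstation OU "OU=Workstations,DC=domain,DC=local" that holds the managed computers, a group LAPS-Readers that may read and reset passwords, a GPO named "LAPS Clients", a computer WS001 and the loc-admin account from the msiexec line. Instead of the page's Deny entry for Domain Controllers it links the GPO to the workstation OU, which keeps the Domain Controllers OU out of scope without a Deny ACE; the password settings are written as the registry values behind the ADMX template.

```powershell
# Added example (not from the original page): legacy LAPS (AdmPwd.PS) delegation,
# GPO build and verification. Values marked "assumption" are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn  = 'DC=domain,DC=local'             # assumption
$TargetOu  = "OU=Workstations,$DomainDn"      # assumption: OU with the managed computers
$DcOu      = "OU=Domain Controllers,$DomainDn"
$ReaderGrp = 'LAPS-Readers'                   # assumption: group allowed to read/reset passwords
$GpoName   = 'LAPS Clients'                   # assumption
$AdminName = 'loc-admin'                      # matches CUSTOMADMINNAME in the msiexec line
$Computer  = 'WS001'                          # assumption: a managed workstation

# 1. Extend the schema once per forest (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
#    Requires Schema Admins; safe to re-run, the cmdlet reports existing attributes.
Update-AdmPwdADSchema

# 2. Let computer accounts (SELF) write their own password and expiration attributes.
#    -OrgUnit is the documented parameter name and accepts an OU name or a DN.
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOu

# 3. Delegate read and forced-reset rights on the attribute to the admin group only.
#    Anyone who can read ms-Mcs-AdmPwd is effectively local admin on every computer below the OU.
Set-AdmPwdReadPasswordPermission  -OrgUnit $TargetOu -AllowedPrincipals $ReaderGrp
Set-AdmPwdResetPasswordPermission -OrgUnit $TargetOu -AllowedPrincipals $ReaderGrp

# 4. Build the client GPO from the registry values that the ADMX template writes.
$PolicyKey = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AdmPwdEnabled'                  -Type DWord  -Value 1
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AdminAccountName'               -Type String -Value $AdminName
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordComplexity'             -Type DWord  -Value 4    # upper, lower, digits, specials
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordLength'                 -Type DWord  -Value 20
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordAgeDays'                -Type DWord  -Value 30
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord  -Value 1    # CSE ignores expiration dates pushed beyond the policy age

# 5. Link the GPO to the workstation OU (not the domain root), so the DC OU is never in scope.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 6. Verify that the GPO does not reach the Domain Controllers OU (inherited links included).
$dcLinks = (Get-GPInheritance -Target $DcOu).InheritedGpoLinks | Where-Object DisplayName -eq $GpoName
if ($dcLinks) {
    Write-Warning "'$GpoName' is applied to the Domain Controllers OU - fix the link or security filtering"
} else {
    Write-Host "'$GpoName' is not applied to domain controllers"
}

# 7. Audit who holds read rights on the password attribute below the OU. Review this list:
#    it is the real list of local administrators for those machines.
Find-AdmPwdExtendedRights -Identity $TargetOu |
    Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } } |
    Format-Table -AutoSize

# 8. Read one password (needs membership of $ReaderGrp) and force rotation at the next
#    Group Policy refresh by setting ms-Mcs-AdmPwdExpirationTime to now.
Get-AdmPwdPassword -ComputerName $Computer | Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName $Computer
```

Run steps 1 to 5 once per domain; steps 6 and 7 are worth repeating after every delegation change, because permissions inherited from higher OUs or added by other admins do not show up in the GPO but do show up in Find-AdmPwdExtendedRights.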
Benefit of using XEOX
XEOX can display the LAPS password of a device to users who hold the appropriate role.
In Administration, the Verifier lets you select which role may view secrets, the LAPS password among other things.
When you click a hardware item in the CMDB you get an overview of that device.
Under Manage > Show Secrets there is a key/value field for credentials you would otherwise have to remember or that are needed and changed by several people, and, if LAPS is activated, the device's current LAPS password is shown there as well. Showing that password is equivalent to granting local administrator access to the device, so assign the role only to users who need it.