LAPS

Microsoft LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.

How to Configure Microsoft Local Administrator Password Solution (LAPS)

  1. Download LAPS and install it via policy on each of your server and client devices
      • msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V "c:\temp\laps_install.log"
  2. Install the LAPS Management Features (part of the LAPS package) on the managing server (DC)
  3. Install the LAPS admx files from the package and copy them to PolicyDefinitions
  4. Update the Active Directory schema
      • Import-Module AdmPwd.PS
      • Update-AdmPwdADSchema

After the schema update, two new attributes appear:

 
Notion image
 
  5. Each computer must be granted write access to these two attributes on its own object. Delegate this permission for the whole domain:
      • Launch PowerShell as Domain Administrator
      • Run the command: Set-AdmPwdComputerSelfPermission -Identity "DC=domain,DC=local"
  6. Create a GPO based on the LAPS GPO template. As a pattern, you can use the following settings:
 
Notion image
 

If you want, modify the password rules, then link the policy to the domain root (excluding domain controllers).

Be careful not to apply the policy to domain controllers!

Add Domain Controllers under Advanced settings and set the Read attribute to "Deny".
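To check the result of the steps above, the following added example (not part of the original article or the LAPS package) verifies the schema attributes, lists who can read stored passwords, and reports computers the policy has not reached or domain controllers it reached by mistake. It assumes the AdmPwd.PS and ActiveDirectory (RSAT) modules are installed and reuses the article's placeholder DN `DC=domain,DC=local`; the report wording is illustrative.

```powershell
# Added example, not from the original article. Assumes the AdmPwd.PS and
# ActiveDirectory (RSAT) modules; 'DC=domain,DC=local' is the article's placeholder DN.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$DomainDn = 'DC=domain,DC=local'
$attrPwd  = 'ms-Mcs-AdmPwd'                 # password attribute added by the schema update
$attrExp  = 'ms-Mcs-AdmPwdExpirationTime'   # expiration timestamp (FILETIME)

# 1. Schema update: both LAPS attributes must exist in the schema partition.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in $attrPwd, $attrExp) {
    $hit = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)"
    '{0,-30} {1}' -f $attr, $(if ($hit) { 'present' } else { 'MISSING' })
}

# 2. Delegation: list every principal that can read the stored passwords
#    (same -Identity value as the Set-AdmPwdComputerSelfPermission step).
Find-AdmPwdExtendedRights -Identity $DomainDn |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 3. GPO scope: classify each enabled computer by its expiration attribute.
$dcDns     = (Get-ADDomainController -Filter *).ComputerObjectDN
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $DomainDn -Properties $attrExp

$report = foreach ($c in $computers) {
    $isDc = $c.DistinguishedName -in $dcDns
    $exp  = $c.$attrExp
    $state = if ($isDc -and $exp) { 'DC has a LAPS password: fix GPO scope' }
             elseif ($isDc)       { 'DC, excluded as intended' }
             elseif (-not $exp)   { 'no password stored yet' }
             elseif ([DateTime]::FromFileTimeUtc($exp) -lt [DateTime]::UtcNow) {
                 'password expired, not rotated'
             }
             else { 'managed' }
    [pscustomobject]@{ Computer = $c.Name; State = $state }
}

# Summary first, then the machines that need attention.
$report | Group-Object State | Select-Object Count, Name
$report | Where-Object State -notin 'managed', 'DC, excluded as intended' |
    Sort-Object State, Computer
```

Review the `ExtendedRightHolders` column closely: any group listed there beyond the intended administrators can read local Administrator passwords for computers in scope.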
