LAPS

Microsoft LAPS is a password manager that uses Active Directory to manage and rotate the password of the local Administrator account on all of your Windows endpoints.

How to Configure Microsoft Local Administrator Password Solution (LAPS)

  1. Download LAPS and install it via policy on every server and client device:
    • msiexec.exe /i %~dp0LAPS.x64.msi CUSTOMADMINNAME=loc-admin /Qb- /L*V "c:\temp\laps_install.log"
  2. Install the LAPS Management Features (part of the LAPS package) on the managing server (DC).
  3. Take the LAPS ADMX files from the package and copy them to the PolicyDefinitions folder.
  4. Update the Active Directory schema:
    • Import-Module AdmPwd.PS
    • Update-AdmPwdADSchema

After the schema update, two new attributes appear on computer objects:

[Figure: the two new attributes, ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime]

  1. To write these two attributes, each computer has to be granted write access to them on its own object (SELF). Delegate this permission for the whole domain:

    • Launch PowerShell as Domain Administrator
    • Run the command:
      Set-AdmPwdComputerSelfPermission -Identity "DC=domain,DC=local"
  2. Create a GPO based on the LAPS GPO template. As a pattern you can use the following settings:

[Figure: example LAPS GPO settings]

If you want, modify the password rules, then link the policy to the domain root (except Domain Controllers).
Be aware not to apply the policy to Domain Controllers!
Add Domain Controllers under Delegation > Advanced in the GPO and set the Read permission to "Deny".

[Figure: LAPS overview]

[Figure: Read permission set to Deny for Domain Controllers]
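As an added example that is not part of the original guide, the following PowerShell script checks a finished deployment from the management server: that the schema attributes exist, who holds extended rights below the domain root (and can therefore read the stored passwords), that no Domain Controller has been stamped by the policy, and which clients have an overdue rotation. It assumes the AdmPwd.PS and ActiveDirectory modules are installed and reads the domain DN from AD instead of hard-coding "DC=domain,DC=local".

```powershell
# Added example, not part of the original guide: post-deployment checks for LAPS,
# run on the management server. Assumes the AdmPwd.PS and ActiveDirectory modules
# are installed and that the caller may read computer objects in the domain.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. "DC=domain,DC=local"

# 1. Confirm that Update-AdmPwdADSchema added the two LAPS attributes.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($Attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    if (-not (Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$Attr)")) {
        Write-Warning "Schema attribute '$Attr' is missing; run Update-AdmPwdADSchema."
    }
}

# 2. List every principal holding extended rights below the domain root.
#    "All extended rights" bypasses the confidential-attribute protection on
#    ms-Mcs-AdmPwd, so anyone listed here can read the local admin passwords.
Find-AdmPwdExtendedRights -Identity $DomainDN |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize -Wrap

# 3. Domain Controllers must stay out of scope. Had the policy applied to one,
#    the LAPS client would have stamped an expiration time on its computer object.
foreach ($Dc in Get-ADDomainController -Filter *) {
    $Obj = Get-ADComputer -Identity $Dc.Name -Properties 'ms-Mcs-AdmPwdExpirationTime'
    if ($Obj.'ms-Mcs-AdmPwdExpirationTime') {
        Write-Warning "$($Dc.Name) is a DC but carries a LAPS expiration time; check the GPO link and the Read=Deny entry."
    }
}

# 4. Find managed computers whose rotation is more than a day overdue.
#    The attribute is a Windows FILETIME, so compare and convert as Int64.
$Grace = (Get-Date).AddDays(-1).ToFileTimeUtc()
Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { [int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $Grace } |
    ForEach-Object {
        [pscustomobject]@{
            Computer  = $_.Name
            ExpiredOn = [datetime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        }
    } | Sort-Object ExpiredOn | Format-Table -AutoSize
```

A computer that shows up in the last list has not applied the LAPS policy recently, which usually means it is offline, out of the GPO's scope, or lacks the client-side extension.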