Microsoft LAPS deployment tutorial
Don’t let your network become a victim of the next crypto/worm
Automation has its benefits: it is quick, steady and reliable, and it produces a known output. But it also lets the same security issue reappear on every machine in your network. Yes, I’m talking about that golden image, whether deployed from your hypervisor template or built by internal procedures, that ships the same local administrator password to all machines. Once one host is compromised, that shared password is a credential that works everywhere, which is exactly what a worm or crypto-malware needs to move laterally.
LAPS, the “Local Administrator Password Solution”, lets sysadmins centrally manage the local administrator account on domain-joined computers. Each computer generates a random password, sets it on its local account and stores it in Active Directory (AD) in a confidential attribute (ms-Mcs-AdmPwd) on its own computer object. That attribute is protected by an ACL, so only eligible users can view the password or force a reset.
Let’s start deploying:
1. Download the MSI file from here.
2. Set up a file share on your DC or a file server. Give the share Read permissions for Everyone (or use a dedicated group).
3. On the hosting server, change the NTFS permissions as well, giving Everyone (or the desired group) Read-only permissions.
4. Log in to one of your DCs and add your user to the Schema Admins group. This membership is needed only for the one-time schema extension in step 7; remove it again once that step is done.
5. Install the downloaded MSI on your DC, including all options:
6. Verify that AdmPwd.admx is located in:
and that AdmPwd.adml is located in:
7. Extend the schema: open a PowerShell session with administrator permissions and run the following code snippet (this adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class, which is why Schema Admins membership is required):
See example output:
8. As described in the introduction, access to the stored passwords is ACL-protected, so the rights have to be delegated per OU.
a. Decide which OUs should be included and let the computers in them write their own password:
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions, or its full distinguished name>
Repeat for every OU that contains computer accounts. This grants each computer (SELF) write access to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on its own object only.
b. Decide which security groups are allowed to read the password:
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
c. Verify the above steps with:
Find-AdmPwdExtendedRights -Identity "Comps"
The output lists every principal that holds extended rights on the OU. Anyone in that list can read ms-Mcs-AdmPwd, whether or not you delegated it explicitly in 8b, because the “confidential” flag on the attribute does not protect it against holders of “All Extended Rights”. If a group you did not intend shows up here, remove that right before rolling LAPS out.
9. Create the GPO in the Group Policy Management Console (gpmc.msc) and name it LAPS. Edit it and add the following:
a. Disable UAC: Computer Configuration > Preferences > Windows Settings > Registry. Create a new ‘Registry Item’ and browse to this path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Choose EnableLUA and change its value data to 0.
Note that LAPS itself does not require this: EnableLUA=0 turns UAC off for every account on the machine, so keep this item only if you have a separate reason for it.
b. Computer Configuration > Policies > Administrative Templates > LAPS > Password Settings: Enabled (set the complexity, length and age in days per your needs).
c. Computer Configuration > Policies > Administrative Templates > LAPS > Enable local admin password management: Enabled. If you have renamed the built-in Administrator account, also set “Name of administrator account to manage” to that name.
d. Distribute the package: Computer Configuration > Policies > Software Settings > Software installation > New > Package…
Choose the UNC path of the share from step 2, i.e.:
Link the GPO to the appropriate OU (the same OU(s) you delegated in step 8a).
10. If you prefer the GUI over the cmdlets in step 8b, you can grant (or verify) the read permission on the OU directly:
Browse to the appropriate OU > Properties > Security > Advanced. Double-click the group from section 8b and choose Read ms-Mcs-AdmPwd. Do not grant Write ms-Mcs-AdmPwd: overwriting the stored value does not change the actual local password, it only puts AD out of sync with the machine. To let a group force a rotation, grant Write on ms-Mcs-AdmPwdExpirationTime instead (Set-AdmPwdResetPasswordPermission does exactly that).
11. On a deployed machine, the final result should appear in Programs and Features as follows:
A few notes:
1. You’ll need to wait for the next Group Policy refresh cycle (or run gpupdate /force on the client) before the password actually changes.
2. Retrieving the password can be done via:
a. PowerShell, from a machine with the AdmPwd.PS module installed:
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName "name"
b. The LAPS UI (run the MSI on your machine, but choose only the Fat client UI option). Run the UI as Administrator.
3. If SCCM is deployed in your network you can create a collection for deployment instead of the software installation GPO mentioned above.
4. If the client still isn’t deploying, consider adding the following to the GPO:
- Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon = Enabled
- Computer Configuration > Administrative Templates > System > Group Policy > Specify startup policy processing wait time = 90 (or any other number you find suitable)
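To tie the PowerShell parts of steps 7 and 8 together with the checks from notes 2 and 4, here is an added example script (mine, not part of the original tutorial or of the LAPS package). It is split into three regions meant for three different hosts: a DC for the schema update and delegation, a client that is not picking LAPS up, and the admin workstation that reads the password. The domain contoso.local, the OUs Workstations and Servers, the groups LAPS-PasswordReaders and LAPS-PasswordResetters, and the computer WS-0042 are hypothetical placeholders; everything else uses the AdmPwd.PS cmdlets, the registry keys the LAPS MSI and ADMX write, and the standard ActiveDirectory module.

```powershell
# Added example, not from the original tutorial or the LAPS package.
# Hypothetical values to adjust: domain contoso.local, OUs Workstations/Servers,
# groups LAPS-PasswordReaders / LAPS-PasswordResetters, computer WS-0042.

#region Server side: run elevated on a DC (AdmPwd.PS + ActiveDirectory modules),
# as Schema Admin for the schema update and Domain Admin for the ACL changes.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Step 7: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the computer class (idempotent).
Update-AdmPwdADSchema

$domainDn  = (Get-ADDomain).DistinguishedName
$ous       = @("OU=Workstations,$domainDn", "OU=Servers,$domainDn")   # hypothetical OUs
$readers   = 'LAPS-PasswordReaders'                                    # hypothetical group
$resetters = 'LAPS-PasswordResetters'                                  # hypothetical group

foreach ($ou in $ous) {
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou                               # 8a: SELF writes its own password
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers   # 8b: who may read it
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters # who may force a rotation
}

# 8c as an audit: every holder of "All Extended Rights" on the OU can read the
# confidential attribute whether or not you delegated it. Flag anyone unexpected.
$expected = @($readers, 'Domain Admins', 'Enterprise Admins', 'SYSTEM')
foreach ($ou in $ous) {
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($expected -notcontains ($holder -replace '^.*\\', '')) {   # drop the DOMAIN\ prefix
                Write-Warning "Unexpected extended-rights holder on $($_.ObjectDN): $holder"
            }
        }
    }
}
#endregion

#region Client side: run elevated on a machine that is not picking LAPS up (note 4).
function Test-LapsClient {
    # The MSI installs the client-side extension AdmPwd.dll and registers it with Winlogon.
    $cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    # The ADMX settings from step 9 land under this policy key once the GPO has applied.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $pol = if (Test-Path $polKey) { Get-ItemProperty $polKey } else { $null }

    [pscustomobject]@{
        CseInstalled    = (Test-Path $cseDll) -and (Test-Path $cseKey)
        PolicyApplied   = [bool]$pol
        Enabled         = [bool]($pol -and ($pol.AdmPwdEnabled -eq 1))
        PasswordLength  = $pol.PasswordLength
        PasswordAgeDays = $pol.PasswordAgeDays
    }
}

$s = Test-LapsClient
if (-not $s.CseInstalled)  { Write-Warning 'AdmPwd CSE not installed: check the software-installation GPO (or SCCM) and the network-wait settings in note 4.' }
if (-not $s.PolicyApplied) { Write-Warning 'No AdmPwd policy keys: the LAPS GPO is not linked to this computer''s OU or has not applied yet.' }
if ($s.CseInstalled -and $s.PolicyApplied) { gpupdate /target:computer /force }   # triggers the first rotation
#endregion

#region Admin workstation: retrieve and rotate (note 2), as a member of the groups above.
Import-Module AdmPwd.PS
$computer = 'WS-0042'   # hypothetical computer name
$entry = Get-AdmPwdPassword -ComputerName $computer
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the clear-text password. After using it for a task,
# schedule a new one: the client rotates at its next policy refresh.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)
#endregion
```

The audit loop is the part worth keeping in your runbook: Set-AdmPwdReadPasswordPermission adds the principals you want, but it does not remove anyone who already had broad rights on the OU, and those principals read the password just as well. Run Find-AdmPwdExtendedRights again whenever OU delegations change.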