Installing LAPS

7 January 2020, by Rached CHADER

Update of the active directory schema:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

Configure the required permissions:

Before starting, it is important to verify that no unauthorized account already holds rights over confidential attributes (the LAPS password is stored as a confidential attribute, so anyone with "All extended rights" on the OU can read it).
So, in the security settings of the OU in question, check that the "All extended rights" option is unchecked for any principal that should not read the passwords:

  • Launch the command below to give each machine the right to reset the password of its own local administrator account:
Set-AdmPwdComputerSelfPermission -OrgUnit LAPS

  • Launch the command below to authorize a group to read the passwords of machines under the OU named LAPS:
Set-AdmPwdReadPasswordPermission -OrgUnit LAPS -AllowedPrincipals "Domain Admins" | ft Name, DistinguishedName, Status

  • Launch the command below to authorize a group to reset the password:
Set-AdmPwdResetPasswordPermission -OrgUnit LAPS -AllowedPrincipals "Domain Admins"

  • Launch the command below to check who holds rights over confidential attributes:
Find-AdmPwdExtendedRights -Identity LAPS | Format-Table ExtendedRightHolders
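The one-off check above only looks at a single OU and leaves the reader to eyeball the holders. The script below, added here as an example and not part of the original post, audits the LAPS OU and every OU beneath it, flags any extended-rights holder that is not on an approved list, and confirms that a given computer actually has a managed password with a future expiration (without displaying the password). It assumes the AdmPwd.PS and ActiveDirectory modules are installed, that the OU is named LAPS as in the post, that holders are returned in DOMAIN\Name form, and that the approved list (Domain Admins plus SYSTEM) matches your delegation; adjust it to yours.

```powershell
# Added example: audit LAPS extended rights and managed-password state (not from the original post).
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Test-LapsExtendedRights {
    param(
        [Parameter(Mandatory)] [string] $OrgUnit,
        # Assumption: only these principals are expected to read LAPS passwords in this domain
        [string[]] $AllowedPrincipals = @('Domain Admins', 'SYSTEM')
    )
    # Resolve the OU and walk its children: extended rights are inherited downwards,
    # so a stray delegation on a child OU also exposes passwords
    $root = Get-ADOrganizationalUnit -Filter "Name -eq '$OrgUnit'" | Select-Object -First 1
    if (-not $root) { throw "OU '$OrgUnit' not found" }
    $ous = @($root) + @(Get-ADOrganizationalUnit -Filter * -SearchBase $root.DistinguishedName -SearchScope Subtree |
                        Where-Object { $_.DistinguishedName -ne $root.DistinguishedName })
    foreach ($ou in $ous) {
        $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName
        foreach ($holder in $rights.ExtendedRightHolders) {
            # Assumption: holders come back as DOMAIN\Name; compare on the name part only
            $name = ($holder -split '\\')[-1]
            [pscustomobject]@{
                OU       = $ou.DistinguishedName
                Holder   = $holder
                Approved = ($AllowedPrincipals -contains $name)
            }
        }
    }
}

function Test-LapsComputer {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Get-AdmPwdPassword returns the clear-text password; only the expiration is reported here
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    [pscustomobject]@{
        ComputerName = $ComputerName
        Managed      = [bool]$entry.Password
        Expiration   = $entry.ExpirationTimestamp
        # A managed password whose expiration is in the past means the client is not rotating it
        Healthy      = ([bool]$entry.Password -and $entry.ExpirationTimestamp -gt (Get-Date))
    }
}

# Report only unexpected holders, then spot-check one machine (name is a placeholder)
Test-LapsExtendedRights -OrgUnit 'LAPS' | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Test-LapsComputer -ComputerName 'WS01-PLACEHOLDER'
```

Run it as an account that already holds read permission on the OU; an empty first table means no unexpected principal can read the passwords.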

Deploy LAPS on client machines via GPO:

  • Password settings: this parameter enables complexity and defines the length and the lifetime of the password.
  • Name of administrator account to manage: to manage another account via LAPS, it is possible to specify it in this option. Otherwise, the built-in administrator account (SID ending in 500) is managed via LAPS.
  • Do not allow password expiration time longer than required by policy: this setting prevents the password expiration time from being set beyond the value already defined via GPO.
  • Enable local admin password management: this setting enables or disables LAPS.

Installing the LAPS client

There are several ways to deploy the LAPS client on the workstations:

  • Manual installation.
  • Installation by a deployment tool.
  • Installation by GPO.
  • Script installation.

We will take the installation via GPO:

  • Create a GPO and give it a name.
  • Go to Computer Configuration => Policies => Software Settings.
  • Right-click on Software installation and click on New => Package.
  • Browse to the path where the file is located and select the LAPS installer. Choose the deployment method Assigned and click OK. The installer must be accessible from the network (on a share the computer accounts can read).

How to retrieve the local password

  • Via the attribute editor:
  • Via LAPS GUI in admin mode:
