- Download LAPS from Microsoft official site by following the link<\/a><\/li>
- Create the following groups:
- LAPS Exception Servers<\/strong> \u2013 LAPS policy will not be applied on group members.<\/li>
- View Servers Admin Password<\/strong> \u2013 group members have the right to view local administrator password of servers.<\/li>
- View Client Admin Password<\/strong> \u2013 group members have the right to view local administrator password of workstations.<\/li>
- Reset Server Admin Password \u2013 <\/strong>group members have the right to reset local administrator password of servers.<\/li>
- Reset Client Admin Password \u2013 <\/strong>group members have the right to reset local administrator password of workstations.<\/li><\/ul><\/li>
- Store \u201cLAPS.x64.msi\u201d, \u201cLAPS.x86.msi\u201d files in shared folder and make sure that it is accessible from all domain machines.<\/li><\/ul>\n\n\n\n
\n\n\n\n2. Install LAPS on Management Machine:<\/h5>\n\n\n\n
- Locate LAPS file you just downloaded and run it.<\/li><\/ul>\n\n\n\n
![\"laps01\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/laps011.jpg?resize=499%2C389\")
<\/figure><\/div>\n\n\n![\"laps02\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/laps021.jpg?resize=499%2C389\")
<\/figure><\/div>\n\n\n![\"laps03\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/laps031.jpg?resize=499%2C389\")
<\/figure><\/div>\n\n\n![\"laps04\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/laps041.jpg?resize=499%2C389\")
<\/figure><\/div>\n\n\n![\"laps05\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/laps051.jpg?resize=499%2C389\")
<\/figure><\/div>\n\n\n
Click Next<\/strong>.
Accept the license and then click Next.<\/strong>
Choose all components and click Next.<\/strong>
Click Install <\/strong>(accept UAC<\/strong> if appeared).
Click Finish.<\/strong><\/p>\n\n\n\n3. Creating Group Policy Object to install LAPS on domain machines:<\/h5>\n\n\n\n
- Create new GPO and add both x86, x64 LAPS packages:<\/li><\/ul>\n\n\n\n
![\"gpo01\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo01.jpg?resize=801%2C351\")
<\/figure><\/div>\n\n\n![\"gpo03\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo03.jpg?resize=676%2C355\")
<\/figure><\/div>\n\n\n![\"gpo04\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo04.jpg?resize=414%2C462\")
<\/figure><\/div>\n\n\n![\"gpo05\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo05.jpg?resize=406%2C408\")
<\/figure><\/div>\n\n\n
go to Computer Configuration\u2013> Policies\u2013> Software Settings\u2013> Software installation\u2013> right click\u2013> new\u2013> Package\u2026<\/strong>
Add both x64 and x86 packages as shown above from shared folder that created in preparation procedure.
To configure x86 to install only on 32-bit machines:
Choose LAPS x86 package \u2013> right click\u2013> properties\u2013> open Deployment<\/strong> tab then click Advanced<\/strong> button.
Remove \u201cMake this 32-bit X86 application available to Win64 machines\u201d check.<\/p>\n\n\n\n- Link GPO you just created to the needed OU or to the root domain.<\/li><\/ul>\n\n\n\n
![\"gpo07\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo071.jpg?resize=551%2C424\")
<\/figure><\/div>\n\n\n![\"gpo08\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo081.jpg?resize=377%2C457\")
<\/figure><\/div>\n\n\n![\"gpo06\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo06.jpg?resize=514%2C70\")
<\/figure><\/div>\n\n\nNote:<\/em><\/strong> you can exclude specific computers (like: Domain Controllers) from LAPS GPO by choosing GPO and doing the following:
Go to Delegation<\/strong> tab.
To exclude specific servers from installing LAPS on them, add \u201cLAPS Exception Servers\u201d group that created in preparation section above \u2013> and deny Read, Apply group policy<\/strong> permissions.
i.e. GPO will apply by installing LAPS once client machine boot up.
i.e. To verify that LAPS installed successfully on client machine, open Program and Features<\/strong>:<\/p>\n\n\n\n
\n\n\n\n3. Extending AD Schema:<\/strong><\/h5>\n\n\n\n
- Run the below commands:<\/li><\/ul>\n\n\n\n
Import-Module AdmPwd.PS\nUpdate-AdmPwsADSchema<\/em><\/strong><\/pre>\n\n\n\n
i.e. above command must be run on schema maser role domain controller by user who is located in \u201cSchema Admins\u201d<\/strong> group.
Note:<\/strong><\/em> After extending schema, the below attributes will be added:
ms-MCS-AdmPwd \u2013 \u201cstores the password itself\u201d.
ms-MCS-AdmPwdExpirationTime \u2013 \u201cstores password expiration\u201d.<\/p>\n\n\n\n
\n\n\n\n4. Removing Extended Rights:<\/strong><\/h5>\n\n\n
\n![\"gpo09\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/gpo09.jpg?resize=407%2C600\")
<\/figure><\/div>\n\n\nBy default all users have the right to read any Active Directory object\u2019s properties including \u2018ms-MCS-AdmPwd\u2019 attribute which has local administrator password.
So you have to deny users from read \u201cAll extended rights\u201d on the needed OUs as below:
Open Active Directory Users and Computers<\/strong> \u2013> View <\/strong>\u2013> Advanced Features<\/strong>\u2013> Choose the needed OU that contains domain machines (Usually its Computer<\/strong> container) \u2013> right click\u2013> Security<\/strong> tab\u2013> Advanced<\/strong> \u2013> choose the user who has the permission\u2013> Edit<\/strong>, then Remove \u201cAll extended rights\u201d check \u2013> Ok <\/strong>\u2013> Apply<\/strong> \u2013> Ok.<\/strong>
Note:<\/em> To view who has \u201cExtended Right\u201d permission on a specific OU run the command:<\/p>\n\n\n\nImport-Module AdmPwd.PS<\/em><\/strong>\nFind-AdmPwdExtendedrights -identity <OUName> | Format-Table ExtendedRightHolders<\/strong><\/em><\/pre>\n\n\n\n
\n\n\n\n5. Adding machine rights:<\/strong><\/h5>\n\n\n\n
- To make computers able to change their local administrator passwords. Thus, write permission must be granted to SELF<\/strong> built-in account on both ms-Mcs-AdmPwd<\/strong>, ms-Mcs-AdmPwdExpirationTime <\/strong>attributes. So computer will have the permission to change its local administrator password only. This can be done by running the command:<\/li><\/ul>\n\n\n\n
Set-AdmPwdComputerSelfPermission -OrgUnit <OUName><\/strong><\/em><\/pre>\n\n\n\n
Note:<\/em> This command must be run on all OUs that contain computer accounts you want to apply LAPS on.
Note:<\/em> You can grant all computers the right to change their administrator passwords on all OUs in the organization by running the command:<\/p>\n\n\n\nGet-ADOrganizationalUnit -Filter * | Set-AdmPwdComputerSelfPermission<\/strong><\/em><\/pre>\n\n\n\n
\n\n\n\n6. Adding User rights:<\/strong><\/h5>\n\n\n\n
- In this step we will grant users (e.g. helpdesk users) the right to view local administrator password of LAPS applied policy.<\/li><\/ul>\n\n\n\n
Run the below command to grant \u201cView Servers Admin Password<\/strong>\u201d members read local admin password right of server computers:<\/p>\n\n\n\n
Set-AdmPwdReadPasswordPermission -OrgUnit <OUName> -AllowedPrincipals \"View Servers Admin Password\"<\/strong><\/em><\/pre>\n\n\n\n
Run the below command to grant \u201cView Client Admin Password<\/strong>\u201d members read local admin password right of client computers:<\/p>\n\n\n\n
Set-AdmPwdReadPasswordPermission -OrgUnit <OUName> -AllowedPrincipals \"View Client Admin Password\"<\/strong><\/em><\/pre>\n\n\n\n
Grant specific users reset password permission<\/strong> so they can change local admin password for both Servers and Client machines, by running the commands:<\/p>\n\n\n\n
Set-AdmPwdResetPasswordPermission -OrgUnit <OUName> -AllowedPrincipals \"Reset Server Admin Password\"<\/strong><\/em>\nSet-AdmPwdResetPasswordPermission -OrgUnit <OUName> -AllowedPrincipals \"Reset Client Admin Password\"<\/strong><\/em><\/pre>\n\n\n\n
Additionally, we need to enable auditing for all users in case of read or reset local admin password, by running the command:<\/p>\n\n\n\n
Set-AdmPwdAuditing -OrgUnit <OUName> -AuditedPrincipals \"Authenticated Users\"<\/strong><\/em>\n<\/pre>\n\n\n\n
Note:<\/em> <\/strong>when password successfully read, 4662 event id will be logged on DC security logs.<\/p>\n\n\n\n
\n\n\n\n7. Configuring LAPS Group Policy:<\/strong><\/h5>\n\n\n\n
Let\u2019s configure LAPS settings by using Group Policy by following the below steps:<\/p>\n\n\n\n
- Open LAPS GPO and locate the path Computer Configuration<\/strong>\u2013> Administrative Templates<\/strong>\u2013> LAPS.<\/strong><\/li><\/ul>\n\n\n\n
![\"lapsgp01\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp011.jpg?resize=757%2C478\")
<\/figure><\/div>\n\n\n- Enable Enable local admin password management <\/strong>setting:<\/li><\/ul>\n\n\n\n
![\"lapsgp02\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp02.jpg?resize=700%2C401\")
<\/figure><\/div>\n\n\n- Configure Password Settings<\/strong> as below:
- Password Complexity: <\/strong>Large letter + small letters + numbers + specials<\/li>
- Password Length: <\/strong>14<\/li>
- Password Age (Days): <\/strong>30<\/li><\/ul><\/li><\/ul>\n\n\n
\n![\"lapsgp03\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp03.jpg?resize=700%2C518\")
<\/figure><\/div>\n\n\n- Enable Do not allow password expiration time longer than required by policy:<\/strong><\/li><\/ul>\n\n\n\n
![\"lapsgp05\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp05.jpg?resize=700%2C425\")
<\/figure><\/div>\n\n\n- Additional setting, if you are change the local administrator name to another name different than the default one which is Administrator. Type the local admin name you are configuring on domain machines in Name of administrator account to manage<\/strong> setting:<\/li><\/ul>\n\n\n\n
![\"lapsgp04\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp04.jpg?resize=700%2C398\")
<\/figure><\/div>\n\n\n
\n\n\n\n4. Additional step, Rename Local Administrator by using Group Policy:<\/strong><\/h5>\n\n\n\n
I prefer to change the default local administrator name from security perspective, by following the below steps:<\/p>\n\n\n\n
- Create new GPO and edit it by following the path Computer Configuration<\/strong>\u2013> Policies<\/strong>\u2013> Windows Settings<\/strong>\u2013> Security Settings<\/strong>\u2013> Local Policies<\/strong>\u2013> Security Options<\/strong>\u2013> open the settings Accounts: Rename administrator account<\/strong>.<\/li><\/ul>\n\n\n\n
![\"lapsgp06\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp061.jpg?resize=757%2C478\")
<\/figure><\/div>\n\n\n- Type the new local administrator name you need (e.g. LocalAdmin):<\/li><\/ul>\n\n\n\n
![\"lapsgp07\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp07.jpg?resize=431%2C187\")
<\/figure><\/div>\n\n\n
\n\n\n\n8. Viewing local admin password:.<\/h5>\n\n\n\n
To view Local Admin password you have the below three options:<\/p>\n\n\n\n
- From Active Directory Users and Computers, locate computer account, then view ms-Mcs-AdmPwd<\/strong> attribute:<\/li><\/ul>\n\n\n\n
![\"lapsgp08\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp08.jpg?resize=336%2C32\")
<\/figure><\/div>\n\n\n- From LAPS UI Tool, type the computer name then search button:<\/li><\/ul>\n\n\n\n
![\"lapsgp09\"](\"https:\/\/mohdzmaili.files.wordpress.com\/2016\/12\/lapsgp09.jpg?resize=395%2C310\")
<\/figure><\/div>\n\n\n- By running one of the below power shell commands:<\/li><\/ul>\n\n\n\n
Get-AdmPwdPassword -ComputerName <ComputerName>\nGet-ADComputer <ComputerName> -Properties ms-Mcs-AdmPwd | select name, <\/strong><\/em>ms-Mcs-AdmPwd\n<\/strong><\/em><\/pre>\n\n\n\n
Note:<\/em> To reset local admin password on specific machine, run the below power shell command:<\/p>\n\n\n\n
Reset-AdmPwdPassword -ComputerName <ComputerName> -WhenEffective <DateTime><\/strong><\/em>\n\nRef: https:\/\/azureera.com\/local-administrator-password-solution-laps\/#:~:text=Local%20Administrator%20Password%20Solution%20(LAPS)%201%201.%20Preparing,...%207%207.%20Configuring%20LAPS%20Group%20Policy%3A<\/pre>\n","protected":false},"excerpt":{"rendered":"Local Administrator Password Solution (LAPS) is a new tool that gives the power to manage local Administrator accounts passwords (RID-500).The most important benefit of deploying LAPS is to mitigate Pass-the-Hash (PtH) credential attack. By configuring LAPS, Local Administrator on each machine will have its own (unique) complex password. This password changes randomly as per LAPS configuration Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,14,15],"tags":[1390,1389],"class_list":["post-4445","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-windows-7-8-10","category-windows-servers","tag-microsoft-laps","tag-microsoft-local-administrator-password-solution-laps"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4445"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4445\/revisions"}],"predecessor-version":[{"id":4446,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4445\/revisions\/4446"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- By running one of the below power shell commands:<\/li><\/ul>\n\n\n\n
- From LAPS UI Tool, type the computer name then search button:<\/li><\/ul>\n\n\n
- From Active Directory Users and Computers, locate computer account, then view ms-Mcs-AdmPwd<\/strong> attribute:<\/li><\/ul>\n\n\n
- Type the new local administrator name you need (e.g. LocalAdmin):<\/li><\/ul>\n\n\n
- Create new GPO and edit it by following the path Computer Configuration<\/strong>\u2013> Policies<\/strong>\u2013> Windows Settings<\/strong>\u2013> Security Settings<\/strong>\u2013> Local Policies<\/strong>\u2013> Security Options<\/strong>\u2013> open the settings Accounts: Rename administrator account<\/strong>.<\/li><\/ul>\n\n\n
- Additional setting, if you are change the local administrator name to another name different than the default one which is Administrator. Type the local admin name you are configuring on domain machines in Name of administrator account to manage<\/strong> setting:<\/li><\/ul>\n\n\n
- Password Length: <\/strong>14<\/li>
- Password Complexity: <\/strong>Large letter + small letters + numbers + specials<\/li>
- Configure Password Settings<\/strong> as below:
- Enable Enable local admin password management <\/strong>setting:<\/li><\/ul>\n\n\n
- Open LAPS GPO and locate the path Computer Configuration<\/strong>\u2013> Administrative Templates<\/strong>\u2013> LAPS.<\/strong><\/li><\/ul>\n\n\n
- In this step we will grant users (e.g. helpdesk users) the right to view local administrator password of LAPS applied policy.<\/li><\/ul>\n\n\n\n
- To make computers able to change their local administrator passwords. Thus, write permission must be granted to SELF<\/strong> built-in account on both ms-Mcs-AdmPwd<\/strong>, ms-Mcs-AdmPwdExpirationTime <\/strong>attributes. So computer will have the permission to change its local administrator password only. This can be done by running the command:<\/li><\/ul>\n\n\n\n
- Run the below commands:<\/li><\/ul>\n\n\n\n
- Link GPO you just created to the needed OU or to the root domain.<\/li><\/ul>\n\n\n
- Create new GPO and add both x86, x64 LAPS packages:<\/li><\/ul>\n\n\n
- View Servers Admin Password<\/strong> \u2013 group members have the right to view local administrator password of servers.<\/li>
- Create the following groups: