This is part two of a series about Microsoft LAPS. For part one, go here: http://www.windowsmanagementexperts.com/laps-part-1-introduction/laps-part-1-introduction.htm.
In this part, we will go over the installation and configuration of LAPS. We extend the AD Schema to support LAPS, then we will import the Group Policy ADMX file and go over the settings. Finally, we will register the required DLL on a client machine.
To start, install the LAPS MSI with these options:
I recommend performing this operation from a domain controller.
The AD schema is extended via the LAPS PowerShell module. You must be a member of the Schema Admins group to extend the schema. First, open PowerShell and load the module:
Next, run the schema extension cmdlet. Make sure that you have the schema management snap-in installed (it’s part of the AD LDS tools and snap-ins).
Now you have your attributes required for LAPS.
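The schema step above, carried out and then verified, as an added example that is not from the original post. It assumes the LAPS module (AdmPwd.PS) and the RSAT ActiveDirectory module are installed on the domain controller where it runs; the attribute names and the Schema Admins RID are standard, the verification logic is this example's own.

```powershell
# Added example (not from the original post): load the LAPS module, extend the
# schema, and verify the result. Assumes the AdmPwd.PS module and the RSAT
# ActiveDirectory module are installed on this domain controller.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Pre-check: the logon token must carry Schema Admins (RID 518 in the forest
# root domain); otherwise Update-AdmPwdADSchema fails with access denied.
$rootDomain     = Get-ADDomain -Identity (Get-ADForest).RootDomain
$schemaAdminSid = "$($rootDomain.DomainSID.Value)-518"
$tokenGroups    = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
if ($schemaAdminSid -notin $tokenGroups) {
    throw "Current token does not contain Schema Admins ($schemaAdminSid); log on again after adding the membership."
}

# Extend the schema. This adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
# and links both attributes to the computer class.
Update-AdmPwdADSchema

# Verify 1: both attributes now exist in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd*)' `
                      -Properties lDAPDisplayName, searchFlags
$expected = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$missing  = $expected | Where-Object { $_ -notin $attrs.lDAPDisplayName }
if ($missing) { throw "Schema extension incomplete; missing: $($missing -join ', ')" }

# Verify 2: the password attribute must be confidential (searchFlags bit 0x80).
# That bit is what limits reads to principals holding the control access right;
# without it anyone with read access to the computer object could read passwords.
$pwdAttr = $attrs | Where-Object lDAPDisplayName -eq 'ms-Mcs-AdmPwd'
if (-not ($pwdAttr.searchFlags -band 0x80)) {
    Write-Warning 'ms-Mcs-AdmPwd is not marked confidential; review the schema extension before deploying.'
}

# Verify 3: the computer class may carry both attributes.
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties mayContain
foreach ($name in $expected) {
    if ($name -notin $computerClass.mayContain) { Write-Warning "$name is not linked to the computer class" }
}
"Schema OK: $($attrs.lDAPDisplayName -join ', ')"
```

Run it once per forest; Update-AdmPwdADSchema is idempotent, so re-running the script on a forest that is already extended only performs the checks.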
If you have not done so, copy the ADMX and ADML file to PolicyDefinitions folder for your domain. This will allow the GPOs to be modified from any machine with the GPO editor. You’re looking for the files AdmPwd.admx and AdmPwd.adml.
Once imported, the GPO settings are at Computer Configuration > Administrative Templates > LAPS. There are four settings:
For LAPS to work, you need to configure “Password Settings”, “Do not allow password expiration time longer than required by policy”, and “Enable local admin password management”. The fourth setting, “Name of administrator account to manage”, is totally up to you. If you enable this setting, you can use an account different from the local administrator account. More on this later.
For the password settings policy, set it to your organization’s password policy. It should not be less secure than your default domain password policy. The “Password age in days” setting defines how often the password is changed.
The “Do not allow password expiration time longer than required by policy” setting should be enabled. Enabling this setting will keep passwords in line with your default domain policy.
Finally, you must enable “Enable local admin password management” for LAPS to take over password management.
“Name of administrator account to manage” Policy
One thing to consider when using this policy – if you simply rename the default administrator account and use that, do NOT configure this policy. The system detects this account based on the well-known administrator SID, not the name. If you rename the local administrator account, the SID does not change.
Enable LAPS on Clients
You have two options for the last step to enabling LAPS on clients. First, you can install the LAPS client MSI on each machine with the AdmPwd GPO Extension option. This creates an entry in Programs and Features that could allow a user with administrator rights to actually uninstall it. The second option is to install the AdmPwd GPO Extension on one computer and copy the “AdmPwd.dll” file to all machines and register the dll. This dll is installed with the client MSI and can be found in %ProgramFiles%\LAPS\CSE. I recommend this option. To register the dll, run this command:
Once the dll is registered, the GPO will take over and begin managing the password.
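The client-side step above, together with a check of the GPO settings described earlier, as an added example that is not from the original post. It assumes AdmPwd.dll has already been copied to %ProgramFiles%\LAPS\CSE and that the script runs elevated on the client; the policy registry value names are the ones the AdmPwd ADMX writes, and the verification logic is this example's own.

```powershell
# Added example (not from the original post): register the LAPS client-side
# extension on a client and confirm that policy and AD state match the settings
# described in the post. Assumes AdmPwd.dll was copied to %ProgramFiles%\LAPS\CSE
# and that this runs elevated.
$dll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (-not (Test-Path $dll)) { throw "AdmPwd.dll not found at $dll" }

# Register silently; a non-zero exit code means DllRegisterServer failed
# (typically because the shell is not elevated).
$proc = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$dll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# Check 1: Winlogon lists every client-side extension by GUID under GPExtensions;
# the LAPS entry's DllName must point at AdmPwd.dll.
$gpext = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cse = Get-ChildItem $gpext | Where-Object { (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd.dll' }
if (-not $cse) { throw 'LAPS CSE is not registered under GPExtensions' }
"LAPS CSE registered as $($cse.PSChildName)"

# Check 2: refresh computer policy and read the effective LAPS settings. These
# are the registry values behind the four GPO settings in the LAPS ADMX.
gpupdate /target:computer /force | Out-Null
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
if (-not $cfg)                { throw 'No LAPS policy applied to this machine' }
if ($cfg.AdmPwdEnabled -ne 1) { throw '"Enable local admin password management" is not enabled' }
if ($cfg.PwdExpirationProtectionEnabled -ne 1) {
    Write-Warning '"Do not allow password expiration time longer than required by policy" is not enabled'
}
"Password policy: complexity=$($cfg.PasswordComplexity) length=$($cfg.PasswordLength) age=$($cfg.PasswordAgeDays) days"
if ($cfg.PSObject.Properties['AdminAccountName']) {
    # Only expected when a custom account is managed; do not set this for a
    # renamed built-in Administrator, which LAPS finds by its well-known SID.
    "Managing custom account: $($cfg.AdminAccountName)"
}

# Check 3: after the first policy refresh the CSE writes the computer's
# expiration time to AD. Query via ADSI so the client needs no RSAT module.
$searcher = [adsisearcher]"(sAMAccountName=$env:COMPUTERNAME`$)"
$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime') | Out-Null
$result = $searcher.FindOne()
$expiry = $result.Properties['ms-mcs-admpwdexpirationtime']
if (-not $expiry -or $expiry.Count -eq 0) {
    Write-Warning 'Expiration time not set yet: the CSE has not written a password (policy not applied, or the computer object cannot write the LAPS attributes).'
} else {
    # Stored as a FILETIME-style large integer (100 ns ticks since 1601, UTC).
    "Password expires (UTC): $([DateTime]::FromFileTimeUtc([int64]$expiry[0]))"
}
```

The third check is the one to watch after rollout: a registered CSE and an applied policy with an empty expiration time means the machine received the settings but could not write its password back to AD, so the password in AD is not the one on the box.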