Overview of Microsoft LAPS (Local Administrator Password Solution)

*After you’ve downloaded and deployed LAPS, the team at Recast Software created a nifty dashboard for you to monitor your LAPS “health” – bringing visibility to overlooked security necessities. This is included in the Enterprise version of the Right Click Tools.

I like the LAPS dashboard because I’m already in the CM Console every day, so having a dashboard for LAPS there keeps it visible and at the front of our minds. It only takes a few seconds to pull it up, check my stats, and move on.  If I find an anomaly, I can start looking into it. Learn more about the LAPS Dashboard.

“The Local Administrator Password Solution (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.” – Microsoft.   Basically, it removes the risk of a shared (and effectively backdoor) local administrator account with the same password on every machine, by giving each machine its own random, complex password that is rotated on a schedule.  Before LAPS, most organizations had a generic local admin, ex: ORG_LocalAdmin, with the same password on each machine, ex: ORG_P@ssword.  The problem with that is, if one machine was compromised, the malware / attacker could reuse that credential to move laterally across all your machines, gathering more and more data to deepen the breach.  With LAPS implemented, you remove that attack vector: if one machine is compromised, its local admin password is unique to it, so the ability to move laterally to another machine with that credential is greatly reduced.

There are quite a few guides out there, and the Microsoft Docs are pretty good too. I didn’t do extensive searching before creating this post, so note that this may be redundant.

In this walk-through, we’ll cover:

  • Downloading LAPS
  • Create Source Folders
  • Create End Point Installer Application
  • Deploy LAPS Application to End Points
  • Extend AD Schema (From Domain Controller)
  • Setup LAPS AD Groups and Permissions
  • Manually Install LAPS Admin Client
  • Verify Permissions and Read / Reset Access
  • Basic Enable of Group Policy
  • Tests to confirm Permissions are working

Things we’re not covering:

  • The “Why’s” behind each step. Much of the detail and the reasons why you have to perform these steps are already documented well in the Microsoft “LAPS_OperationsGuide” which is part of the download, and quite honestly, that’s what I’m using as I create this Walk Through, so I suggest you look over that before you even start.
  • Every Deployment Scenario. This is a generic and SIMPLE Lab. While much of this is the same for any environment, each environment is different and each organization is set up differently.  LAPS setup will probably require multiple teams’ involvement (AD / CM / Deployments / GPO).

Things to Consider beforehand:

  • Active Directory Structure (OUs with Workstations)
  • Who will have Rights to READ the LAPS Password
  • Who will have Rights to RESET the LAPS Password

Client Deployment:

Download LAPS Client & Docs from Microsoft:  https://www.microsoft.com/en-us/download/details.aspx?id=46899


I’ve downloaded all of the Files into a “LAPS” directory then created a new folder to move the MSI Files into.

In the CM Console, Create a new Application.  Point it to the x64 version of the MSI

(Screenshot: Specify settings for this application)

Once you choose the MSI and click Next, it will pull the information for the Application from the MSI.

(Screenshot: Application information)

As you click Next, you’ll come to General Information. I added “Microsoft” as publisher, and changed the /q in the install command to /qn so the install runs with no UI at all.

At this point, just click Next, leaving the defaults, until it completes and you click Close.  You’ll now have the Local Administrator Password Solution application in your console.  We just need to make a couple of tweaks.  In the Properties of the application, click on the Deployment Types tab, choose the Deployment and click Edit, go into Requirements and add the x64 versions of Windows in your Environment (this is the x64 MSI; 32-bit clients would need the x86 MSI as a separate deployment type).

(Screenshot: LAPS application properties)

At this point, we have the App, so let’s get it deployed to the workstations.  Since you’ve added the requirement logic into the app, you can safely deploy it to all your workstations. NOTE, this is where knowing your environment matters: deploy to the appropriate collection. Perhaps you have a business reason not to deploy it to all workstations.  Just use best practices for deployments (maintenance windows, etc.).  The rest of this example is just generic.

(Screenshot: deployment wizard, software and collection fields, and deployment settings)

I left Scheduling set to defaults, User Experience , Alerts all defaults

(Screenshot: Confirm the settings for this new deployment)
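Once the deployment reports Success, it is worth confirming on an endpoint that the LAPS client-side extension (CSE) is really installed and registered with Group Policy, because the GPO we build later does nothing on a machine without it. The script below is an added example and not part of the original post; the paths are the MSI defaults and the GPExtensions registry key is where Winlogon registers CSEs.

```powershell
# Added example, not from the original post: verify the LAPS client (the AdmPwd
# Group Policy client-side extension) actually landed on an endpoint after the
# CM deployment. Paths are the MSI defaults; adjust if you install elsewhere.

# Silent install as CM runs it (x64 MSI; /qn = no UI). For an admin workstation
# you also want the management tools, so add ADDLOCAL=ALL there:
#   msiexec.exe /i LAPS.x64.msi /qn
#   msiexec.exe /i LAPS.x64.msi /qn ADDLOCAL=ALL

function Test-LapsClientInstalled {
    # The CSE is what reads the policy and rotates the password; without it
    # the GPO is applied but nothing happens on the machine.
    $cseDll   = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
    $gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

    # Winlogon loads CSEs listed under this key; the LAPS entry points DllName at AdmPwd.dll.
    $registration = Get-ChildItem -Path $gpExtKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).DllName -like '*AdmPwd.dll' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CseFilePresent = Test-Path -Path $cseDll
        CseFileVersion = if (Test-Path -Path $cseDll) { (Get-Item -Path $cseDll).VersionInfo.FileVersion } else { $null }
        CseRegistered  = [bool]$registration
        CseGuid        = if ($registration) { $registration.PSChildName } else { $null }
    }
}

$status = Test-LapsClientInstalled
$status | Format-List

if (-not ($status.CseFilePresent -and $status.CseRegistered)) {
    Write-Warning "LAPS CSE is missing or not registered on $($status.ComputerName); the LAPS GPO will not take effect here."
}
```

Run it on a test client after the deployment shows Success, or use the function body as a custom detection method if you do not want to rely on the MSI product code alone. The same check is worth repeating periodically: an endpoint that receives the policy but has no CSE never rotates its password, so whatever password the account had before is still in place.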

Infrastructure Setup:

Admin Client / LAPS Management Client

So now that the Client is being deployed, let’s get the infrastructure set up.  First we’ll switch over to a client test machine / or your typical admin workstation.  Let’s get the LAPS Client installed along with the Management Tools. Once you kick off the installer (double-click the MSI), click through the first couple of screens to get to the “Custom Setup”; once here, enable all options.

(Screenshot: LAPS custom setup)

Go ahead and let it install.  We’ll need to grab some of the items it installed and we’ll copy them back out to our source server for easy access.

Go to C:\Windows\PolicyDefinitions, here you will grab the AdmPwd.admx file, and the AdmPwd.adml file from the en-US subfolder.  I created a folder called GPO_ADMX in my source location to copy them to.

(Screenshot: Source location)

Also, Copy the AdmPwd.PS folder from the PowerShell Modules: C:\Windows\System32\WindowsPowerShell\v1.0\Modules

(Screenshot: Copy folder from PowerShell Modules)

You’ll need those later.

Now, these next steps you can (and should) do from your admin workstation with proper credentials. Your DCs should be Server Core without a desktop experience, and you typically never want to actually log on to a DC.  To make sure I had connectivity and rights, though, I did it from my actual Domain Controller.  This is a lab, and I’m just making a demo.

Modify the AD Schema

On the Domain Controller, copy the AdmPwd.PS folder you uploaded to your source into the local module repository on your DC, then launch Admin PowerShell Console.  In this image, you can see I tried to Import-Module before I had copied the files onto the DC, after the copy, the command runs correctly:


Run the command: Update-AdmPwdADSchema (this requires Schema Admins membership, and only needs to be done once per forest):


In my lab, you can see it successfully added 2 attributes (ms-Mcs-AdmPwd, which holds the password, and ms-Mcs-AdmPwdExpirationTime) and modified one class (computer).

Hopefully you considered a few things before starting this Journey, like which OU the workstations are in that you want to apply this to, and who do you want to have permissions?  For my lab, it’s pretty easy, I have 1 Master OU setup for WorkStations, and all other workstations fall into Sub OUs of that Master OU.

(Screenshot: Target workstations OU)

At this point, it’s nice to check and see who has rights to view that info in AD. In your PowerShell console, type: Find-AdmPwdExtendedRights -Identity <OU Name> | Format-Table

(Screenshot: Find-AdmPwdExtendedRights output showing who has rights to view the info in AD)

As you can see, rights are pretty clean, I’m ok with those folks having rights to LAPS.

Now, in AD, lets setup a Read & Reset Group, to grant access to LAPS.  I’ve created two groups: LAPS Read Only & LAPS Reset PWD:

(Screenshot: the LAPS Read Only and LAPS Reset PWD groups in AD)

Now we need to grant machines the ability to update their own password, so we grant access to the built-in SELF principal for all machines in the Workstation OU: Set-AdmPwdComputerSelfPermission -OrgUnit <OU Name>


Next we need to grant users rights to look up that information, this is where those groups come in.  We’re going to give “LAPS Read Only” rights to Read LAPS Passwords: Set-AdmPwdReadPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <FQDN Group Name>

We’re going to give “LAPS Reset PWD” rights to Reset LAPS Passwords (note the different cmdlet; it is easy to paste the Read one twice): Set-AdmPwdResetPasswordPermission -OrgUnit <OU Name> -AllowedPrincipals <FQDN Group Name>

We’re also going to confirm it did something using the Find.. command:

(Screenshot: Find-AdmPwdExtendedRights output after granting the groups)
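The whole AD-side sequence (schema, SELF, Read, Reset, then the audit) in one script, as an added example that is not part of the original post. It assumes the AdmPwd.PS module is already in the module path as described above; the OU distinguished name, the domain prefix and the group names are lab assumptions to replace with your own. The audit at the end is the check worth keeping: it lists every principal that can read passwords under the OU, including inherited “All extended rights” holders such as Domain Admins, and flags anything you did not intend.

```powershell
# Added example, not from the original post: LAPS AD setup plus an audit of who can
# read the passwords. Run from an admin workstation with RSAT and the AdmPwd.PS module.
Import-Module AdmPwd.PS -ErrorAction Stop

$WorkstationOU = 'OU=Workstations,DC=corp,DC=lab'   # assumption: lab OU
$ReadGroup     = 'CORP\LAPS Read Only'               # assumption: lab group names
$ResetGroup    = 'CORP\LAPS Reset PWD'

# 1. Extend the schema once per forest (needs Schema Admins). Adds ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime and modifies the computer class.
Update-AdmPwdADSchema

# 2. Let each computer write its own password and expiry (the SELF principal) under the OU.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Read and Reset are separate extended rights; grant them to separate groups.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $ReadGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $ResetGroup

# 4. Audit: who can read passwords for objects under the OU. The result includes
#    principals with "All extended rights" inherited from the domain (e.g. Domain Admins),
#    so anything outside this expected list is a finding to review.
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $ReadGroup, $ResetGroup)  # assumption: lab expectations

Find-AdmPwdExtendedRights -Identity $WorkstationOU |
    ForEach-Object {
        foreach ($principal in $_.ExtendedRightHolders) {
            [pscustomobject]@{
                OU        = $_.ObjectDN
                Principal = $principal
                Status    = if ($expected -contains $principal) { 'expected' } else { 'REVIEW' }
            }
        }
    } | Sort-Object Status, OU | Format-Table -AutoSize
```

Anyone marked REVIEW can read every managed local admin password under that OU, which is exactly the lateral-movement capability LAPS is meant to remove, so treat unexpected entries (old delegations, “Everyone” style ACEs) as a finding and fix the OU ACL before rolling the policy out.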

Now, in AD, you can nest the groups you want in your LAPS Security Groups to have access:

(Screenshot: nesting the service desk groups in the LAPS security groups)

For my Lab, I have Service Desk Tier 1 & 2 Read only, and Tier 3 can Reset.

Group Policy
You’ll need to copy the ADMX & ADML files you saved to your source folder into your Group Policy Central Store: AdmPwd.admx goes into \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions and AdmPwd.adml into the en-US subfolder under it. If the PolicyDefinitions folder does not exist yet, you do not have a central store and the editor is reading C:\Windows\PolicyDefinitions on whichever machine you run it from; create the folder (with its language subfolders) to make one.


Now you can Launch Group Policy and create your LAPS Policy.   For this Demo, I’m going to create a new simple Policy, but you can always add it into one you already have.  The new GPO is set to defaults, except I disable User Policies, as this will all be machine based, no point in having it look for user policies:

(Screenshot: new LAPS GPO with user configuration settings disabled)

I’ve set up the basic settings to make this work with my lab.  In my lab, I have a local admin account on the computer besides the disabled default, named “MyLocalAdmin”, which is the account I want LAPS to manage.  Note that when you set “Name of administrator account to manage”, LAPS manages only that account; the built-in Administrator (RID 500) is managed only when that setting is left blank, and the Microsoft guide says not to put the built-in account’s name there even if you have renamed it:

(Screenshot: LAPS policy settings with MyLocalAdmin as the managed account)
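The same GPO built with the GroupPolicy module instead of the editor, as an added example that is not from the original post. The registry key and value names are the ones the AdmPwd.admx template writes (LAPS reads them from HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd on the client); the GPO name, the OU and the concrete password settings are lab assumptions.

```powershell
# Added example, not from the original post: create the lab LAPS GPO from PowerShell.
# Each Set-GPRegistryValue maps to one setting in the AdmPwd.admx template.
Import-Module GroupPolicy -ErrorAction Stop

$GpoName       = 'LAPS - Workstations'              # assumption
$WorkstationOU = 'OU=Workstations,DC=corp,DC=lab'   # assumption: the OU the permissions were set on
$Key           = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Local admin password management (LAPS CSE)' }

# Machine-only policy: disable the user half so clients do not evaluate it.
$gpo.GpoStatus = 'UserSettingsDisabled'

# "Enable local admin password management"
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName AdmPwdEnabled -Type DWord -Value 1 | Out-Null

# "Name of administrator account to manage": set ONLY for a custom account like MyLocalAdmin.
# Leave it unset to manage the built-in Administrator (RID 500), whatever it is named.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName AdminAccountName -Type String -Value 'MyLocalAdmin' | Out-Null

# "Password Settings": complexity 4 = upper, lower, digits and specials; length; max age in days.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName PasswordComplexity -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName PasswordLength     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName PasswordAgeDays    -Type DWord -Value 30 | Out-Null

# "Do not allow password expiration time longer than required by policy": stops a
# stale or tampered ms-Mcs-AdmPwdExpirationTime from postponing rotation.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName PwdExpirationProtectionEnabled -Type DWord -Value 1 | Out-Null

# Link to the workstation OU (skip if a link already exists).
$alreadyLinked = (Get-GPInheritance -Target $WorkstationOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes | Out-Null }

# Show what the GPO will push so it can be compared against the editor view.
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Type, Value | Format-Table -AutoSize
```

On a client, gpupdate /force followed by Get-ItemProperty on the same key under HKLM:\ shows whether the values arrived; the CSE rotates the password on the next policy refresh once ms-Mcs-AdmPwdExpirationTime is in the past.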

OK, that’s it, you have it all setup.  Now it’s time to confirm you get the results you wanted

Permission Tests

  • Standard End Users (Should have No Rights)
  • Service Desk Tier 1 (Should have Read Access)
  • Service Desk Tier 3 (Should have Read / Reset Access)

Test 1: Standard User:

(Screenshot: Test 1 result)

Test 2: Tier 1 Service Desk:

(Screenshot: Test 2 result)

Test 3: Tier 3 Service Desk:

(Screenshot: Test 3 result)

What we learn from this test: Reset permission does not include Read. So, unless you have a need for a group to be able to reset the password without reading it, I’d nest the LAPS Reset PWD group inside the LAPS Read Only group.

(Screenshot: LAPS Reset PWD nested inside LAPS Read Only)

Test again:

(Screenshot: Tier 3 test after nesting)

Now we have the desired results, Tier 3 Support can both Read & Reset the LAPS password.
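The three permission tests as a script you can run as each test user, added here as an example and not from the original post. It uses the two AdmPwd.PS cmdlets the UI calls under the hood; the computer name is a lab assumption. A caller without the Read right gets an object with an empty Password rather than an error, which is why the read test checks the value instead of only catching exceptions.

```powershell
# Added example, not from the original post: run as Standard / Tier 1 / Tier 3 against
# a lab workstation and compare the rows. Reset writes to AD, so only point it at a lab box.
Import-Module AdmPwd.PS -ErrorAction Stop

$Computer = 'LAB-WS01'   # assumption: a workstation under the managed OU

function Test-LapsAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $result = [ordered]@{
        User = $who; Computer = $ComputerName; CanRead = $false; CanReset = $false; Expires = $null
    }

    # Read test: ms-Mcs-AdmPwd is only returned to holders of the Read extended right.
    try {
        $pw = Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop
        $result.CanRead = -not [string]::IsNullOrEmpty($pw.Password)
        $result.Expires = $pw.ExpirationTimestamp
    } catch {
        $result.CanRead = $false
    }

    # Reset test: sets ms-Mcs-AdmPwdExpirationTime to now; the client CSE rotates the
    # password on its next policy refresh. Needs the Reset extended right, which is
    # independent of Read.
    try {
        Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date) -ErrorAction Stop
        $result.CanReset = $true
    } catch {
        $result.CanReset = $false
    }

    [pscustomobject]$result
}

Test-LapsAccess -ComputerName $Computer | Format-Table -AutoSize
```

With the groups as first created in this post, the rows should come back as: Standard user CanRead False / CanReset False; Tier 1 CanRead True / CanReset False; Tier 3 CanRead False / CanReset True, which becomes True / True only after LAPS Reset PWD is nested inside LAPS Read Only. Any row where a standard user shows CanRead True means an unintended ACE on the OU, and the Find-AdmPwdExtendedRights check earlier is where to look.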

I hope you found this LAPS overview useful, and that it provided additional information not found in other ones.  The main reason I’m writing this is for Part 2, configuring Recast Management Server Users / Groups to view the LAPS Compliance Dashboard in the CM Console.

-By Gary Blok
