Overview
Local Administrator Password Solution (LAPS) is a way of storing local administrator passwords inside of Active Directory. Domain admins are given access to, and control over, who can view this information, ensuring that only authorized users can gain access to the passwords stored in AD. LAPS is a Microsoft product (so no additional downloading beyond the installer is required) and can be implemented very quickly inside of an environment. It also provides several security features that are key to its success and put it above other password management solutions. These features are:
- Randomization of local admin passwords
- Ability to store other secret information of a company within its existing AD
- Access control and ACL permissions
- Sending of passwords over encrypted channels
Pre-Reqs
Active Directory:
- Windows 2003 SP1 and above
Managed/Client machines (x86 or x64; Itanium NOT supported):
- Windows Server 2016
- Windows Server 2012 R2 Datacenter
- Windows Server 2012 R2 Standard
- Windows Server 2012 R2 Essentials
- Windows Server 2012 R2 Foundation
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows Server 2012 Datacenter
- Windows Server 2012 Standard
- Windows Server 2012 Essentials
- Windows Server 2012 Foundation
- Windows 8 Enterprise
- Windows 8 Pro
- Windows Server 2008 R2 Service Pack 1
- Windows 7 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows Vista Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
Management tools:
- .NET Framework 4.0
- PowerShell 2.0 or above
Setting up
Being a Microsoft product, the setup is easy and attaches naturally to an already existing Active Directory solution.
The first step in the process is to download the GPO Client-Side Extension from Microsoft. The link can be found at the bottom of the document in Cited Sources. This is an MSI file that will be used to install LAPS on the management computers as well as the client computers.
The second step is to extend the schema of the already existing Active Directory.
The last step is the Group Policy configuration.
Domain Controller Setup
To begin setting up LAPS on a domain controller, run the MSI that was downloaded from the Microsoft Download Center. This will take you through a wizard that will help with the installation.
On the Custom Setup screen, select all the features to be installed on the computer; you will need all of them to fully take advantage of LAPS.
After all the features are installed on the DC you will then distribute the tool to all the client machines that need to be a part of this solution. This is covered in the Client Computers section of the document. The client computers use the same MSI that was used to install LAPS on the DC.
Next you will need to import the PowerShell module on the DC. The two commands we want to run from an administrative-level PowerShell window are:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
This adds the LAPS attributes to your AD schema. You will next need to allow the client computers you would like to be a part of this solution to write back to their own AD objects for LAPS. It is recommended to keep the client computers you will deploy this to inside of their own OU. This update is also done through PowerShell; the command is:
Set-AdmPwdComputerSelfPermission -OrgUnit '[target OU]'
If the update is successful then you should see the "Status" come up as "Delegated".
To find who has permissions to view local admin passwords use the command:
Find-AdmPwdExtendedRights -Identity '[target OU]'
To allow additional users to view the local admin password, use the command below (it is recommended to set this on groups of admins instead of individual user accounts):
Set-AdmPwdReadPasswordPermission -OrgUnit '[target OU]' -AllowedPrincipals [Group 1],[Group 2],[etc.]
If the update is successful then you should see the "Status" come up as "Delegated".
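The domain controller steps above, scripted end to end with the checks a practitioner would want after each one. This is an added example, not part of the original document; the OU path and group name are placeholders, and the schema check assumes the ActiveDirectory module is available on the DC.

```powershell
# Added example: DC-side LAPS setup for one OU, with verification and an audit
# of who can read the passwords. Placeholders: replace the OU and group names.
$TargetOU     = 'OU=LAPS-Clients,DC=example,DC=com'   # placeholder OU
$ReaderGroups = @('LAPS-Password-Readers')            # placeholder group(s)

# Run from an elevated PowerShell on the DC with schema-admin rights.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Step 1: extend the schema with the LAPS attributes.
Update-AdmPwdADSchema

# Check: the ms-Mcs-AdmPwd* attributes must now exist in the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -like 'ms-Mcs-AdmPwd*'" |
         Select-Object -ExpandProperty lDAPDisplayName
if ($attrs.Count -lt 2) { throw "Schema extension did not complete; found: $($attrs -join ', ')" }

# Step 2: let computers in the OU write their own password/expiration attributes.
$self = Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU
if ($self.Status -ne 'Delegated') { throw "Self-permission delegation failed for $TargetOU" }

# Step 3: grant read access to the admin group(s), never to individual users.
$read = Set-AdmPwdReadPasswordPermission -OrgUnit $TargetOU -AllowedPrincipals $ReaderGroups
if ($read.Status -ne 'Delegated') { throw "Read-permission delegation failed for $TargetOU" }

# Step 4: audit. Any principal holding extended rights on the OU can read the
# passwords, so review every holder listed here, not only the group just added.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    ForEach-Object {
        [pscustomobject]@{
            ObjectDN = $_.ObjectDN
            Holders  = ($_.ExtendedRightHolders -join '; ')
        }
    } | Format-Table -AutoSize
```

Re-run the audit step periodically; a group that was later granted "All Extended Rights" on the OU gains password read access without any LAPS cmdlet being involved.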
Client Computers
First you will want to push the software to the client computers that you want the password management on. This is most easily done through a GPO applied to an OU of computers. It is recommended to do this by creating a shared folder on the DC or a network drive, granting the client computers read access to that folder, and placing in it the same MSI file that we used to install the software on the DC.
Second, we will create the GPO that will push the software to the client computers. Open Group Policy Management on the DC, select the domain that you are working with, and create a new policy for deploying LAPS. Select to edit the policy, then browse to Computer Configuration -> Policies -> Software Settings -> Software installation.
Select New -> Package inside of the editor. This will open a file dialog box; browse to the shared folder that we created in the prior step and add the MSI to this installation. You will be prompted with a box that will ask you how you want to deploy the software; select "Advanced".
In the new menu select the "Deployment" tab and check the box that says to uninstall the application when it falls out of the scope of management.
Under the "Security" tab be sure to grant the client computers read permissions to the software.
Save the policy and deploy it to the client computers.
The last thing that you will need to set up for the client computers will be another GPO that controls the LAPS settings for those computers. Just as before, open Group Policy Management on the DC. This policy will be linked to the OU for the group that we are working with. Right-click on the OU that contains the target computers and select "Create a GPO in this domain, and Link it here". Once the policy is created, right-click on it and select "Edit". Browse to Computer Configuration -> Policies -> Administrative Templates -> LAPS.
There will be four settings in this folder. The two we need to worry about are "Enable local admin password management" and "Password Settings". Inside of the first setting mentioned simply select "Enabled" on the left-hand radio button. On the next setting mentioned also select "Enabled". If there are any password requirements that are needed they can be modified in the bottom-left-hand box.
Using LAPS
Using LAPS is very simple. On a machine with permission to read the password, open an administrative-level PowerShell and run this command:
Get-AdmPwdPassword -ComputerName [Target Computer]
This will display the computer's password back in PowerShell. Alternatively, there is a GUI client that we installed at the beginning of this document. To use the GUI browse to Program Files -> LAPS -> AdmPwd.UI. This will open the GUI as shown below:
From here we can search for the target computer as well as change expiration dates for passwords if needed.
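A check that ties the Client Computers and Using LAPS sections together: confirm a client actually received the CSE and the GPO settings, then read its password and handle the two failure modes an operator meets (no password stored yet, or a password that is past its expiration and was never rotated). This is an added example, not from the original document; the computer name is a placeholder and the registry path and CSE file location are the ones the legacy LAPS installer and ADMX use.

```powershell
# Added example: verify the client side, then read and rotate a LAPS password.
$Computer = 'CLIENT01'   # placeholder managed computer name

# --- On the client (run via Invoke-Command from a management host):
#     is the CSE present, and did the "Administrative Templates -> LAPS" policy apply?
$clientCheck = {
    $cse    = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CseInstalled    = $cse
        PolicyEnabled   = ($policy.AdmPwdEnabled -eq 1)
        PasswordLength  = $policy.PasswordLength
        PasswordAgeDays = $policy.PasswordAgeDays
    }
}
$state = Invoke-Command -ComputerName $Computer -ScriptBlock $clientCheck
if (-not $state.CseInstalled -or -not $state.PolicyEnabled) {
    Write-Warning "$Computer is not fully managed yet: CSE=$($state.CseInstalled) Policy=$($state.PolicyEnabled)"
}

# --- On the management host, as a member of the group given read permission:
Import-Module AdmPwd.PS
$entry = Get-AdmPwdPassword -ComputerName $Computer

if (-not $entry.Password) {
    # Attribute is empty until the CSE runs at a policy refresh; nothing to read yet.
    Write-Warning "$Computer has no stored password; wait for gpupdate or check the CSE."
    return
}

# ExpirationTimestamp is when the client is due to set a new password. A date in
# the past means the client stopped rotating (offline, CSE removed, or write
# permission lost), which is worth investigating rather than ignoring.
if ($entry.ExpirationTimestamp -lt (Get-Date)) {
    Write-Warning "$Computer password expired $($entry.ExpirationTimestamp) and was not rotated."
}

# Hand the password to the operator for the one-off task...
$entry | Select-Object ComputerName, Password, ExpirationTimestamp

# ...then expire it immediately so the client generates a fresh one on its next
# policy refresh, instead of leaving a password that has now been seen in use.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)
```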
Cited Sources
Microsoft LAPS Client Side Extension Download Link
https://www.microsoft.com/en-us/download/details.aspx?id=46899