Install and Configure LAPS on Windows Server 2019 Active Directory

In this blog post, I will show you how to install and configure Local Administrator Password Solution (LAPS) on a Windows Server 2019 Active Directory infrastructure.

About LAPS

LAPS is a free solution from Microsoft that sets a unique, random password for the local administrator account on every domain-joined machine, stores that password in Active Directory (in the confidential ms-Mcs-AdmPwd attribute of the computer object, next to its expiration time in ms-Mcs-AdmPwdExpirationTime) and rotates it automatically when it expires. Because every machine ends up with a different local administrator password, a credential dumped from one host can no longer be reused to log on to the rest of the estate, which closes one of the classic lateral-movement paths.

Client configuration

LAPS works by installing the LAPS client (a Group Policy client-side extension) on every machine whose local administrator password you want to manage. On each Group Policy refresh the extension checks whether the stored password has expired and, if so, generates a new one, writes it to the computer object in AD and then changes the local account, so the password in AD is always the current one.

Server Configuration

On the server side, we need to install the LAPS management tools, which include the following:

  • GPO templates
  • PowerShell module (AdmPwd.PS)
  • LAPS UI client

Download

To get started, go ahead and download the LAPS tools and client from the link below. The same MSI contains both the client-side extension and the management tools.

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Install on Server

In my case, I am going to install LAPS on a management server and not on my domain controller, which runs Server Core. When running the installer, make sure you select the Management Tools (PowerShell module, GPO Editor templates and the fat client UI); by default the setup only installs the GPO client-side extension.

Update Active Directory Schema

After installing the LAPS tools on my management machine, I will update the schema using the following cmdlets. This extends the computer class with the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, so it must be run by a member of Schema Admins and only needs to be done once per forest.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

Copy LAPS Group Policy Templates

The installer places the Group Policy templates (AdmPwd.admx and the matching AdmPwd.adml) in the following location on the machine where the management tools were installed.

C:\Windows\PolicyDefinitions

These files need to be copied to the PolicyDefinitions folder on your DC, or to the central store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) if you use one. The .adml file belongs in the language subfolder (for example en-US), otherwise the LAPS node will not show up in the Group Policy editor.

Create GPO

After copying the templates, let's open GPMC and create a Group Policy for LAPS and link it to the OU that contains the machines you want to manage.

If you expand Policies -> Computer Configuration -> Administrative Templates -> LAPS, you will see the four LAPS policies: Password Settings, Name of administrator account to manage, Do not allow password expiration time longer than required by policy, and Enable local admin password management.

In my case, I will use the following settings:

Password Settings – This is where we control the password complexity, length and maximum age (how often the password is rotated).

Name of the administrator account to manage – In this setting, I will select Administrator. Note that this setting is only needed when LAPS should manage a custom local account; the built-in Administrator account is located by its well-known RID 500 SID even if it has been renamed, so Microsoft recommends leaving it Not Configured in that case.

Enable local admin password management – This must be set to Enabled, otherwise the client-side extension is installed but does nothing and no passwords are ever written to AD.

Apply Configuration

The last configuration step involves setting the LAPS permissions on the OU whose computers you need LAPS to control. The cmdlet below grants the SELF principal (each computer object, acting for itself) write access to its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes; without it the client cannot store a new password and the rotation silently fails.

In my case the OU name is MGMT, and you can see the full path.

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=MGMT,OU=SERVERS,DC=CORP,DC=NTWEEKLY,DC=COM"
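The steps above (create the GPO, set its policies, delegate the permissions) can also be scripted end to end, which makes the result reviewable. The following is an added example and is not code from the original post or from the LAPS installer; it assumes the AdmPwd.PS, GroupPolicy and ActiveDirectory modules are available on the management server, uses the OU path from the post, and the group names LAPS-Password-Readers and LAPS-Password-Resetters are hypothetical. It goes one step further than the post by also delegating who may read and reset passwords, and by auditing who holds those rights, since the self-permission alone only lets machines write.

```powershell
# Added example (not from the original post): create and link the LAPS GPO,
# delegate the LAPS permissions on the OU, then audit who can read passwords.
# Assumptions: AdmPwd.PS, GroupPolicy and ActiveDirectory modules installed;
# the OU path is the one from the post; the two group names are hypothetical.
Import-Module AdmPwd.PS
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OU      = 'OU=MGMT,OU=SERVERS,DC=CORP,DC=NTWEEKLY,DC=COM'
$GpoName = 'LAPS - MGMT Servers'
# Registry key behind the LAPS Administrative Template settings.
$LapsKey = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# 1. Create the GPO (idempotent) and write the same values the ADMX UI would.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "Enable local admin password management": without it the CSE does nothing.
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null
# "Password Settings": complexity 4 = upper + lower + digits + specials, 20 chars, rotate every 30 days.
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null
# "Do not allow password expiration time longer than required by policy".
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null
# "Name of administrator account to manage" is deliberately left unset: the
# built-in Administrator is found by its RID-500 SID, so it is managed even if renamed.

# Link the GPO to the OU (ignore the error if the link already exists).
New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Delegate. SELF lets each computer write its own password; the read and
#    reset rights are the extended rights that gate who can see or expire it.
Set-AdmPwdComputerSelfPermission  -OrgUnit $OU | Out-Null
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals 'LAPS-Password-Readers'   | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals 'LAPS-Password-Resetters' | Out-Null

# 3. Audit: list every principal holding the extended rights on the OU.
#    Anything unexpected here (for example a broad group inherited from a
#    delegation higher up the tree) can read every managed password in the OU.
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object ObjectDN -ExpandProperty ExtendedRightHolders
```

Run the audit step again after every delegation change: holders of "All extended rights" on the OU (often granted to helpdesk groups for unrelated reasons) can read LAPS passwords even though they were never explicitly given the LAPS read right.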

Get Password

To get the local administrator password from a machine that is under LAPS configuration, I will use the LAPS UI client (the same information is available from PowerShell with Get-AdmPwdPassword).

From the client, I will type the name of the computer and click Search.

The result will show me the current local administrator password and the time at which it expires. Only accounts that were granted the read-password right on the OU will see the password; everyone else gets an empty field rather than an error.
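Reading the password from the command line, and checking that the rollout actually worked, as an added example (not code from the original post): it assumes the AdmPwd.PS and ActiveDirectory modules, the OU path from the post, and a hypothetical computer named MGMT01. The health check deliberately reads only ms-Mcs-AdmPwdExpirationTime, which is not a confidential attribute, so it can be run by an admin who is not allowed to see the passwords themselves.

```powershell
# Added example (not from the original post): command-line equivalent of the
# LAPS UI lookup, an OU-wide health check, and a forced rotation.
# Assumptions: AdmPwd.PS and ActiveDirectory modules; OU path from the post;
# 'MGMT01' is a hypothetical computer name.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU = 'OU=MGMT,OU=SERVERS,DC=CORP,DC=NTWEEKLY,DC=COM'

# Same lookup the LAPS UI performs. Requires the read-password extended right;
# without it Password comes back empty rather than raising an error.
Get-AdmPwdPassword -ComputerName 'MGMT01' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Health check: which computers in the OU have ever had a password written,
# and when it expires. A missing expiration time means the client extension is
# not installed, the GPO is not applied, or the SELF permission was not granted.
# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks since 1601).
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name      = $_.Name
            Managed   = [bool]$exp
            Expires   = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
            Overdue   = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) -lt (Get-Date).ToUniversalTime() } else { $false }
        }
    } |
    Sort-Object Managed, Expires |
    Format-Table -AutoSize

# Force a rotation on the next Group Policy refresh, e.g. after the password
# was handed out during an incident. Requires the reset-password extended right.
Reset-AdmPwdPassword -ComputerName 'MGMT01' -WhenEffective (Get-Date)
```

An "Overdue" entry whose expiration time is well in the past means the machine has stopped checking in (offline, or the client-side extension is failing); the stored password is still valid, but it is the one that was set before the last expected rotation.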
