In this blog post, I will show you how to install and configure Local Administrator Password Solution (LAPS) on a Windows Server 2019 Active Directory infrastructure.
LAPS is a free solution from Microsoft that allows us to rotate and change the local user account passwords on domain-joined Active Directory machines.
LAPS works by installing the LAPS client on each machine whose local password you would like to manage.
On the server-side, we need to install LAPS tools that include the following:
- GPO templates
- PowerShell modules
- LAPS Client UI
To get started, go ahead and download the LAPS tools and client from the link below.
Install on Server
In my case, I am going to install LAPS on a management server and not on my domain controller, which is a Server Core.
Update Active Directory Schema
After installing the LAPS tools on my management machine, I will update the schema using the following cmdlets.
Copy LAPS Group Policy Templates
After installing the GPO templates, the wizard will place them in the following location.
These files need to be copied to the Policy Definition store on your local DC or to the central store if you use one.
After copying the template, let’s open GPMC and create a Group Policy for LAPS.
If you expand Policies -> Computer configuration -> Administrative templates -> LAPS, you will see the policies for LAPS.
In my case, I will use the following settings:
Password Settings – This is where we control the password settings.
Name of the administrator account to manage – In this setting, I will select Administrator.
The last configuration step involves setting the LAPS permissions on the OU whose computer passwords you need LAPS to control.
In my case the OU name is MGMT, and the full path is shown in the command below.
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=MGMT,OU=SERVERS,DC=CORP,DC=NTWEEKLY,DC=COM"
To get the local administrator password from a machine that is under LAPS configuration, I will use the LAPS UI client.
From the client, I will type the name of the computer and click search.
The result will show me the local password.
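The PowerShell side of the steps above, including a check of who can read the stored passwords, can look like the following. This is an added example and not the commands from the original post; the NetBIOS domain name CORP, the group CORP\LAPS-Readers and the computer name MGMT01 are assumptions made for illustration.

```powershell
# Added example, run from the management server where the LAPS tools are installed.
# Assumptions (not from the post): NetBIOS domain CORP, group CORP\LAPS-Readers,
# computer name MGMT01. Replace them with your own values.
Import-Module AdmPwd.PS

$ou      = 'OU=MGMT,OU=SERVERS,DC=CORP,DC=NTWEEKLY,DC=COM'   # OU used in the post
$readers = 'CORP\LAPS-Readers'                                # hypothetical group
# Principals we expect to hold extended rights on the OU (assumed baseline).
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $readers)

# 1. Extend the schema with the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
#    attributes. Run once, as a member of Schema Admins.
Update-AdmPwdADSchema

# 2. Allow computers in the OU to write their own password attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Audit who already has extended rights on the OU. Extended rights allow
#    reading the confidential ms-Mcs-AdmPwd attribute, so anything outside the
#    expected list should be reviewed before machines start storing passwords.
$unexpected = Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Where-Object { $_ -notin $expected } |
    Sort-Object -Unique

if ($unexpected) {
    Write-Warning "Unexpected principals can read LAPS passwords in ${ou}:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}

# 4. Delegate password read access to a dedicated group instead of relying on
#    broad administrative rights.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 5. PowerShell equivalent of the LAPS UI lookup: show the current password and
#    when the next rotation is due.
Get-AdmPwdPassword -ComputerName 'MGMT01' |
    Select-Object ComputerName, ExpirationTimestamp, Password
```

Step 5 only returns a password once the GPO has applied and the client has rotated the password at least once; until then the Password field is empty.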