We recently covered preparing Active Directory and deploying the LAPS CSE/Client to the machines you wish to manage in part 1 of deploying Microsoft LAPS. Part 2 covers “Turning on” LAPS via Group Policy, the LAPS process and how it works once deployed.
On your LAPS management machine, head to C:\Windows\PolicyDefinitions, where you will find AdmPwd.admx and AdmPwd.adml (under en-US). Copy these files into your Group Policy Central Store. If you do not have a Central Store (and do not wish to create one), you can launch Group Policy Management Console directly from your management machine, or copy the ADMX/ADML to a Domain Controller where you will be editing the policy.
Create a new GPO and navigate to Computer configuration -> Policies -> Administrative Templates -> LAPS
This is where you’ll choose your password policy. The default is complex passwords, 14 characters long, with a password age of 30 days (machines will automatically change their password when this age is reached).
Name of administrator account to manage
In part 1 we deployed a custom local administrator account named LocalAdmin; this is the account I wish to manage. Leave this set to “Not configured” to manage the built-in Administrator account (SID ending in -500).
Enable local admin password management
Enable this setting to turn LAPS on.
Do not allow password expiration time longer than required by policy
When you enable this setting, planned password expiration longer than password age dictated by “Password Settings” policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
Link the GPO to the OU with the computer objects you wish to manage with LAPS (and that you have deployed the LAPS client to).
The LAPS process
- Machine with LAPS CSE queries Group Policy and receives the LAPS policy settings defined above
- Machine queries ms-Mcs-AdmPwdExpirationTime; if it is not set or has expired, the machine generates a new password, sets it locally and securely writes the value to the ms-Mcs-AdmPwd attribute in Active Directory
- Password is now set locally, stored in Active Directory and is ready for use
- The LAPS CSE will query this value on each Group Policy update; when the ms-Mcs-AdmPwdExpirationTime is met, or the attribute is not set, it will generate a new password
- If machine cannot contact Active Directory, no changes are made
If you’ve followed all of the steps so far, the solution will now be fully deployed. There are various ways you can view the password set by LAPS. The most obvious choice, and probably what most people will default to using, is the LAPS UI, which is installed as part of the LAPS management tools.
1. LAPS UI – Simply run the UI, type the computer name and click search.
Note the Set button. This allows you to manually manage when the password is re-generated for a given machine. If you want to expire the password immediately, click Set with the current date and time. The next time the computer performs a gpupdate, it will check the ms-Mcs-AdmPwdExpirationTime attribute, which will force it to re-generate a password (as it will have expired). You can also set it to a specific date and time if required.
2. PowerShell – Get-AdmPwdPassword cmdlet
3. Active Directory Users and Computers (DSA.MSC) – Make sure you have Advanced Features ticked from the View menu.
Note that the expiry time is in NT system time; to convert it to a readable format, use w32tm /ntte %ms-Mcs-AdmPwdExpirationTime%.
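To check the LAPS process described above across a whole OU rather than one machine at a time, the expiration attribute can be read in bulk and converted the same way w32tm /ntte does. This is an added example, not part of the original post or the LAPS tooling; it assumes the ActiveDirectory RSAT module, a placeholder OU distinguished name, and a hypothetical helper named ConvertFrom-LapsExpiry.

```powershell
# Added example: report LAPS state per computer from ms-Mcs-AdmPwdExpirationTime.
# Requires the ActiveDirectory module (RSAT). It only reads the expiration
# attribute; it never reads the stored password (ms-Mcs-AdmPwd).
Import-Module ActiveDirectory

# Assumption: placeholder DN, replace with the OU the LAPS GPO is linked to.
$SearchBase = 'OU=Workstations,DC=example,DC=com'
$Attr       = 'ms-Mcs-AdmPwdExpirationTime'
$Now        = (Get-Date).ToUniversalTime()

function ConvertFrom-LapsExpiry {
    # Hypothetical helper: same conversion as "w32tm /ntte".
    # The value is a count of 100-ns intervals since 1601-01-01 UTC.
    param([Parameter(Mandatory)][long]$FileTime)
    [datetime]::FromFileTimeUtc($FileTime)
}

$report = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $Attr |
    ForEach-Object {
        $raw = $_.$Attr
        if ($null -eq $raw) {
            # Attribute never written: the machine has not completed a LAPS cycle.
            $expiry = $null
            $state  = 'NotManaged'
        } else {
            $expiry = ConvertFrom-LapsExpiry -FileTime $raw
            # Past expiry means the machine has not rotated since the deadline.
            $state  = if ($expiry -lt $Now) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{
            Computer  = $_.Name
            State     = $state
            ExpiryUtc = $expiry
        }
    }

# Per-machine detail, then a count for each state.
$report | Sort-Object State, Computer | Format-Table -AutoSize
$report | Group-Object State | Select-Object Name, Count
```

Machines reported as NotManaged have never written the attribute (no CSE, no GPO applied, or no Group Policy refresh yet), and machines reported as Expired have not processed Group Policy against Active Directory since the expiry time.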
If you’re looking at a Local Administrator Password solution, are currently using GPPs to deploy Local Administrator accounts, or simply want to increase the security of your machines, LAPS is absolutely something you should look to implement. I hope you’ve found these posts helpful, and good luck!