Introduction
LAPS, which stands for "Local Administrator Password Solution," is a Microsoft tool designed to enhance security in an Active Directory environment by automatically managing and rotating the passwords of local administrator accounts on domain-joined Windows computers. Its primary goal is to remove a common weakness, the same local administrator password on many machines, which lets an attacker who recovers that password (or its hash) on one host move laterally to all the others. This guide covers the original downloadable release, now called legacy LAPS; its successor, Windows LAPS, is built into current Windows releases and is mentioned below where the cmdlets differ.
How LAPS works:
- Password Rotation: LAPS automatically generates a random and unique password for each computer's local administrator account and writes it to that computer's object in Active Directory.
- Security: The password is stored in the ms-Mcs-AdmPwd attribute in clear text. Its confidentiality rests entirely on the attribute's ACL, so only the principals you delegate, plus anyone who already holds full control or "All extended rights" on the computer objects, can read it.
- Password Retrieval: LAPS provides tools (PowerShell cmdlets and a small UI) for authorized users, e.g. IT administrators, to retrieve the local administrator password of a specific computer when needed. Legacy LAPS does not log retrievals on its own; to audit them you must add a SACL on the attribute (Set-AdmPwdAuditing), after which each read is logged as event 4662 on the domain controllers.
- Password Expiry: A policy sets the maximum password age. At every Group Policy refresh the client compares the expiration time stored in Active Directory with the current time and, once it has passed, generates and sets a new password.
- Group Policy Integration: LAPS is managed through Group Policy, making it easier to deploy and configure for a large number of computers.
The use of LAPS significantly improves security by reducing the risk associated with using the same default local administrator password on all computers in a network. If an attacker gains access to the password on one machine, they won’t automatically have access to all other machines, as the passwords are unique.
LAPS is particularly valuable in environments where many computers are joined to an Active Directory domain, such as enterprises, educational institutions, and government organizations. It helps to mitigate the risks associated with local administrator accounts while also ensuring that IT administrators can access these accounts when needed for troubleshooting and maintenance.
LAPS Requirements
- Client operating systems:
Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista
- Active Directory:
Windows Server 2003 SP1 or later domain controllers (including Windows Server 2022); the schema extension must be run by a member of Schema Admins
- Management tools:
PowerShell 2.0 or later, .NET Framework 4.0 or later
How to Configure Microsoft Local Administrator Password Solution (LAPS)
Please review the requirements above before proceeding with these steps.
- Download the LAPS installer from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=46899
- Install LAPS.x64.msi on the management workstation and choose to install all components. Only the GPO client-side extension (CSE) is selected by default; the management tools (LAPS UI, PowerShell module and Group Policy templates) are optional and are the part you need here.
- Launch PowerShell as a member of Schema Admins and run the following commands to update the Active Directory schema:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
- After the schema update, computer objects have two additional attributes, ms-Mcs-AdmPwd (the password, stored in clear text and marked confidential) and ms-Mcs-AdmPwdExpirationTime, which you can see in the Attribute Editor of a computer object.
- Grant the computer accounts in the OU you want to manage through LAPS the right to write their own password and expiry time (the SELF permission):
Set-AdmPwdComputerSelfPermission -OrgUnit LAPSservers
If there is more than one OU with the same name, use the distinguishedName format:
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com"
- Assign read permission to the group that is allowed to retrieve passwords. Create a dedicated group for this (for example LAPSAdmins) rather than reusing a broad administrative group:
Set-AdmPwdReadPasswordPermission -Identity "LAPSservers" -AllowedPrincipals "LAPSAdmins"
Or, with the distinguishedName format:
Set-AdmPwdReadPasswordPermission -Identity "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" -AllowedPrincipals "LAPSAdmins"
- By default only members of Domain Admins, who have full control of the computer objects, can force a reset of the local password. If the group that manages LAPS is outside Domain Admins, grant it the reset permission as well:
Set-AdmPwdResetPasswordPermission -OrgUnit LAPSservers -AllowedPrincipals "LAPSAdmins"
Or,
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" -AllowedPrincipals "LAPSAdmins"
- To check who is granted these permissions, use the following. Every principal listed under ExtendedRightHolders can read the password; any that you did not delegate usually holds "All extended rights" on the OU and should be removed (see "Removing Extended Rights" at the end of this post).
Find-AdmPwdExtendedRights -Identity "LAPSservers" | fl
Find-AdmPwdExtendedRights -Identity "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" | fl
- Create a shared folder, upload LAPS.x64.msi to it and make sure the computer accounts can read it over the network (Domain Computers or Authenticated Users need read access on both the share and the NTFS folder). This share will be referenced from the GPO.
- Create a new GPO linked to the OU that contains the workstations/servers you want to manage through LAPS and edit the following:
Computer Configuration -> Policies -> Software Settings -> Software installation -> New -> Package, and add LAPS.x64.msi using the UNC path of the shared folder (a local path will not work for the clients). This installs only the CSE on the clients.
Computer Configuration -> Policies -> Administrative Templates -> LAPS, and configure the LAPS policy to your requirements. At minimum set "Enable local admin password management" to Enabled; "Password Settings" controls complexity, length and maximum age, and "Name of administrator account to manage" is only needed when the account you manage is not the built-in Administrator.
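The delegation steps above, as one script. This is an added example and not code from the original post or from Microsoft; it assumes the OU and the LAPSAdmins group used in the post, a management workstation with the LAPS management tools and the ActiveDirectory RSAT module installed, and a user who is in Schema Admins (for the one-time schema update) and may change the OU's ACL. It also adds the audit SACL the post does not mention and finishes with the Find-AdmPwdExtendedRights check, warning about any principal that can read the password but was never delegated.

```powershell
# Added example (not from the original post): delegate and verify legacy LAPS for one OU.
# Assumed names: the OU and the LAPSAdmins group from the post.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$ou          = 'OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com'
$readerGroup = 'LAPSAdmins'

# 1. Extend the schema only if the attribute is not already there (the update is per forest).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)')) {
    Update-AdmPwdADSchema | Out-Null
}

# 2. Computers must be able to write their own password and expiry time (SELF permission).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

# 3. Delegate read and reset to the dedicated group instead of reusing Domain Admins.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readerGroup | Out-Null

# 4. Audit reads: adds a SACL so every read of ms-Mcs-AdmPwd logs event 4662 on the DCs
#    ("Audit Directory Service Access" must be enabled on the domain controllers for this).
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone' | Out-Null

# 5. Verify: every holder of extended rights on the OU can read the password. Anything other
#    than the delegated group and the built-in full-control principals is a finding.
$nb       = (Get-ADDomain).NetBIOSName
$expected = "$nb\$readerGroup", "$nb\Domain Admins", "$nb\Enterprise Admins", 'NT AUTHORITY\SYSTEM'
$holders  = Find-AdmPwdExtendedRights -Identity $ou |
            ForEach-Object { $_.ExtendedRightHolders } | Sort-Object -Unique
$unexpected = $holders | Where-Object { $expected -notcontains $_ }

"Extended right holders on ${ou}:"
$holders | ForEach-Object { "  $_" }
if ($unexpected) {
    Write-Warning ("Undelegated principals can read ms-Mcs-AdmPwd: " + ($unexpected -join ', ') +
                   ". Remove 'All extended rights' for them on the OU before deploying the GPO.")
}
```

Run it before linking the GPO: if the warning fires, the passwords would be readable by those principals from the first rotation onward.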
Testing
Run gpupdate /force on the client. Because the CSE is deployed through Software installation, the package is typically installed only during the next reboot, so be careful and do not reboot a production server without confirming the maintenance window first.
To test LAPS, retrieve the password of a managed computer with the legacy PowerShell module:
Get-AdmPwdPassword -ComputerName SRV01
Or look it up in the LAPS UI installed with the management tools. If the domain uses Windows LAPS, the successor built into current Windows releases, the equivalent cmdlet from its built-in module is:
Get-LapsADPassword -Identity COMPUTERNAME -AsPlainText
Note that Get-LapsADPassword is not part of the legacy AdmPwd.PS module and does not replace Get-AdmPwdPassword in a legacy deployment.
Force reset the password.
There are two ways to force a reset of the local admin password. Both only write a new ms-Mcs-AdmPwdExpirationTime; the client generates and sets the new password the next time the LAPS CSE runs (gpupdate /force or the regular Group Policy refresh), not immediately.
- From the LAPS UI, open the app, look up the computer and click the Set button next to the new expiration time.
- Using PowerShell:
Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
Omit -WhenEffective to expire the password right away.
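A coverage check for the testing and reset steps above, as an added example that is not part of the original post. It assumes the OU from the post and a hypothetical host named SRV01, and is run by a member of the LAPSAdmins group. It reports which computers in the OU have no LAPS password at all (the CSE never ran), which have an expired one (the client missed its rotation), and then expires one host's password to force a rotation.

```powershell
# Added example (not from the original post): LAPS coverage report for one OU plus a forced reset.
# Assumed names: the OU from the post; SRV01 is a hypothetical host.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$ou  = 'OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com'
$now = Get-Date

$report = foreach ($c in Get-ADComputer -SearchBase $ou -Filter *) {
    # Get-AdmPwdPassword returns ComputerName, DistinguishedName, Password and ExpirationTimestamp.
    $p = Get-AdmPwdPassword -ComputerName $c.Name
    if (-not $p.Password)                    { $state = 'NotManaged' }  # attribute empty: CSE never ran
    elseif ($p.ExpirationTimestamp -lt $now) { $state = 'Expired' }     # client missed its rotation
    else                                     { $state = 'OK' }
    # The clear-text password is deliberately left out of the report; only its state and age matter here.
    [pscustomobject]@{ Computer = $c.Name; State = $state; Expires = $p.ExpirationTimestamp }
}
$report | Sort-Object State, Computer | Format-Table -AutoSize

# Common causes for a host that stays NotManaged after a reboot: the MSI did not install (the share
# is not readable by the computer account) or the SELF permission was not set on its OU.

# Force rotation for one host. This writes only ms-Mcs-AdmPwdExpirationTime; the password changes
# when the LAPS CSE next runs on SRV01 (gpupdate /force or the regular policy refresh).
Reset-AdmPwdPassword -ComputerName 'SRV01' -WhenEffective $now
```

Re-run the report after the client's next policy refresh: SRV01 should move from Expired back to OK with a new Expires value.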
Logging
After deploying LAPS you will find its events in Event Viewer. Clients running the legacy CSE write to the Application log with source AdmPwd; clients running Windows LAPS write to a dedicated LAPS folder under Applications and Services Logs > Microsoft > Windows > LAPS > Operational, where event IDs 10029 and 10023 are among those you will see during policy processing. Neither log records who read a password; that requires the audit SACL on the attribute (Set-AdmPwdAuditing -OrgUnit <OU> -AuditedPrincipals <group>) and shows up as event 4662 on the domain controllers.
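A client-side log check, as an added example that is not part of the original post. It reads the last 24 hours of LAPS events from both locations described above (whichever log does not exist on the client is skipped), summarises them by event ID and level so a failing client stands out, and prints the most recent errors in full. The log and provider names are the ones Windows LAPS and the legacy CSE use; nothing else is assumed.

```powershell
# Added example (not from the original post): collect recent LAPS events from a managed client.
$since   = (Get-Date).AddHours(-24)
$filters = @(
    @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = $since }   # Windows LAPS
    @{ LogName = 'Application'; ProviderName = 'AdmPwd'; StartTime = $since } # legacy LAPS CSE
)
$events = foreach ($f in $filters) {
    # SilentlyContinue: a missing log or "no events found" is not an error for this report.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# Summarise by ID and level (Critical = 1, Error = 2, Warning = 3, Information = 4).
$events | Group-Object Id, LevelDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Show the newest errors in full; these are what to read first when a password never updates in AD.
$events | Where-Object { $_.Level -in 1, 2 } | Sort-Object TimeCreated -Descending |
    Select-Object -First 5 | Format-List TimeCreated, Id, Message
```

If the summary is empty on a client that should be managed, the CSE is not installed or the policy is not applied; check gpresult /r before looking anywhere else.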
Removing the legacy LAPS software from a managed device
If the legacy CSE was installed from the MSI, uninstall it silently with its product code:
C:\>msiexec.exe /q /uninstall {97E2CA7B-B657-4FF7-A6DB-30ECC73E1E28}
If you installed legacy LAPS by manually copying and registering the legacy LAPS CSE DLL instead, unregister it and then delete the file:
regsvr32.exe /s /u AdmPwd.dll
then delete AdmPwd.dll.
Removing Extended Rights
Because ms-Mcs-AdmPwd is a confidential attribute, any principal that holds "All extended rights" on the computer objects can read the password regardless of the LAPS delegation. To remove that right from principals that should not have it:
ADSI Edit -> right-click the OU that contains the computer accounts -> Properties -> Security -> Advanced -> select the principal -> Edit
Uncheck "All extended rights", apply, and then re-run Find-AdmPwdExtendedRights to confirm that only the delegated group and the built-in administrators remain.
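The same clean-up in PowerShell, as an added example that is not part of the original post. It assumes the OU and the LAPSAdmins group from the post and the ActiveDirectory module's AD: drive. It removes explicit "All extended rights" ACEs from principals outside an allow list, leaves the delegated LAPS read permission alone (that one is scoped to the attribute GUID, not to all extended rights), and only warns about inherited ACEs and Full control grants, which must be handled on the parent container or reviewed by hand.

```powershell
# Added example (not from the original post): strip "All extended rights" from undelegated principals.
# Assumed names: the OU and LAPSAdmins group from the post.
Import-Module ActiveDirectory -ErrorAction Stop

$ou   = 'OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com'
$nb   = (Get-ADDomain).NetBIOSName
$keep = "$nb\LAPSAdmins", "$nb\Domain Admins", "$nb\Enterprise Admins", 'NT AUTHORITY\SYSTEM'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path "AD:\$ou"
foreach ($ace in @($acl.Access)) {                     # snapshot: the loop modifies $acl
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($keep -contains $ace.IdentityReference.Value) { continue }

    # "All extended rights" is an ExtendedRight ACE whose ObjectType is the empty GUID.
    # The LAPS read delegation is an ExtendedRight scoped to the ms-Mcs-AdmPwd GUID, so it is untouched.
    $allExtended = $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and $ace.ObjectType -eq [guid]::Empty
    $fullControl = $ace.ActiveDirectoryRights.HasFlag($genericAll)

    if ($fullControl) {
        # GenericAll implies every extended right; review the delegation instead of removing it blindly.
        Write-Warning "$($ace.IdentityReference) has Full control on $ou (inherited: $($ace.IsInherited)); review it."
        continue
    }
    if (-not $allExtended) { continue }

    if ($ace.IsInherited) {
        # Inherited ACEs cannot be removed here; fix them on the container they are inherited from.
        Write-Warning "$($ace.IdentityReference) inherits All extended rights from a parent of $ou."
        continue
    }
    Write-Host "Removing All extended rights for $($ace.IdentityReference) on $ou"
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Confirm with the LAPS module: only the delegated group and built-in admins should remain.
Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity $ou | Format-List
```

Run it once per OU that holds managed computers, and treat every warning it prints as a delegation to review, since Full control on the OU grants the same read access as the right this script removes.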