Introduction

Windows LAPS, which stands for “Local Administrator Password Solution,” is a Microsoft tool designed to enhance security in an Active Directory environment by automatically managing and rotating the passwords of local administrator accounts on Windows computers. The primary goal of LAPS is to prevent attackers from easily exploiting a common vulnerability – the use of the same local administrator password on multiple machines.

How LAPS works:

  • Password Rotation: LAPS automatically generates a random and unique password for each computer’s local administrator account. These passwords are stored in Active Directory as a secure attribute.
  • Security: Passwords are stored in a restricted Active Directory attribute, and only authorized users or systems have access to view these passwords. The permissions are set in a way that limits access to the passwords.
  • Password Retrieval: LAPS provides tools to authorized users (e.g., IT administrators) to retrieve the local administrator password for a specific computer when needed. This retrieval is logged for auditing purposes.
  • Password Expiry: LAPS allows you to set an expiration date for the local administrator password. When the password expires, LAPS generates a new one.
  • Group Policy Integration: LAPS is managed through Group Policy, making it easier to deploy and configure for a large number of computers.

The use of LAPS significantly improves security by reducing the risk associated with using the same default local administrator password on all computers in a network. If an attacker gains access to the password on one machine, they won’t automatically have access to all other machines, as the passwords are unique.

LAPS is particularly valuable in environments where many computers are joined to an Active Directory domain, such as enterprises, educational institutions, and government organizations. It helps to mitigate the risks associated with local administrator accounts while also ensuring that IT administrators can access these accounts when needed for troubleshooting and maintenance.

LAPS Requirement

  1. Client operating systems - Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows 8, Windows Vista, Windows 8.1
  2. Active Directory – Windows Server 2003 SP1 or later (including Windows Server 2022)
  3. Management Tools – PowerShell 2.0 or later, .NET Framework 4.0 or later

How to Configure Microsoft Local Administrator Password Solution (LAPS)

Please review the requirements above before proceeding with these steps:

Install the LAPS installer.

  1. Download the LAPS installer from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=46899

  2. Install LAPS.x64.msi (choose to install all components).

  3. Launch PowerShell and run the following commands to update the Active Directory schema:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema
  4. After the schema update, you will see the additional ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes on computer objects in Attribute Editor.
  5. Grant computer objects in the OU that contains the workstations/servers you want to manage through LAPS permission to write their own password attributes:
Set-AdmPwdComputerSelfPermission -OrgUnit LAPSservers

If there is more than one OU with the same name, use the distinguishedName format instead:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" 
  6. Assign the group that is allowed to read passwords. You can create a dedicated admin group for this purpose.
Set-AdmPwdReadPasswordPermission -Identity "LAPSservers" -AllowedPrincipals "LAPSAdmins"

Or, use the distinguishedName format:

Set-AdmPwdReadPasswordPermission -Identity "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" -AllowedPrincipals "LAPSAdmins"   
  7. By default, members of the Domain Admins group have the privilege to force a reset of the local password. If you want a group outside Domain Admins to manage LAPS, you must grant that group the reset-password permission:
Set-AdmPwdResetPasswordPermission -OrgUnit LAPSservers -AllowedPrincipals "LapsAdmins"

Or, using the distinguishedName format:

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" -AllowedPrincipals "LapsAdmins"
  8. To check who has been granted these permissions, use the following:
Find-AdmPwdExtendedRights -Identity "LAPSservers" | fl
Find-AdmPwdExtendedRights -Identity "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com" | fl
  9. Create a shared folder and upload the LAPS.x64.msi installer to it. This shared folder will be referenced by the GPO, so make sure it is accessible from the network by the managed computers.
  10. Create a new GPO linked to the OU that contains the workstations/servers you want to manage through LAPS and edit the following.
Computer Configuration->Policies->Software Setting->New package

Add LAPS.x64.msi from the shared folder.

Computer Configuration->Administrative Template->LAPS

Configure the LAPS policy according to your requirements (for example, password length, complexity and expiration).

Testing

Run gpupdate /force on the client. Typically this requires a reboot for the software installation to apply, so be careful and do not reboot a production server without further confirmation.

To test LAPS, retrieve the password for a managed computer with the following PowerShell command:

Get-AdmPwdPassword -ComputerName SRV01

Or just use the LAPS UI. On Windows LAPS, the built-in successor to the legacy solution, the equivalent cmdlet is:

Get-LapsADPassword -Identity COMPUTERNAME -AsPlainText
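As an added verification step (example script, not part of the original post), the following PowerShell enumerates who has been granted password read rights on the OU and which computers in it already have a LAPS-managed password, so a rollout can be checked before it is relied on. It assumes the AdmPwd.PS and ActiveDirectory modules are installed; the OU distinguishedName reuses the placeholder from the steps above.

```powershell
# Added example (not from the original post): verify a legacy LAPS rollout on one OU.
# Assumes the AdmPwd.PS module and the ActiveDirectory RSAT module are available.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = "OU=LAPSservers,OU=Servers,DC=amanulloh,DC=com"   # placeholder; use your own OU

# 1. Who can read ms-Mcs-AdmPwd on this OU? Any principal you do not expect here is a finding.
Write-Host "Principals with extended rights (password read) on $OU :"
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object -ExpandProperty ExtendedRightHolders

# 2. Which computers in the OU have a current LAPS password?
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME (Int64, UTC). A missing value means
#    the LAPS client-side extension has not run on that machine yet.
$now = Get-Date
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            $expires = $null
            $status  = 'NO PASSWORD SET'
        } else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
            $status  = if ($expires -lt $now) { 'EXPIRED (rotation pending)' } else { 'OK' }
        }
        [PSCustomObject]@{
            Computer = $_.Name
            Expires  = $expires
            Status   = $status
        }
    } | Sort-Object Status | Format-Table -AutoSize
```

Computers reported as NO PASSWORD SET have not applied the GPO yet (the CSE is not installed or gpupdate has not run); EXPIRED entries will rotate on the next policy refresh.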

Force Reset the password.

There are two ways to force a reset of the local admin password.

  • From the LAPS UI, open the app and click the Set button. After the client refreshes the policy, the password is changed immediately.
  • Using PowerShell:
Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>

Logging

After deploying LAPS, a LAPS folder appears in Event Viewer that logs LAPS activity, including event IDs 10029 and 10023.

Removing the legacy LAPS software from a managed device

C:\>msiexec.exe /q /uninstall {97E2CA7B-B657-4FF7-A6DB-30ECC73E1E28}

If you installed legacy LAPS by manually copying and registering the legacy LAPS CSE DLL, unregister and delete it:

regsvr32.exe /s /u AdmPwd.dll
del AdmPwd.dll

Removing Extended Rights

ADSI Edit -> right-click the OU that contains the computer accounts -> Security -> Advanced -> Edit -> uncheck all extended rights granted for LAPS.