
LAPS (Local Administrator Password Solution)

Local Administrator Password Solution (LAPS) "is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it."

warning

Work in progress - I'm still pulling over and organizing my notes from this Webinar

  1. Create a new GPO in Group Policy Objects called LAPS-workstations
  2. Go to Computer Configuration > Policies > Admin Templates > System > LAPS
  3. Touch the following settings:
    1. Name of administrator account to manage - leave it unconfigured if you only want to manage the built-in local Administrator account; if you use a custom account such as ttadmin, enable it and enter that name
    2. Edit Configure password backup directory - enable Active Directory
    3. For Password Settings, enable it and set the settings
    4. Enable Password Encryption
    5. Configure size of encrypted password history and change it to something appropriate
    6. Run `gpupdate /force`
    7. On the DC, open Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational
    8. On the machine, do the same thing and then note error 10012!
    9. PowerShell:
      1. `gcm -Module LAPS`
      2. `Update-LapsADSchema -Verbose` - say A for all.
      3. `Set-LapsADComputerSelfPermission -Identity 'OU=Students,DC=tangent,DC=town'`

Run `gpupdate /force` on the DC, then `gpupdate /force` on the machine.

Then:

`Get-LapsADPassword -Identity tt-dt01`

`Get-LapsADPassword -Identity tt-dt01 -AsPlainText`

Show in ADUC how cool things are!

Back to policy, adjust post-authentication actions

Now change the password manually

Then do:

`Get-LapsADPassword -Identity tt-dt01 -AsPlainText -IncludeHistory`

Do DSRM stuff:

  • New policy on the DCs
  • Enable password backup for DSRM
  • Enable password encryption
  • Configure password backup directory
  • Password Settings

Delegate access to people:

`Set-LapsADReadPasswordPermission -Identity Students -AllowedPrincipals "tangent\Tangent Town Students"`

Good reference guide: https://www.ravenswoodtechnology.com/6-tips-to-harden-your-windows-laps-deployment/

PowerShell one-liner to get all LAPS passwords (every managed computer in the domain, in plaintext):

`Get-LapsADPassword -Identity (Get-ADComputer -Filter *) -AsPlainText | Select-Object ComputerName, Password, ExpirationTimestamp`
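As an added check that is not part of the webinar notes, this script audits the Students OU used in the commands above: it reads only the msLAPS-PasswordExpirationTime attribute to flag machines that never backed up a password or whose rotation is overdue, then lists who holds the extended right to read LAPS passwords on the OU. The $TargetOU default, the module names and the Find-LapsADExtendedRights output properties are assumptions based on the Windows LAPS module; adjust the OU for your own domain.

```powershell
# Added LAPS deployment audit (not from the original notes). Assumes the
# Windows LAPS and ActiveDirectory PowerShell modules are installed and the
# OU below exists. No password is ever decrypted or displayed.
param(
    [string]$TargetOU = 'OU=Students,DC=tangent,DC=town'   # assumed from the notes above
)

Import-Module LAPS
Import-Module ActiveDirectory

$now = Get-Date

# 1. Coverage: which computers in the OU have a LAPS backup, and is it current?
#    Only the expiration attribute is read, never msLAPS-Password itself.
$computers = Get-ADComputer -Filter * -SearchBase $TargetOU `
    -Properties 'msLAPS-PasswordExpirationTime'

$report = foreach ($c in $computers) {
    $raw = $c.'msLAPS-PasswordExpirationTime'      # FILETIME as Int64, or $null
    $expires = if ($raw) {
        [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
    } else { $null }

    $status = if (-not $expires)      { 'NeverBackedUp' }  # policy not applied, or backup failing (check the client's LAPS Operational log)
              elseif ($expires -lt $now) { 'Expired' }     # rotation is overdue
              else                       { 'OK' }

    [pscustomobject]@{
        ComputerName = $c.Name
        Expires      = $expires
        Status       = $status
    }
}

$report | Sort-Object Status, ComputerName | Format-Table -AutoSize

# 2. Delegation: which principals can read LAPS passwords on this OU?
#    Anything beyond the group delegated with Set-LapsADReadPasswordPermission
#    is a finding to follow up on.
Find-LapsADExtendedRights -Identity $TargetOU |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List
```

Run it after the gpupdate steps above: a machine still listed as NeverBackedUp is the one whose LAPS Operational log you want to read next.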