LAPS (Local Administrator Password Solution)
Local Administrator Password Solution (LAPS) "is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it."
Work in progress - I'm still pulling over and organizing my notes from this Webinar
- Create a new GPO in Group Policy Objects called `LAPS-workstations`
- Go to Computer Configuration > Policies > Admin Templates > System > LAPS
- Touch the following settings:
  - Name of admin account to manage - don't configure it if you just want to manage the built-in local Administrator account, but if the account is something like `ttadmin` then enable it
  - Edit Configure password backup directory - enable Active Directory
  - For Password Settings, enable it and set the settings
  - Do the Enable Password Encryption
  - Do Configure size of encrypted password history and change it to something appropriate
- Do `gpupdate /force`
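An added check that is not part of the original notes: after `gpupdate /force`, read the effective Windows LAPS policy on a client from the policy registry key and compare it with what the `LAPS-workstations` GPO above is meant to deliver. The registry path and value names follow the documented LAPS policy settings as I understand them (verify on your build); the values under `$Expected` are lab assumptions, not settings from the webinar.

```powershell
# Added example: audit the applied LAPS policy on a client against intended values.
# Path and value names are assumed from the documented LAPS policy settings.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Intended settings for this lab (assumed values).
# BackupDirectory: 2 = Windows Server Active Directory, 1 = Microsoft Entra ID, 0 = disabled
$Expected = @{
    BackupDirectory                = 2
    ADPasswordEncryptionEnabled    = 1
    ADEncryptedPasswordHistorySize = 6
    PasswordLength                 = 20
    PasswordAgeDays                = 30
}

function Test-LapsPolicy {
    param([string]$Path = $PolicyPath, [hashtable]$Wanted = $Expected)

    if (-not (Test-Path $Path)) {
        Write-Warning "No LAPS policy key at $Path - GPO not applied yet? Check the LAPS Operational log."
        return
    }
    $actual = Get-ItemProperty -Path $Path

    foreach ($name in $Wanted.Keys) {
        $value  = $actual.$name
        $shown  = if ($null -eq $value) { '<not set>' } else { $value }
        $status = if ($value -eq $Wanted[$name]) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Setting = $name; Expected = $Wanted[$name]; Actual = $shown; Status = $status }
    }

    # AdministratorAccountName should be absent when managing the built-in Administrator
    # (LAPS locates it by well-known SID); it is only set for a custom account such as ttadmin.
    $acct   = $actual.AdministratorAccountName
    $shown  = if ($acct) { $acct } else { '<not set>' }
    $status = if ($acct) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Setting = 'AdministratorAccountName'; Expected = '<unset for built-in admin>'; Actual = $shown; Status = $status }
}

Test-LapsPolicy | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the workstation; any `MISMATCH` row points at a setting the GPO did not apply (or applied with a different value), which is the usual reason the Operational log fills with errors after the first `gpupdate`.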
- On the DC, open `Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational`
- On the machine, do the same thing and then note error 10012!
- PowerShell stuff!
  - `gcm -Module LAPS`
  - `Update-LapsADSchema -Verbose` - say `A` (yes to all) for all
  - `Set-LapsADComputerSelfPermission -Identity 'OU=Students,DC=tangent,DC=town'`
  - `gpupdate /force` on the DC, `gpupdate /force` on the machine
  - Then:
    - `Get-LapsADPassword -Identity tt-dt01`
    - `Get-LapsADPassword -Identity tt-dt01 -AsPlainText`
Show in ADUC how cool things are!
Back to the policy, adjust Post-authentication actions.
Now change the password manually.
Then do:
`Get-LapsADPassword -Identity tt-dt01 -AsPlainText -IncludeHistory`
Do DSRM stuff:
- New policy on the DCs
  - Enable password backup for DSRM
  - Enable password encryption
  - Configure password backup directory
  - Password Settings
Delegate access to people:
`Set-LapsADReadPasswordPermission -Identity Students -AllowedPrincipals "tangent\Tangent Town Students"`
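An added example, not from the original notes: once password read rights have been delegated, the thing to check periodically is who actually holds them. This uses the LAPS module's `Find-LapsADExtendedRights` cmdlet to list the LAPS extended-right holders on every OU and flags any principal outside an allow-list. The output property names (`ObjectDN`, `ExtendedRightHolders`) are as I recall them from the module, and the allow-list entries are assumptions for the `tangent.town` lab.

```powershell
# Added example: audit LAPS password-read delegation across all OUs.
Import-Module LAPS
Import-Module ActiveDirectory

# Principals expected to hold the right (assumed names for this lab).
$Allowed = @(
    'NT AUTHORITY\SYSTEM',
    'TANGENT\Domain Admins',
    'TANGENT\Tangent Town Students'   # the group delegated above
)

function Get-LapsDelegationReport {
    param([string[]]$AllowedPrincipals = $Allowed)

    $ous = Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
    foreach ($ou in $ous) {
        # Cmdlet output property names assumed: ObjectDN and ExtendedRightHolders.
        $rights = Find-LapsADExtendedRights -Identity $ou -ErrorAction SilentlyContinue
        foreach ($r in $rights) {
            foreach ($holder in $r.ExtendedRightHolders) {
                $status = if ($AllowedPrincipals -contains $holder) { 'expected' } else { 'REVIEW' }
                [pscustomobject]@{ OU = $r.ObjectDN; Principal = $holder; Status = $status }
            }
        }
    }
}

Get-LapsDelegationReport | Sort-Object Status, OU | Format-Table -AutoSize
```

Rows marked `REVIEW` are principals that can read (and with encryption enabled, decrypt) local admin passwords without being on the list; that is the permission creep the hardening guide below warns about.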
Good reference guide: https://www.ravenswoodtechnology.com/6-tips-to-harden-your-windows-laps-deployment/
PowerShell script to get all LAPS passwords:
`Get-LapsADPassword -Identity (Get-ADComputer -Filter *) -AsPlainText | Select-Object ComputerName, Password, ExpirationTimestamp`
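A complementary added example (mine, not from the notes): the script above dumps every password in plain text, which is rarely what an operator needs. For day-to-day health checking, this version reports which computers in an OU have no LAPS password stored at all, an expired one, or one about to expire, without using `-AsPlainText`. The OU distinguished name and the warning threshold are lab assumptions.

```powershell
# Added example: LAPS coverage and expiry report that never decrypts passwords.
Import-Module LAPS
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [string]$SearchBase = 'OU=Students,DC=tangent,DC=town',   # assumed OU
        [int]$WarnWithinDays = 3
    )
    $now = Get-Date
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # Computers with no LAPS attributes make the cmdlet error; treat that as "not covered".
        $entry = Get-LapsADPassword -Identity $computer.DistinguishedName -ErrorAction SilentlyContinue
        if (-not $entry) {
            $expires = $null
            $status  = 'NO PASSWORD STORED'
        } else {
            $expires = $entry.ExpirationTimestamp
            $status  = if ($expires -lt $now) { 'EXPIRED' }
                       elseif ($expires -lt $now.AddDays($WarnWithinDays)) { 'EXPIRING SOON' }
                       else { 'OK' }
        }
        [pscustomobject]@{ ComputerName = $computer.Name; Expires = $expires; Status = $status }
    }
}

# Show only the machines that need attention.
Get-LapsCoverageReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

`NO PASSWORD STORED` on a machine that has had the GPO for a while usually means the self-permission step (`Set-LapsADComputerSelfPermission`) was missed for its OU, which is also what the 10012 errors in the Operational log on the client point at.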