
LAPS (Local Administrator Password Solution)

Work in progress - I'm pulling over and organizing my notes from this webinar

  1. Create a new GPO in Group Policy Objects called LAPS-workstations
  2. Go to Computer Configuration > Policies > Administrative Templates > System > LAPS
  3. Touch the following settings:
    1. Name of administrator account to manage: leave it Not Configured if you want to manage the built-in Administrator account (Windows LAPS finds it by its well-known RID, even if it has been renamed); only enable it, and enter the name, for a custom local admin such as ttadmin
    2. Configure password backup directory: enable it and select Active Directory
    3. Password Settings: enable it and set complexity, length and age
    4. Enable password encryption: enable it (requires the domain to be at Windows Server 2016 functional level or higher)
    5. Configure size of encrypted password history: enable it and set it to something appropriate
    6. Run gpupdate /force
    7. On the DC, open Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational
    8. On the machine, open the same log and note the error event (10012) it logs before the schema and permission steps below are done
    9. PowerShell:
      1. gcm -Module LAPS (lists the Windows LAPS cmdlets)
      2. Update-LapsADSchema -Verbose, answer A (Yes to All) at the prompt
      3. Set-LapsADComputerSelfPermission -Identity 'OU=Students,DC=tangent,DC=town' (lets computers in that OU write their own msLAPS-* attributes)

gpupdate /force on the DC, then gpupdate /force on the machine

Then:

Get-LapsADPassword -Identity tt-dt01 (the Password property comes back as a SecureString)

Get-LapsADPassword -Identity tt-dt01 -AsPlainText
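The DC-side steps above (schema extension, computer self-permission, gpupdate, verification) as one script, added here as an example; it is not code from the webinar. It assumes the lab names used in these notes (tangent.town, OU=Students, tt-dt01), that it runs on a DC as a Schema Admin for the -ExtendSchema step, and that PowerShell remoting to the client works.

```powershell
# Added example, not from the webinar notes: DC-side Windows LAPS setup plus
# client verification. Assumptions: lab names from the notes (tangent.town,
# OU=Students, tt-dt01); run on a DC; Schema Admins for -ExtendSchema.
#Requires -Modules LAPS, ActiveDirectory
param(
    [string]$TargetOU     = 'OU=Students,DC=tangent,DC=town',
    [string]$TestComputer = 'tt-dt01',
    [switch]$ExtendSchema            # one-time per forest
)

Import-Module LAPS, ActiveDirectory -ErrorAction Stop

# 1. Extend the schema once per forest (adds the msLAPS-* attributes).
#    -Confirm:$false is the non-interactive form of answering "A" (Yes to All).
if ($ExtendSchema) {
    Update-LapsADSchema -Confirm:$false -Verbose
}

# 2. Computers need write access to their own msLAPS-* attributes; without it the
#    client logs an error in its LAPS Operational log and nothing lands in AD.
Set-LapsADComputerSelfPermission -Identity $TargetOU | Out-Null

# 3. "Enable password encryption" needs Windows Server 2016 DFL or later. Check it
#    here instead of discovering it from a client-side error later.
$mode = [int](Get-ADDomain).DomainMode
$min  = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
if ($mode -lt $min) {
    Write-Warning 'Domain functional level below 2016: LAPS password encryption will not work.'
}

# 4. Refresh policy on the client, force a LAPS policy cycle, and pull errors and
#    warnings from its Operational log so a failure shows up here, not in Event Viewer.
function Test-LapsClient {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        gpupdate.exe /target:computer /force | Out-Null
        Invoke-LapsPolicyProcessing
        Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50 |
            Where-Object Level -le 3 |          # 2 = Error, 3 = Warning
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}
Test-LapsClient -ComputerName $TestComputer | Format-Table -Wrap

# 5. Read the stored password metadata back. Without -AsPlainText the Password
#    property is a SecureString, so nothing secret lands in the transcript.
Get-LapsADPassword -Identity $TestComputer |
    Format-List ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source, DecryptionStatus

# Only when you actually need to type it at a logon prompt:
# Get-LapsADPassword -Identity $TestComputer -AsPlainText | Select-Object -ExpandProperty Password
```

An empty result from Test-LapsClient after the self-permission step is the "good" state; errors that persist after it usually mean the GPO is not linked to the computer's OU or the schema update has not replicated to the DC the client is talking to.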

Show the LAPS tab on the computer object in ADUC (password, expiry, and the history once encryption is on).

Back in the policy, adjust Post-authentication actions (what LAPS does once the managed account's password has been used: reset it, and optionally log off or reboot, after the grace period).

Now change the password manually

Then do:

Get-LapsADPassword -Identity tt-dt01 -AsPlainText -IncludeHistory

DSRM (Directory Services Restore Mode) password backup on the domain controllers:

  • New policy linked to the Domain Controllers OU
  • Enable password backup for DSRM accounts
  • Enable password encryption (DSRM backup only works with encryption on)
  • Configure password backup directory: Active Directory
  • Password Settings

Delegate access to people:

Set-LapsADReadPasswordPermission -Identity Students -AllowedPrincipals "tangent\Tangent Town Students"

Good reference guide: https://www.ravenswoodtechnology.com/6-tips-to-harden-your-windows-laps-deployment/

PowerShell one-liner to get all LAPS passwords (handle with care: the output is every managed local admin password in the domain, in plaintext):

Get-LapsADPassword -Identity (Get-ADComputer -Filter *).Name -AsPlainText | Select-Object ComputerName, Password, ExpirationTimestamp
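The delegation step (Set-LapsADReadPasswordPermission) and the "get all passwords" one-liner above both deserve a safer form: audit who can already read passwords on the OU, delegate to one group, and inventory password freshness without pulling plaintext for every machine. This is an added example, not from the webinar; it assumes the lab OU from the notes and a hypothetical "tangent\LAPS Readers" group.

```powershell
# Added example, not from the webinar notes: audit LAPS read rights on an OU,
# delegate them, and report password freshness using metadata only.
# Assumptions: OU from the notes; 'tangent\LAPS Readers' is a hypothetical group.
#Requires -Modules LAPS, ActiveDirectory
param(
    [string]$TargetOU       = 'OU=Students,DC=tangent,DC=town',
    [string]$ReaderGroup    = 'tangent\LAPS Readers',   # hypothetical
    [int]   $StaleAfterDays = 30
)
Import-Module LAPS, ActiveDirectory -ErrorAction Stop

# 1. Who holds the control-access rights to read/decrypt passwords under this OU?
#    Anything beyond SYSTEM, Domain Admins and the intended reader group is a finding.
Find-LapsADExtendedRights -Identity $TargetOU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize -Wrap

# 2. Delegate read to one group. Expire/reset rights are a separate grant
#    (Set-LapsADResetPasswordPermission); keep the two audiences distinct.
Set-LapsADReadPasswordPermission -Identity $TargetOU -AllowedPrincipals $ReaderGroup | Out-Null

# 3. Inventory without -AsPlainText: Password stays a SecureString, and the report
#    still tells you which machines are not rotating.
function Get-LapsFreshnessReport {
    param([string]$SearchBase, [int]$StaleDays)
    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleDays)
    foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
        try {
            $p = Get-LapsADPassword -Identity $c.Name -ErrorAction Stop
            # Expired long ago means the client is not checking in, not that LAPS is working.
            if     ($p.ExpirationTimestamp -lt $now) { $status = 'Expired' }
            elseif ($p.PasswordUpdateTime  -lt $cutoff) { $status = 'Stale' }
            else                                       { $status = 'OK' }
            [pscustomobject]@{
                ComputerName = $c.Name; Status = $status
                Updated = $p.PasswordUpdateTime; Expires = $p.ExpirationTimestamp; Source = $p.Source
            }
        } catch {
            # No msLAPS-* data yet: policy not applied, or computer self-permission missing.
            [pscustomobject]@{
                ComputerName = $c.Name; Status = 'NoPassword'; Updated = $null; Expires = $null; Source = $null
            }
        }
    }
}
Get-LapsFreshnessReport -SearchBase $TargetOU -StaleDays $StaleAfterDays |
    Sort-Object Status, ComputerName | Format-Table -AutoSize

# 4. Plaintext only for one machine, on demand, with history for an incident timeline:
# Get-LapsADPassword -Identity tt-dt01 -AsPlainText -IncludeHistory
```

Run the report from a workstation whose transcript you control, and treat a 'NoPassword' or long-'Expired' row as a machine whose local admin password is not under LAPS control at all.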