Install Local Administrator Password Solution (LAPS)

In this article I’ll explain how to install Local Administrator Password Solution (LAPS) to manage the local administrator passwords on Windows 10, Windows Server 2016 and Windows Server 2019 computers.

Installation Local Administrator Password Solution (LAPS)

Double click the LAPS.x64.msi from the downloaded files folder.

Click Next to continue.

Accept Terms and click Next to continue.

Install all the Management Tools. If you plan to manage this computer with LAPS as well, also install the AdmPwd GPO Extension. Click Next to continue.

Click Install.

Click Finish.

LAPS UI is now available in the Start menu.

Update the schema

Update password and expiration time

The built-in SELF account must be granted write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts. This is required so that each machine can update the password and expiration timestamp of its own managed local Administrator account. The permission is managed per OU.

Run the following command to grant these rights to the built-in SELF account on a specific OU:

Read password

To allow users or groups to read the stored password of the managed local administrator account, the Control_access permission must be granted on the ms-Mcs-AdmPwd attribute. To do so, run the following PowerShell command:

Reset password

To allow users or groups to reset the password for a managed local administrator account, the write permission must be added on ms-Mcs-AdmPwdExpirationTime. To do so, run the following PowerShell command:
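The schema update and the three delegations described above, followed by an audit of who can read stored passwords on the OU, as an added example that is not code from the original article. It uses the cmdlets of the AdmPwd.PS module that the Management Tools install; the OU, group names and the list of expected rights holders are placeholders to replace with your own.

```powershell
# Added example: the OU, groups and expected holders below are placeholders.
Import-Module AdmPwd.PS

$OrgUnit    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$ReadGroup  = 'EXAMPLE\LAPS-Readers'                # placeholder group
$ResetGroup = 'EXAMPLE\LAPS-Resetters'              # placeholder group

# Update the schema: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
# Run once per forest with an account that is a member of Schema Admins.
Update-AdmPwdADSchema

# Update password and expiration time: let each computer in the OU
# write its own password and expiration timestamp (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# Read password: Control_access on ms-Mcs-AdmPwd for the reader group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ReadGroup

# Reset password: write on ms-Mcs-AdmPwdExpirationTime for the reset group.
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ResetGroup

# Audit: list every principal holding extended rights on the OU and flag
# anything that is not on the expected list. Holders of "All extended rights"
# can read ms-Mcs-AdmPwd even if they were never delegated through LAPS.
$Expected = @(
    $ReadGroup,
    'NT AUTHORITY\SYSTEM',
    'EXAMPLE\Domain Admins'                         # placeholder
)

Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
    $unexpected = @($_.ExtendedRightHolders | Where-Object { $_ -notin $Expected })
    if ($unexpected.Count -gt 0) {
        [pscustomobject]@{
            ObjectDN   = $_.ObjectDN
            Unexpected = $unexpected -join '; '
        }
    }
}
```

An empty result from the audit step means only the expected principals can read stored passwords on that OU; any row returned is a delegation to review before rolling LAPS out to clients.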

Group Policy

LAPS is manageable by GPO using a new template. The templates are located on the management computer:

  • %WINDIR%\PolicyDefinitions\AdmPwd.admx
  • %WINDIR%\PolicyDefinitions\en-US\AdmPwd.adml

If you use the Central Store, you need to copy both files to \\domain\Sysvol\Policies\PolicyDefinition.

You can find these settings under Computer Configuration -> Administrative Templates -> LAPS.

Installation Local Administrator Password Solution on client computers

To manage a client, install LAPS on it using the same MSI files, as described above in “Installation Local Administrator Password Solution (LAPS)”.

Read and reset passwords

  • Start LAPS UI
  • Search for computer name
  • The password is displayed with its expiration date and time
  • To reset the password, select a new expiration time and click Set. The status of the request is displayed at the bottom.
  • Click Search after a minute or two, and a new password with expiration time will be available

News Source: Systemcenterdudes

About Lex van der Horst 201 Articles
