Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis. The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD.
Use of LAPS by Delegated OU customers is optional, but is generally recommended.
It is the Delegated OU customer’s responsibility to enable and configure LAPS for client computers, and to manage access to the stored passwords. The customer’s side of the LAPS implementation consists of three parts: a client side extension (CSE); Group Policy Object (GPO) administrative template files (ADMX files) together with a GPO that applies the desired LAPS settings to computers; and administrative tools used to retrieve the stored password.
How to implement LAPS
Download the LAPS installation media, available here at the time of this writing.
Preparing a target computer
Install the CSE on a target computer. The CSE is a single dll file that contains the logic for processing the password settings, changing the password and storing the new password in Active Directory. The CSE can be installed in one of two ways:
- Run setup and choose AdmPwd GPO Extension. It is not necessary to install any other component on the managed computer. Using the installer has the benefit of the program being visible in add/remove programs.
- Alternatively, copy admpwd.dll to a target computer and register it with regsvr32, i.e. regsvr32.exe /i admpwd.dll.
Either option can be automated at scale; for example, Group Policy can be used to deploy the installation.
Creating a GPO
In order to create a GPO to enable and configure LAPS, install the admx files by running setup and choosing the option to install GPO Editor Templates.
Then, create a new GPO or modify an existing GPO. The admx files add four new settings that are available when editing a GPO. These new settings are at Computer Configuration | Policies | Administrative Templates | LAPS. Update the settings as desired. Note that you must set LAPS to enabled in the GPO in order for LAPS to function. The available settings are:
- Set LAPS to enabled. This setting is required to enable LAPS.
- Set Administrator account name. This setting is only useful if you want to manage an account other than the local administrator account. We *strongly* advise you not to use this setting. If you are setting this, ask us for help first.
- Set password settings. This setting allows you to configure the password length and strength. It is optional, and the defaults are pretty good.
- Set “Do not allow longer expiration”. This setting controls whether (Optional)
Apply the GPO to an Organizational Unit (OU) where you want to enable LAPS for all the computers underneath that OU.
Retrieving a password
The password can be retrieved using three common tools:
- Active Directory Users and Computers (ADUC),
- PowerShell, and
- a fat client
Any other LDAP client can also be used, since the password is simply an attribute on the computer object.
If a user without permission tries to view a password they will simply see the value “<not set>”.
ADUC password retrieval
Using ADUC, open the target computer object, click the attribute tab, scroll through the attributes and find the field ms-Mcs-AdmPwd.
PowerShell and Fat Client installation
To use PowerShell or the fat client, run setup and install the PowerShell CmdLets and/or Fat Client as desired. These tools can be installed individually and are not dependent upon the CSE or admx files to be installed on the same machine.
PowerShell password retrieval
To retrieve a password using PowerShell, issue the following command.
Get-AdmPwdPassword -ComputerName <ComputerName>
The password will be one of the returned attributes; it will be blank if the user does not have permission to read the password.
Fat client password retrieval
To retrieve a password using the fat client, run C:\Program Files\LAPS\admPwd.UI.exe. Enter a computer name in the search field to retrieve a password. The password will be returned, or will be blank if the user does not have permission to read the password.
Read password permissions
By default, each delegated OU has a LAPS Readers group that has permission to read the password for all computer objects in that delegated OU. For example, the Pottery OU has u_msinf_delou_pottery_lapsreaders. Each IT support organization can manage membership of this group to grant or deny the ability to retrieve a password. Only members of your OU Contacts group can manage your OU’s LAPS Readers group. For example, the Pottery OU Contacts group is u_msinf_delou_pottery_oucontacts. To manage the members of this group, navigate to the Groups Service, search for your LAPS Readers group and add/remove members as necessary.
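The following PowerShell script is an added example and not part of the original page or the LAPS product documentation. It ties together the retrieval and permission sections above: it lists every principal that holds the read right on ms-Mcs-AdmPwd under a delegated OU (using Find-AdmPwdExtendedRights from the AdmPwd.PS module that ships with the LAPS installer), flags computers in that OU where LAPS has never set a password or the password has expired, and then retrieves one password with Get-AdmPwdPassword, handling the blank result a non-reader receives. The OU distinguished name and computer name are placeholders; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example: audit LAPS read permissions and coverage for one delegated OU.
# Requires the AdmPwd.PS module (installed by the LAPS setup's PowerShell CmdLets
# option) and the ActiveDirectory RSAT module. Names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit = 'OU=Pottery,OU=Delegated,DC=example,DC=com'   # placeholder OU DN

# 1. Who can read ms-Mcs-AdmPwd under this OU? Every principal holding the
#    extended right on the OU or its sub-OUs is listed; review for unexpected entries.
Write-Host "Principals with LAPS read permission under $OrgUnit"
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-Table -AutoSize

# 2. Which computers have never had a LAPS password set, and which have an
#    expired one? A missing ms-Mcs-AdmPwdExpirationTime usually means the CSE is
#    not installed or the GPO is not applied to that computer.
$computers = Get-ADComputer -SearchBase $OrgUnit -Filter * `
    -Properties ms-Mcs-AdmPwdExpirationTime
$now = (Get-Date).ToUniversalTime()
foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        Write-Warning "$($c.Name): no LAPS expiration time (CSE or GPO not applied?)"
        continue
    }
    # The attribute is stored as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)
    $expires = [DateTime]::FromFileTimeUtc([long]$raw)
    if ($expires -lt $now) {
        Write-Warning "$($c.Name): password expired $expires UTC; check CSE health"
    }
}

# 3. Retrieve one password as a member of the LAPS Readers group would.
#    Get-AdmPwdPassword returns a blank Password when the caller lacks permission.
$result = Get-AdmPwdPassword -ComputerName 'PLACEHOLDER-PC01'   # placeholder name
if ([string]::IsNullOrEmpty($result.Password)) {
    Write-Warning "No password returned: you are not a LAPS reader for this object"
} else {
    "Password for $($result.ComputerName) expires $($result.ExpirationTimestamp)"
}
```

Run the audit periodically from an account in your LAPS Readers group; computers that keep appearing in the warnings are the ones where LAPS is silently not protecting the local administrator account.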
The MI team recognizes that there are more complex business needs that a single LAPS Readers group cannot accommodate. Please contact us by email at email@example.com to request help designing and implementing a more granular permission structure.
LAPS is a Microsoft solution and you can find more at https://technet.microsoft.com/en-us/mt227395.aspx.
Microsoft provides risk analysis related to LAPS here: https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-laps-implementation-hints-and-security-nerd-commentary-including-mini-threat-model/
The Microsoft Infrastructure team analysis of local admin password management problem space is here: https://wiki.cac.washington.edu/x/HFCIB.