What is Local Administrator Password Solution (LAPS)?
The Local Administrator Password Solution, generally abbreviated as LAPS, is a tool developed by Microsoft to manage local administrator passwords on Windows computers. Because local administrator passwords are changed very rarely and are reused across hundreds of computers in an organization, they pose a serious security risk. LAPS was introduced to address this problem.
In LAPS, the passwords are stored in Active Directory and protected using Access Control Lists (ACL). Hence, only eligible users are allowed to read or request the reset of passwords. This eliminates the need for additional computers or third-party software for managing and storing local admin passwords.
How to Install LAPS?
The installation of LAPS can be divided into three major steps:
- Installation of the Group Policy Client Side Extension (GP CSE) via MSI installation
- Active Directory Preparation, which includes schema extension and permission updates
- Group Policy configuration
Installation of LAPS
The Local Administrator Password Solution can be installed by following the steps given below.
- Download the Local Administrator Password Solution (LAPS) installation file from Microsoft. LAPS is composed of three components:
  - The interface, which is a PowerShell module and a Fat client UI
  - AD schema extension and Group Policy extension
  - The client-side component, which performs the password reset and updates
- Log on to the target server which possesses the local administrator rights.
- In the Local Administrator Password Solution Setup Wizard welcome screen, click on Next.
- Select the available components, namely the AdmPwd GPO Extension, Fat client UI, PowerShell module, and the GPO Editor templates, and click on Next.
Extension of Active Directory Schema
The Active Directory schema needs to be extended before the deployment of LAPS, in order to add two new computer attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. The ms-Mcs-AdmPwd attribute stores the local administrator password in clear text. The ms-Mcs-AdmPwdExpirationTime attribute stores the time at which the password expires. To perform this step, the user needs to be a member of the Schema Admins group. To extend the AD schema, run the following commands using the PowerShell module provided by Microsoft.
Import-module AdmPwd.PS
Update-AdmPwdADSchema
The first command imports the AdmPwd.PS module, and the second command extends the Active Directory schema.
Setting the Required Admin Permissions
Access to the administrator password is restricted by the confidential AD attributes mechanism and can be read by domain users holding the "All Extended Rights" privilege. By default, only the Domain Admins group and the local system account have access to the passwords stored in Active Directory. Other users and groups must be denied access to these passwords. The list of users and groups who hold these permissions on the OU "Workstations" can be found using the following PowerShell command.
Find-AdmPwdExtendedRights -Identity "Workstations" | ft
This displays the list of users and groups with access to the passwords. To deny this access for specific users or groups, follow the steps given below.
- Open the ADSIEdit tool. Connect to the Default naming context.
- Locate the required OU (for example, Workstations), right-click on it, and select the Properties option.
- In the Security tab, select Advanced > Add.
- In the Select Principal section, select the security principal to be modified.
- In the Permissions section, uncheck the All Extended Rights checkbox to remove the corresponding permission and click OK.
To grant access to the computers to update their own admin passwords and the extended attributes, use the following command.
Set-AdmPwdComputerSelfPermission -Identity "Workstations"
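The audit and delegation steps above combined into one script, as an added example that is not part of the original article. It assumes the AdmPwd.PS module is installed, follows the article's -Identity parameter naming, and uses "Workstations" and "LAPS-Helpdesk" as placeholder OU and group names.

```powershell
# Added example: audit who can read LAPS passwords on an OU, then delegate
# read/reset rights to a single named group instead of to individual users.
# OU name and group name are placeholders for your environment.
Import-Module AdmPwd.PS

$ou      = "Workstations"   # OU whose computers LAPS manages (placeholder)
$readers = "LAPS-Helpdesk"  # group allowed to read/reset passwords (placeholder)

# 1. List every principal that currently holds "All Extended Rights" on the OU.
#    Anything besides Domain Admins and SYSTEM deserves review, because the
#    extended rights include reading the clear-text ms-Mcs-AdmPwd attribute.
Write-Host "Principals with extended rights on OU '$ou' before delegation:"
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 2. Let the computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -Identity $ou

# 3. Delegate read and reset rights to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $readers

# 4. Re-run the audit so the change is visible and can be recorded.
Write-Host "Principals with extended rights on OU '$ou' after delegation:"
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize
```

Run the script with an account that holds the Schema Admins or Domain Admins rights described above, and keep the before/after output as the change record.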
Configuring LAPS Group Policy Settings
A new Group Policy needs to be created to configure the LAPS client component. This has to be linked to the required OU which contains the computers for which the local admin passwords need to be managed. This can be done using the steps given as follows.
- Open the Group Policy Management Console (GPMC), locate the required organizational unit (OU), and right-click on it.
- Select the Create a GPO in this domain, and Link it here option. Enter an appropriate name for the Group Policy and click OK.
- Right-click on the newly created GPO and select the Edit option.
- Navigate to Computer Configuration > Policies > Administrative Templates > LAPS.
- Configure the following settings according to your requirements.
  - Password Settings: Set this to Enabled. This allows you to set the password complexity, length, and age.
  - Name of administrator account to manage: If there is a specific account to be managed, select Enabled and enter the name of the account. Otherwise, do not configure this setting.
  - Do not allow password expiration time longer than allowed by policy: Set this to Enabled.
  - Enable local admin password management: Set this to Enabled.
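A client-side check that the four settings above actually reached a managed computer, as an added example that is not part of the original article. It reads the policy registry values written by the LAPS administrative template; the expected values (complexity 4, length 14, age 30 days) are placeholders to adjust to your own policy.

```powershell
# Added example: confirm on a managed computer that the LAPS GPO applied.
# The key and value names are those written by the LAPS ADMX template;
# the expected values are placeholders matching a typical policy.
$policyKey = "HKLM:\Software\Policies\Microsoft Services\AdmPwd"
$expected = @{
    AdmPwdEnabled                  = 1   # Enable local admin password management
    PasswordComplexity             = 4   # upper, lower, digits and specials
    PasswordLength                 = 14
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1   # Do not allow expiration longer than policy
}

if (-not (Test-Path $policyKey)) {
    Write-Warning "LAPS policy key missing: GPO not linked or not yet applied. " +
                  "Run 'gpupdate /force' and review 'gpresult /r'."
    return
}

$actual = Get-ItemProperty -Path $policyKey
foreach ($name in $expected.Keys) {
    $value = $actual.$name
    if ($null -eq $value) {
        Write-Warning "$name is not configured by policy"
    } elseif ($value -ne $expected[$name]) {
        Write-Warning "$name = $value (expected $($expected[$name]))"
    } else {
        Write-Output "$name = $value OK"
    }
}

# When a specific account is managed, AdminAccountName holds its name;
# when it is absent, the built-in administrator (RID 500) is managed.
if ($actual.AdminAccountName) {
    Write-Output "Managed account: $($actual.AdminAccountName)"
} else {
    Write-Output "Managed account: built-in Administrator"
}
```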
Installation of LAPS on Domain Computers using Group Policy Object
Once the Group Policy has been configured, the LAPS client needs to be installed on the domain computers. The LAPS client is a tool that runs on each Windows computer to ensure that the local password complies with the policy. This can be done in several ways such as manually, using GPO, via SCCM, logon script, or a third-party software tool.
The configuration of the client using Group Policy can be done using the steps given as follows.
- Place the installation file on a shared network folder that can be accessed by all the users and machines.
- Open the Group Policy Management Console (GPMC) and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
- Right-click on Software Installation and select New > Package.
- Browse to the appropriate shared folder, select the installer, and click Open. Select the appropriate bit version.
- In the Deploy Software window, select the Assigned option and click OK. This ensures that the software is delivered to the machines without intervention by the users.
- The new software installation settings can be seen in the Group Policy settings. Close the GPMC.
Thus the client is installed on the domain computers using Group Policy Objects. This might take a few hours to be delivered to all the machines.
Accessing Local Administrator Passwords using LAPS
In order to access the administrator passwords, the LAPS GUI needs to be installed on the administrator computers. Open the GUI and specify the computer name. The local administrator password and its expiration date are displayed. The expiration time can also be set by the user. The following PowerShell command can also be used to query the password for a single computer or multiple computers.
Get-AdmPwdPassword -ComputerName "AZ-0183-3116-95"
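An operational check built on the same cmdlet, as an added example that is not part of the original article: it reviews several computers, flags entries whose password is missing or expired, and expires one password after a support session so the client rotates it. The computer names are constructed placeholders and the AdmPwd.PS module is assumed to be installed.

```powershell
# Added example: review LAPS state for a list of computers without printing
# the passwords themselves, then force a rotation for one of them.
Import-Module AdmPwd.PS

$computers = @("AZ-0183-3116-95", "WS-FINANCE-01", "WS-HR-07")  # constructed
$now = Get-Date

foreach ($name in $computers) {
    # Get-AdmPwdPassword returns ComputerName, DistinguishedName, Password and
    # ExpirationTimestamp; Password is only visible to delegated readers.
    $entry = Get-AdmPwdPassword -ComputerName $name -ErrorAction SilentlyContinue
    if (-not $entry) {
        Write-Warning "$name : no LAPS entry (not in a managed OU, or no read permission)"
        continue
    }
    if (-not $entry.Password) {
        # Empty attribute: the client has not run yet, or the computer lacks
        # self-write permission on ms-Mcs-AdmPwd (see Set-AdmPwdComputerSelfPermission).
        Write-Warning "$name : password attribute is empty; check client install and GPO"
        continue
    }
    if ($entry.ExpirationTimestamp -lt $now) {
        # Expired but not rotated: the machine is offline or the GPO is not applied.
        Write-Warning "$name : password expired on $($entry.ExpirationTimestamp)"
    }
    # Log metadata only; never write the clear-text password to a log.
    "{0,-20} expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
}

# After a support session, expire the password immediately so the client
# generates a new one at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName "AZ-0183-3116-95" -WhenEffective $now
```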
Limitations of Using LAPS
Though LAPS is used to overcome the difficulties faced while using Group Policy Preferences (GPP) to change passwords on domain computers, it has the following limitations.
- The Active Directory schema needs to be updated in order to use LAPS. While this is possible for some organizations, it is challenging for other organizations to update or change the schema.
- Only the local administrator accounts on domain-joined computers can be managed by LAPS.
- The passwords are stored in clear text and hence pose the risk of being exposed when access to them is not delegated properly.