LAPS - Manage Local Administrator Passwords on Domain Computers

What is Local Administrator Password Solution (LAPS)?

The Local Administrator Password Solution, generally abbreviated as LAPS, is a tool developed by Microsoft to manage local administrator passwords on Windows computers. Since the local administrator passwords are changed very rarely and reused across hundreds of computers in an organization, there is a massive threat to the security of the organization. In order to overcome this difficulty, LAPS was introduced.

In LAPS, the passwords are stored in Active Directory and protected using Access Control Lists (ACL). Hence, only eligible users are allowed to read or request the reset of passwords. This eliminates the need for additional computers or third-party software for managing and storing local admin passwords.

How to Install LAPS?

The installation of LAPS can be divided into three major steps:
  1. Installation of the Group Policy Client Side Extension (GP CSE) via MSI installation
  2. Active Directory Preparation, which includes schema extension and permission updates
  3. Group Policy configuration

Installation of LAPS

The Local Administrator Password Solution can be installed by following the steps given below.
  1. Download the Local Administrator Password Solution (LAPS) installation file from Microsoft. LAPS is composed of three components:
     • The interface, which is a PowerShell module and a fat client UI
     • The AD schema extension and Group Policy extension
     • The client-side component, which performs the password reset and updates
  2. Log on to the target server with an account that holds local administrator rights.
  3. In the Local Administrator Password Solution Setup Wizard welcome screen, click Next.
  4. Select the required components, namely the AdmPwd GPO Extension, Fat client UI, PowerShell module, and the GPO Editor templates, and click Next.

Extension of Active Directory Schema

The Active Directory schema needs to be extended before LAPS is deployed, in order to add two new computer attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. The ms-Mcs-AdmPwd attribute stores the local administrator password in clear text. The ms-Mcs-AdmPwdExpirationTime attribute stores the time at which the password expires. To do this, the user needs to be a member of the Schema Admins group. To extend the AD schema, run the following commands using the PowerShell module provided by Microsoft.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

The first command imports the AdmPwd.PS module, and the second extends the Active Directory schema.

Setting the Required Admin Permissions

Access to the administrator password is restricted by the confidential AD attribute mechanism: it can be read only by domain users who hold the "All Extended Rights" permission on the computer object. By default, only the Domain Admins group and the local system account have access to the passwords stored in Active Directory. Other users and groups must be denied access to these passwords. The users and groups who hold these permissions on the OU "Workstations" can be listed using the following PowerShell command.

Find-AdmPwdExtendedRights -Identity "Workstations" | ft

This displays the list of users and groups with access to the passwords. To deny this access for specific users or groups, follow the steps given below.
  1. Open the ADSIEdit tool. Connect to the Default naming context.
  2. Locate the required OU (for example, Workstations), right-click on it, and select the Properties option.
  3. In the Security tab, select Advanced > Add.
  4. In the Select Principal section, select the security principal to be modified.
  5. In the Permissions section, uncheck the All Extended Rights checkbox to remove the corresponding permission and click OK.

To grant the computers permission to update their own admin passwords and expiration-time attributes, use the following command.

Set-AdmPwdComputerSelfPermission -Identity "Workstations"
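The following script, added here as an example and not taken from the original article, puts the permission steps above together: it grants the computers in the OU self-permission, delegates read and reset rights to groups instead of individual users, turns on auditing of password reads, and then reviews the output of Find-AdmPwdExtendedRights for principals that should not be there. The OU name "Workstations" is the one used in the article; the group names LAPS-PasswordReaders and LAPS-PasswordResetters are placeholders and must exist in your domain before running it.

```powershell
# Added example, not part of the original article. Audit and delegate LAPS
# permissions on the "Workstations" OU with Microsoft's AdmPwd.PS module.
# Assumptions: the two group names below are placeholders for groups you
# have already created in your domain.
Import-Module AdmPwd.PS

$ou        = 'Workstations'
$readers   = 'LAPS-PasswordReaders'     # placeholder group
$resetters = 'LAPS-PasswordResetters'   # placeholder group

# 1. Let the computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -Identity $ou

# 2. Delegate read and reset rights to dedicated groups rather than to
#    individual users, so that access can be reviewed and revoked in one place.
Set-AdmPwdReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $resetters

# 3. Audit reads of the password attribute (logged as event 4662 on the
#    domain controller), so every retrieval of a clear-text password leaves a trace.
Set-AdmPwdAuditing -Identity $ou -AuditedPrincipals 'Everyone'

# 4. Review who ends up with All Extended Rights on the OU. Anything beyond the
#    built-in administrators and the delegated groups is a finding to follow up.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', $readers, $resetters)

Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers:$false |
    ForEach-Object {
        foreach ($principal in $_.ExtendedRightHolders) {
            # Holders are reported as DOMAIN\Name; compare on the name part only.
            $name = ($principal -split '\\')[-1]
            [pscustomobject]@{
                ObjectDN  = $_.ObjectDN
                Principal = $principal
                Expected  = ($expected -contains $name)
            }
        }
    } | Sort-Object Expected | Format-Table -AutoSize
```

Rows with Expected set to False are the principals that inherited All Extended Rights on the OU and should be removed with the ADSIEdit steps above; re-run the script after each change until the list contains only the intended groups.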

Configuring LAPS Group Policy Settings

A new Group Policy needs to be created to configure the LAPS client component. This has to be linked to the required OU which contains the computers for which the local admin passwords need to be managed. This can be done using the steps given as follows.
  1. Open the Group Policy Management Console (GPMC), locate the required organizational unit (OU), and right-click on it.
  2. Select the Create a GPO in this domain, and Link it here option. Enter an appropriate name for the Group Policy and click OK.
  3. Right-click on the newly created GPO and select the Edit option.
  4. Navigate to Computer Configuration > Policies > Administrative Templates > LAPS.
  5. Configure the following settings according to your requirements:
     • Password Settings – Set this to Enabled. This allows you to set the password complexity, length, and age.
     • Name of administrator account to manage – If there is a specific account to be managed, select Enabled and enter the name of the account. Otherwise, do not configure this setting.
     • Do not allow password expiration time longer than allowed by policy – Set this to Enabled.
     • Enable local admin password management – Set this to Enabled.
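To confirm that the policy above actually reached a client, and that the values chosen are not weaker than the LAPS defaults, the following function can be run on a domain computer. It is an added example, not part of the original article. It assumes that the LAPS ADMX template writes its settings to HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd under the value names used below, and that a value absent from the key means the corresponding policy is Not Configured and the LAPS default applies.

```powershell
# Added example, not part of the original article. Reads the LAPS policy
# values written by the GPO on a client and flags settings that are weaker
# than the LAPS defaults (length 14, age 30 days, full complexity).
# Assumption: the registry path and value names below are those written by
# the LAPS ADMX template; a missing value means "Not Configured" (default applies).
function Test-LapsPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{
            Applied  = $false
            Findings = @('No LAPS policy key present: the GPO has not applied to this computer')
        }
    }

    $p = Get-ItemProperty -Path $key
    $findings = @()

    # "Enable local admin password management" must be Enabled or nothing is managed.
    if ($p.AdmPwdEnabled -ne 1) { $findings += 'Local admin password management is not enabled' }

    # Password Settings: fall back to the LAPS defaults when the policy is Not Configured.
    $length     = if ($null -ne $p.PasswordLength)     { [int]$p.PasswordLength }     else { 14 }
    $ageDays    = if ($null -ne $p.PasswordAgeDays)    { [int]$p.PasswordAgeDays }    else { 30 }
    $complexity = if ($null -ne $p.PasswordComplexity) { [int]$p.PasswordComplexity } else { 4 }

    if ($length -lt 14)   { $findings += "Password length $length is below the default of 14" }
    if ($ageDays -gt 30)  { $findings += "Password age $ageDays days exceeds the default of 30" }
    if ($complexity -lt 4) { $findings += "Complexity level $complexity excludes some character classes (4 = all)" }

    # "Do not allow password expiration time longer than allowed by policy".
    if ($p.PwdExpirationProtectionEnabled -ne 1) { $findings += 'Expiration-time protection is disabled' }

    [pscustomobject]@{
        Applied        = $true
        ManagedAccount = if ($p.AdminAccountName) { $p.AdminAccountName } else { 'built-in Administrator' }
        PasswordLength = $length
        PasswordAge    = $ageDays
        Complexity     = $complexity
        Findings       = $findings
    }
}

Test-LapsPolicy | Format-List
```

An empty Findings list means the client received the policy with settings at least as strong as the defaults; the function only inspects what the GPO wrote, so run it after a gpupdate on the client rather than immediately after linking the GPO.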

Installation of LAPS on Domain Computers using Group Policy Object

Once the Group Policy has been configured, the LAPS client needs to be installed on the domain computers. The LAPS client is a tool that runs on each Windows computer to ensure that the local password complies with the policy. This can be done in several ways such as manually, using GPO, via SCCM, logon script, or a third-party software tool.

The configuration of the client using Group Policy can be done using the steps given as follows.
  1. Place the installation file on a shared network folder that can be accessed by all the users and machines.
  2. Open the Group Policy Management Console (GPMC) and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
  3. Right-click on Software Installation and select New > Package.
  4. Browse to the shared folder, select the installer for the appropriate bit version, and click Open.
  5. In the Deploy Software window, select the Assigned option and click OK. This ensures that the software is delivered to the machines without intervention by the users.
  6. The new software installation settings can be seen in the Group Policy settings. Close the GPMC.
Thus the client is installed on the domain computers using Group Policy Objects. This might take a few hours to be delivered to all the machines.

Accessing Local Administrator Passwords using LAPS

In order to access the administrator passwords, the LAPS GUI needs to be installed on the administrator computers. Open the GUI and specify the computer name. The local administrator password and its expiration date are displayed. The expiration time can also be set by the user. The following PowerShell command can also be used to query the password for a single computer or multiple computers.

Get-AdmPwdPassword -ComputerName "AZ-0183-3116-95"
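Once the client has been deployed and passwords are being read, two checks are worth automating: which computers in the OU have never had a password written by the client (the GPO or the CSE did not reach them), and rotating a password after it has been retrieved. The script below is an added example, not part of the original article; it uses the ActiveDirectory and AdmPwd.PS modules, and the OU distinguished name is a placeholder for your domain. The computer name is the one used in the article.

```powershell
# Added example, not part of the original article. Reports LAPS coverage for
# every computer in an OU and rotates a password after it has been retrieved.
# Assumptions: the ActiveDirectory and AdmPwd.PS modules are installed, and
# the OU distinguished name below is a placeholder to replace with your own.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsCoverage {
    param([string]$SearchBase = 'OU=Workstations,DC=example,DC=com')   # placeholder DN

    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            # The expiration attribute is a Windows FILETIME stored as a large integer.
            $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            [pscustomobject]@{
                ComputerName = $_.Name
                LapsApplied  = [bool]$raw
                ExpiresUtc   = $expires
                Expired      = ($null -ne $expires -and $expires -lt [DateTime]::UtcNow)
            }
        }
}

# Computers with no expiration time have never had the client write a password:
# the CSE is not installed, the GPO did not apply, or self-permission is missing.
# Computers past their expiration time are not being refreshed any more.
$coverage = Get-LapsCoverage
$coverage | Where-Object { -not $_.LapsApplied -or $_.Expired } | Format-Table -AutoSize

# Retrieve a password only when needed, then schedule an immediate rotation so
# the value that was read out does not remain valid. Reset-AdmPwdPassword only
# sets the expiration time; the client changes the password at its next
# Group Policy refresh.
$computer = 'AZ-0183-3116-95'
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)
```

Get-LapsCoverage can be scheduled and its output compared between runs: a computer that drops from LapsApplied to not applied, or that stays Expired across several refresh cycles, is a machine whose local administrator password is no longer under management.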

Limitations of Using LAPS

Though LAPS is used to overcome the difficulties faced while using Group Policy Preferences (GPP) to change passwords on domain computers, it has the following limitations.
  1. The Active Directory schema needs to be updated in order to use LAPS. While this is possible for some organizations, it is challenging for other organizations to update or change the schema.
  2. Only the local administrator accounts on domain-joined computers can be managed by LAPS.
  3. The passwords are stored in clear text and hence pose the risk of being exposed when access to them is not delegated properly.