Centrally Manage Local Administrator Password


As any seasoned administrator can tell you, one of the trickiest tasks in our job is managing the Local Administrator Password on the various machines deployed in the domain.

In my career I’ve seen multiple solutions implemented: scripts, third-party tools and even in-house developed solutions, and in the past I’ve written my fair share of scripts to take care of this. Microsoft then released Group Policy Preferences, which filled this gap, at least partially, until MS14-025 was released and effectively removed the ability to use GPO Preferences to manage the Local Administrator Password.

Luckily, a couple of days ago Microsoft released a supported and secure solution named Local Administrator Password Solution (LAPS), which makes managing the Local Administrator Password easy and fast to deploy.

Local Administrator Password via LAPS

Local Administrator Password Solution (LAPS) is a Group Policy Client Side Extension (GPCSE) that can be downloaded from here. Once installed it manages the Local Administrator Password on domain joined computers and ensures that each password is randomized and unique per computer. The great benefit of this solution is that it is compatible back to Windows 2003 and does not require any third-party software installation or management.

Once you’ve downloaded LAPS just launch it to start the installation. For illustration purposes I’ve selected all components in my lab, but the only required component on managed clients is the one highlighted in yellow:

LAPS Installation

To deploy LAPS to the computers whose Local Administrator Password needs to be managed you can either deploy the MSI file or simply register the AdmPwd.dll file. You can read my article about how to deploy LAPS via ConfigMgr here; below is a reference for the MSI deployment:

# Full MSI file installation (silent); use the matching x86 package on 32-bit clients
msiexec /i \\server\share\LAPS.x64.msi /quiet

# DLL only registration (CSE only, no management tools)
regsvr32.exe AdmPwd.dll

The final step to implement LAPS for Local Administrator Password management is to extend the AD schema with the two additional attributes ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime. To do so, import the LAPS PowerShell module and launch the commands below:

# Run in an administrative PowerShell as a member of Schema Admins
Import-Module AdmPwd.PS

# Extend the schema (adds ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime to the computer class)
Update-AdmPwdADSchema

LAPS Modify Schema

Once the schema has been extended the LAPS GPO can be configured; its settings can be found under Computer Settings/Administrative Templates/LAPS:

LAPS GPO

While most settings are self-explanatory, it is important to note that Name of Administrator account to manage does not need to be configured if you intend to manage only the built-in Administrator account, as it is automatically recognized via its well-known SID. The last step before the client is able to pick up the necessary changes for LAPS to work is adding machine rights, which can easily be done (and scripted) with the following PowerShell command:

# Add LAPS machine rights (each computer may write its own password and expiration attributes);
# repeat for any additional OU. The OU below is a placeholder, replace it with your own.
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=contoso,DC=com"

LAPS Machine Permissions
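Since the text says the rights assignment can be scripted, here is an added example (not from the original post) that delegates the complete set of LAPS permissions per OU with the AdmPwd.PS cmdlets: the computer self-permission above, read and reset permissions for two delegated groups, and an audit of who already holds "All extended rights" on the OU, since such holders can read the password attribute regardless of the explicit grants. The OU distinguished names and group names are placeholders.

```powershell
# Added example: delegate LAPS permissions per OU (placeholders for OU DNs and groups)
Import-Module AdmPwd.PS

$OUs = @(
    "OU=Workstations,DC=contoso,DC=com",   # placeholder OU
    "OU=Servers,DC=contoso,DC=com"         # placeholder OU
)
$ReadGroup  = "CONTOSO\LAPS-Password-Readers"    # placeholder group allowed to read the password
$ResetGroup = "CONTOSO\LAPS-Password-Resetters"  # placeholder group allowed to force a reset

foreach ($ou in $OUs) {
    # 1. Let each computer in the OU write its own ms-MCS-AdmPwd / ms-MCS-AdmPwdExpirationTime
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 2. Grant read access to the password attribute
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $ReadGroup

    # 3. Grant write access to the expiration attribute (the CSE then rotates the password
    #    at the next Group Policy refresh)
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $ResetGroup

    # 4. Audit: list every principal holding "All extended rights" on objects under the OU.
    #    Review this list and remove the right from groups that should not see the password.
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            [PSCustomObject]@{ OU = $_.ObjectDN; Holder = $holder }
        }
    }
}
```

Run the audit in step 4 before and after delegation: the principals it returns are the ones that can read ms-MCS-AdmPwd for that OU, which is the list you want to keep as short as possible.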

Once all components have been configured and policies have been refreshed on the client computer, you can see the password among the computer’s attributes:

LAPS Password Expiration

As you can see the password is stored in clear text; who can see or manage it can be configured, and it can also be managed and displayed via either PowerShell or what is called the Fat GUI:

# Display the Local Administrator Password and its expiration for one computer
# (the computer name is a placeholder)
Get-AdmPwdPassword -ComputerName "WS-LAB01"

LAPS Expiration

LAPS Gui
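As an added example (not from the original post) of the PowerShell management path described above, the script below reads a computer's password, forces a rotation at the next policy refresh, and then audits an OU for computers whose LAPS password is missing or past its expiration, which is the quickest way to spot clients where the CSE is not installed or the GPO is not applying. The computer name and OU are placeholders; the expiration attribute is stored as a Windows FILETIME large integer, so it is converted with [DateTime]::FromFileTime.

```powershell
# Added example: read, rotate and audit LAPS passwords (placeholder computer name and OU)
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Computer = "WS-LAB01"  # placeholder computer name

# Read the current password and expiration (requires read permission on ms-MCS-AdmPwd)
$entry = Get-AdmPwdPassword -ComputerName $Computer
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp

# Force a new password at the next Group Policy refresh (requires reset permission);
# this only writes ms-MCS-AdmPwdExpirationTime, the client itself generates the new password
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)

# Health check: computers in the OU with no LAPS attribute or an expired password
$SearchBase = "OU=Workstations,DC=contoso,DC=com"  # placeholder OU
Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
        [PSCustomObject]@{
            Name    = $_.Name
            Expires = $expires
            Status  = if (-not $raw) { 'NotManaged' }
                      elseif ($expires -lt (Get-Date)) { 'Expired' }
                      else { 'OK' }
        }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Name
```

Note that the health check only needs read access to the expiration attribute, not to the password itself, so it can run under an account that is not in the password readers group.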

LAPS has many other functions that make it a cost-effective and easy to manage solution for local account passwords, both for the built-in Administrator and for other user-defined accounts.
