As any seasoned administrator can tell you, one of the trickiest tasks in our job is managing the Local Administrator password of the various machines deployed in the domain.
In my career I've seen multiple solutions implemented: scripts, third-party tools or even in-house developed solutions. In the past I've developed my good share of scripts to take care of this, until Microsoft released Group Policy Preferences, which filled this gap, even if partially, until MS14-025 was released, effectively disabling the ability to use GPO Preferences to manage the Local Administrator password.
Luckily enough, a couple of days ago Microsoft released a supported and secure solution named Local Administrator Password Solution (LAPS), which makes managing the Local Administrator password easy and fast to deploy.
Local Administrator Password via LAPS
Local Administrator Password Solution (LAPS) is a Group Policy Client Side Extension (GPCSE) that can be downloaded from here. Once installed, it manages the Local Administrator password on domain-joined computers and ensures that each password is unique per computer, randomized and different for every machine. The great benefit of this solution is that it is compatible back to Windows 2003 and does not require any third-party software installation or management.
Once you've downloaded LAPS, just launch it to start the installation. For illustration purposes I've selected all components in my lab, but the only required component is the one highlighted in yellow:
To deploy LAPS to the computers whose Local Administrator password needs to be managed, you can either deploy the MSI file or simply register the AdmPwd.dll file. You can read my article about how to deploy LAPS via ConfigMgr here, and below you can see a reference for the MSI deployment:
# Full MSI file installation
msiexec /i \\server\share\LAPS.x64.msi /quiet

# DLL-only registration
regsvr32.exe AdmPwd.dll
The final step to implement LAPS for Local Administrator password management is to extend the AD schema with the two additional attributes ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime. To do so, import the LAPS PowerShell module and launch the commands below:
# Run in an administrative PowerShell
Import-Module AdmPwd.PS

# Extend the schema
Update-AdmPwdADSchema
Once the schema has been extended, the LAPS GPO can be configured; its settings can be found under Computer Settings/Administrative Templates/LAPS:
While most settings are self-explanatory, it is important to note that the Name of Administrator account to manage setting does not need to be configured if you intend only to manage the built-in Administrator account, as it is automatically recognized via its well-known SID. The last step before the client is able to pick up the changes necessary for LAPS to work is adding the machine rights, which can easily be done (and scripted) with the following PowerShell command:
# Add LAPS machine rights; repeat for any additional OU
Set-AdmPwdComputerSelfPermission -OrgUnit
Once all components have been configured and policies have been refreshed on the client computer, you can see the password among the Computer's attributes:
As you can see, the password is stored in clear text. Who can see or manage it can be configured, and it can also be managed/displayed via either PowerShell or what is called the Fat GUI:
# Display Local Administrator password settings
Get-AdmPwdPassword -ComputerName
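Since the password sits in clear text in ms-Mcs-AdmPwd, the machine-rights step and the read delegation are worth tying together with a check of who can actually read the attribute. The following script is an added example, not code from the original post or from the LAPS package; it assumes an OU named "Workstations", a delegated group "LAPS-Readers" and a computer "LAB-PC01", and requires the AdmPwd.PS module plus the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post): delegate and verify LAPS for one OU.
# Assumed names: OU "Workstations", group "LAPS-Readers", computer "LAB-PC01".
param(
    [string]$OrgUnit   = 'Workstations',
    [string]$ReadGroup = 'LAPS-Readers',
    [string]$Computer  = 'LAB-PC01'
)
Import-Module AdmPwd.PS
Import-Module ActiveDirectory   # RSAT; needed for the schema check below

# 1. Confirm the schema extension landed: both LAPS attributes must exist.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)"
    if (-not $found) { throw "Schema attribute $attr missing; run Update-AdmPwdADSchema first." }
}

# 2. Let computers in the OU write their own password and expiration attributes,
#    and allow only the designated group to read the clear-text password.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit | Out-Null
Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ReadGroup | Out-Null

# 3. Audit: any principal holding "All Extended Rights" on the OU can read
#    ms-Mcs-AdmPwd regardless of step 2. Review the list and remove anything unexpected.
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 4. Verify the client applied the policy: a populated password with a future
#    expiration timestamp means the client-side extension ran and is rotating.
$pw = Get-AdmPwdPassword -ComputerName $Computer
if ([string]::IsNullOrEmpty($pw.Password)) {
    Write-Warning "$Computer has no LAPS password yet; check that the GPO applied."
} elseif ($pw.ExpirationTimestamp -lt (Get-Date)) {
    Write-Warning "$Computer password expired on $($pw.ExpirationTimestamp); rotation is not happening."
} else {
    "{0}: password set, expires {1}" -f $pw.ComputerName, $pw.ExpirationTimestamp
}
```

Run it once per OU after the GPO has been linked; step 3 is the part to re-run periodically, since new delegations on the OU silently widen who can read the password.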
LAPS has many other functions that make it a cost-effective and easy-to-manage solution for local user passwords, both for the Administrator account and for other user-defined accounts.