Configuring LAPS (Part 2)- Configuring and Deploying Group Policy

This post is the second part of a two-part series on configuring and deploying the Microsoft Local Administrator Password Solution (LAPS). The first post covered the steps needed to configure Active Directory to support LAPS. That post can be found here. This post covers the steps needed to enable the LAPS functionality on devices.

(Required) Deploy the LAPS Group Policy Client-Side Extension

LAPS is enabled and configured on devices using Group Policy. However, devices do not natively know about the LAPS settings. To have the Group Policy apply correctly, a Group Policy Client-Side Extension (CSE) needs to first be deployed to devices. There are many ways to get the CSE installed on devices. This example will cover how to deploy the CSE using Microsoft Configuration Manager.

Create an Application to Deploy LAPS

  1. Download the LAPS Installer (This example will cover creating an application to deploy the 64-bit LAPS Install)
    1. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
  2. Copy the msi to the network share that acts as the Configuration Manager source directory
  3. Open the Configuration Manager Admin Console and navigate to Software Library > Application Management > Applications
  4. Right click on Applications and select Create Application
  5. On the Create Application Wizard window, click the Browse button to select the MSI file that was just copied to the network and then click Next
  6. On the Import Information screen, click Next
  7. On the General Information screen
    1. Optionally, change the name of the application
    2. Verify the installation program command line looks like this
      1. Msiexec /I "LAPSx64.msi" /qn /norestart
    3. In the Install Behavior drop down menu, ensure Install for System is selected
  8. On the Summary screen, click Next
  9. On the Completion screen, click Close

Distribute the LAPS Application to Distribution Point(s)

  1. In the Configuration Manager Admin Console, navigate to Software Library > Application Management > Applications
  2. Right click on the LAPS application that was created in the previous section and select Distribute Content
  3. On the Distribute Content Wizard window, click Next
  4. On the Content screen, click Next
  5. On the Content Distribution screen, click the Add button, then select either a distribution point or a distribution point group to distribute the content to, then click Next
  6. On the Summary screen, click Next
  7. On the Completion screen, click Close

Deploy the LAPS Application

  1. In the Configuration Manager Admin Console, navigate to Software Library > Application Management > Applications
  2. Right click on the LAPS application that was created in the previous section and select Deploy
  3. On the Deploy Software Wizard window, use the Browse button to select a collection of devices to deploy this application to, then click Next
  4. On the Content screen, click Next
  5. On the Deployment Settings screen, choose whether you want the application to be Available (optional to install through the Software Center) or Required (automatically installed), then click Next
  6. On the Scheduling screen, select when the application will be installed on devices, then click Next
  7. On the User Experience screen, select how the application should appear in the Software Center and whether or not the application should respect any existing maintenance windows, then click Next
  8. On the Alerts screen, optionally configure deployment alerting, then click Next
  9. On the Summary screen, click Next
  10. On the Completion screen, click Close

(Required) Configure Group Policy to Deploy LAPS Settings

Group Policy is used to configure LAPS settings and to enable the LAPS functionality on targeted devices. The LAPS settings can be added to an existing group policy object; however, in this example a new group policy object will be created to deploy the settings.

Install the LAPS Group Policy Administrative Template

Group policy does not natively know about the LAPS settings. The settings need to be pulled from an administrative template.

  1. Log onto the computer where the LAPS management utilities were installed
    1. If the management utilities need to be re-installed, see the first section of the first part of this series for instructions on doing so (LINK)
  2. Open a file explorer window and navigate to C:\Windows\PolicyDefinitions
  3. Copy the AdmPwd.admx file found in the root of the directory and the AdmPwd.adml file found in the en-US subdirectory
  4. Paste the files into the corresponding locations in the group policy central store (AdmPwd.admx in the root, AdmPwd.adml in the en-US subdirectory)
    1. The group policy central store is located at \\domain.fqdn\SYSVOL\domain.fqdn\Policies\PolicyDefinitions
    2. If no group policy central store exists, see this TechNet page for instructions on creating one – https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra

Create a Group Policy Object to Deploy LAPS Settings

  1. Open the Group Policy Management Console with an account that has rights to create and deploy group policy objects in the domain
  2. Right click on the Group Policy Objects folder and select New
  3. Name the policy and click OK (In this example the policy is named LAPS)
  4. Right click on the newly created policy and select Edit
  5. In the Group Policy Management Editor window, expand Computer Configuration > Policies > Administrative Templates > LAPS
  6. There are four settings available:
    1. Enable local admin password management – This setting is required for LAPS to work. This setting tells the device to randomize its local administrator password
    2. Password Settings – This setting is required for LAPS to work. This setting tells the device what complexity requirements the random password should adhere to. It also tells the device how long the password should be and how often the password should change.
    3. Do not allow password expiration time longer than required by policy – This setting is optional but recommended. If this setting is not set, the password expiration time on a device could manually be set to be longer than the expiration period specified in the Password Settings setting.
    4. Name of administrator account to manage – This setting is optional. By default, LAPS will manage the password of the built-in local administrator account. If this setting is enabled, an account other than the built-in administrator account can be managed.
  7. Once the settings have been configured, close the group policy management editor window
  8. In the group policy management console, right click on the OU that the policy will be applied to and select Link an Existing GPO
  9. Select the group policy object that was just created and click OK
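The same GPO can be built and linked from PowerShell instead of the GUI. The following is an added example, not code from the original post: it uses the GroupPolicy module and writes the registry values that the AdmPwd.admx template defines behind the four settings above. The OU distinguished name, the password length and age, and the custom account name are placeholders.

```powershell
# Added example (not from the original post): creates the LAPS GPO with the GroupPolicy
# module. Assumes AdmPwd.admx/adml are already in the central store (previous section).
Import-Module GroupPolicy

$GpoName  = 'LAPS'
$TargetOu = 'OU=Workstations,DC=domain,DC=fqdn'   # placeholder: replace with your OU
# Registry key behind Computer Configuration > Administrative Templates > LAPS (AdmPwd.admx)
$LapsKey  = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Local Administrator Password Solution' }

# 1. Enable local admin password management (required)
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'AdmPwdEnabled' -Type DWord -Value 1

# 2. Password Settings (required): complexity 4 = upper, lower, digits and specials;
#    length in characters; age in days before the CSE rotates the password (placeholder values)
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordLength'     -Type DWord -Value 14
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30

# 3. Do not allow password expiration time longer than required by policy (recommended)
Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1

# 4. Name of administrator account to manage: left unset so the built-in Administrator
#    account is managed; uncomment to manage a custom local admin account instead
# Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName 'AdminAccountName' -Type String -Value 'LocalAdmin'

# Steps 8 and 9 of the post: link the GPO to the OU if it is not already linked
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show the resulting values so they can be checked against the four settings above
Get-GPRegistryValue -Name $GpoName -Key $LapsKey | Select-Object ValueName, Type, Value
```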

Looking up and Resetting Passwords

Now that AD has been configured, the Group Policy Client-Side Extension has been deployed, and the Group Policy Object has been created, LAPS should be functioning on devices. There are two ways to look up passwords for devices, from the properties of the computer object in Active Directory or using the LAPS GUI utility.

Password Lookup in AD

  1. Open the Active Directory Users and Computers console
  2. Navigate to a computer object that has a random password set by LAPS
  3. Right click on the computer object and select Properties
  4. Select the Attribute Editor tab
  5. Find the ms-Mcs-AdmPwd attribute

Password Lookup Using the LAPS GUI Utility

  1. Download the LAPS Installer
    1. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
  2. Run the installer, and at the Custom Setup screen, ensure the Fat Client UI option is selected (This will install the LAPS GUI utility)
  3. Once the install has completed, open the Start menu and select the LAPS UI application
  4. In the window that appears, type the computer name of a device that has a random password set by LAPS, then click Search
  5. The password for a given device can be reset by manually entering a new time in the New expiration time box and then clicking the Set button

Password Reset Using PowerShell

LAPS passwords can also be reset using a PowerShell cmdlet from the AdmPwd.PS module that ships with the LAPS management utilities. Here is an example of what a password reset command would look like:

Reset-AdmPwdPassword -ComputerName NameOfComputer -WhenEffective "11.30.2017 17:00"
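The following added example (not code from the original post) ties the lookup and reset sections together: it checks which computers in an OU have not yet received a LAPS-managed password, reads one entry the same way the LAPS UI does, and schedules an immediate reset. It assumes the AdmPwd.PS, ActiveDirectory and GroupPolicy modules are installed, that the account running it was granted read and reset rights in Part 1, and that the OU and computer name are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $SearchBase and $Computer.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SearchBase = 'OU=Workstations,DC=domain,DC=fqdn'   # placeholder: OU the LAPS GPO is linked to
$Computer   = 'NameOfComputer'                       # placeholder computer name

# 1. Deployment check: a computer whose ms-Mcs-AdmPwdExpirationTime is still empty has not
#    applied the GPO or is missing the CSE, so its local administrator password is unmanaged.
$all       = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime'
$unmanaged = $all | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' }
"{0} of {1} computers have no LAPS expiration time set" -f $unmanaged.Count, $all.Count
$unmanaged | Select-Object -ExpandProperty Name

# 2. Lookup: the same data the Attribute Editor and the LAPS UI show. ExpirationTimestamp is
#    the attribute's raw 64-bit FILETIME already converted to a DateTime by the cmdlet.
#    $entry.Password holds the cleartext; it is intentionally not echoed here.
$entry = Get-AdmPwdPassword -ComputerName $Computer
"Password for {0} expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp

# 3. Reset: the CSE rotates the password at its next Group Policy refresh after the expiration
#    time passes, so set the time to now and trigger a refresh on the device.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)
Invoke-GPUpdate -Computer $Computer -Target Computer -Force
```

After the refresh, re-run Get-AdmPwdPassword: a new value and a new ExpirationTimestamp confirm that the CSE on the device applied the reset.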

Previous blog posts:
– Part 1: Configuring LAPS- Configuring Active Directory
– Email notification for security changes in ConfigMgr