Set Up Clients for Microsoft Local Administrator Password Solution

There are two major components to LAPS:

• Modifies the forest’s schema to include two new fields to store the password generated on the client.
• It is a Group Policy extension that runs on the client to report the new password back to Active Directory.

Implementing LAPS

To implement Microsoft’s Local Administrator Password Solution, you must first download it.

• Install the LAPS.msi corresponding with the architecture of the Operating System you’re using to extend the schema and manage the solution. These packages include:
• The Local Administrator Password Solution Group Policy Client Side Extensions
• The Local Administrator Password Solution Management Tools
• Fat Client User Interface (UI)
• PowerShell Module
• Group Policy Editor templates

Configuring Group Policy:

• If you’re using a management station, you’ll need to run one of the LAPS installers (either x86 or x64) and make sure that the GPO Editor templates are selected as part of the install.
• After, open the Group Policy Management Console (GPMC) and either edits an existing Group Policy Object (GPO) for your computers and then right-click to edit it.
• In the GPO, go to Computer Configuration > Policies > Administrative Templates > LAPS.
• Then, you’ll want to enable password management with LAPS first by setting the “Enable local admin password management” policy to Enabled.
• After that, you’ll want to enable the password settings and configure your password
• Now LAPS can detect the local Administrator account using its well-known SID even if you’ve renamed the Administrator account on any of your systems.
• If you’ve created a secondary local Administrator account and you want LAPS to manage its password, you can set the username of that account using the “Name of administrator account to manage” policy.

Installing the client:

Microsoft LAPS client comes in both x86 and x64 flavors on the Microsoft Download Center. The MSI file defaults to installing just the Group Policy bits without any additional options.

Only LAPS supports Windows Vista and up for client systems and Windows Server 2003 SP1 on server systems. Support for Windows XP is not included if you still have that floating around in your environment.

Viewing passwords with the GUI:

• In ADUC, click View and then confirm that Advanced Features has a check by it. If it doesn’t, clicking it will enable the Advanced Features.
• Then, search the computer, double-click it, and then click the Attribute Editor
• If the Attribute Editor tab is missing, either you haven’t enabled the Advanced Features.
• Scroll down until you find the ms-Mcs-AdmPwd attribute to view the password.
• Now the “Fat client UI” will be installed on your management station and the actual installed application is called LAPS UI and can be found on the Start screen.
• Enter the full name of the computer and then clicking the Search button will display the current Administrator password.

Viewing passwords with PowerShell:

• Load the AdmPwd.PS module and then use the Get-AdmPwdPassword
• If you need to force the password to change, you can use the Reset-AdmPwdPassword cmdlet to force an immediate change to the password.