A common scenario, in organizations of all sizes, is all workstations sharing a common local
administrator account password. The help desk uses this local administrator password when
needing to do something on a computer that requires administrative rights. Occasionally this
password has been given out to normal users for various reasons.
Now that the local administrator account will rarely be used, it would be nice to be able to
change that password, so anyone who previously knew it can no longer use it. This is
where Microsoft’s Local Administrator Password Solution (LAPS) comes into play. LAPS is
a solution developed by Microsoft to handle the management of the local administrator accounts
on domain-joined computers. Any device that LAPS is deployed to is able to randomize the local
administrator password, store that password in Active Directory, and then change that password
on a set schedule.
The instructions below are part 1 of a 2-part series and cover the process of configuring
Active Directory to support LAPS. The sections marked as (Required) are necessary to
implement LAPS functionality. The sections marked as (Optional) are not necessary, but can
add additional value or functionality to the implementation.
1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Schema Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
4. After extending the schema, there will be two new attributes visible on the properties of the
computer objects in AD
a. ms-Mcs-AdmPwd – This attribute stores the local administrator password (in clear text, which is why read access to it must be delegated carefully)
b. ms-Mcs-AdmPwdExpirationTime – This attribute stores the password expiration time
(Required) Configure Active Directory Computer Permissions
By default, computers will only be able to read the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
attributes. For LAPS to work, computers need to be able to write to both attributes. The steps
below grant write permission on both attributes to the SELF principal, which allows each
computer object to update its own password and expiration time attributes (and nothing else).
1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to grant write permission to the SELF account. Replace OU Name with the
name of the OU that contains computers that will be managed with LAPS. The permissions will
apply to any sub OUs of the OU you specify.
a. Set-AdmPwdComputerSelfPermission -Identity "OU Name"
NOTE: In the examples throughout this article, the common name of the OU is specified.
The common name of the OU can be specified if the name is unique, otherwise specify the
distinguished name of the OU.
(Required) Delegate rights to an AD user or group to view the password and reset time attributes
1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to delegate read access to a specific user or group. Replace OU Name with
the name of the OU that the user or group will be able to read the attributes for. Replace User or
Group Name with the name of the user or group that will be delegated the read permission.
Multiple users or groups can be specified in a comma separated list.
a. Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"
1. On the computer that the LAPS management utilities are installed on, open a PowerShell prompt
with an account that has Domain Admin rights
2. Run the command to import the LAPS PowerShell module
a. Import-Module AdmPwd.PS
3. Run the command to view which principals hold extended rights (and can therefore read the password attribute) on a specific OU. Replace OU Name with the name
of the OU the command will run against.
a. Find-AdmPwdExtendedRights -Identity "OU Name"
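The three PowerShell steps above (SELF write permission, read delegation, and the extended-rights audit), combined into one script as an added example that is not part of the original article. It assumes placeholder values for the OU distinguished name and group names, uses the Set-AdmPwdResetPasswordPermission cmdlet from the same AdmPwd.PS module (not shown on this page) for the reset delegation, and assumes Find-AdmPwdExtendedRights returns objects with ObjectDN and ExtendedRightHolders properties whose holders are formatted as DOMAIN\name.

```powershell
# Added example, not the article's own script. Run as a Domain Admin on the host
# where the LAPS management tools (AdmPwd.PS) are installed.
param(
    [string]$OrgUnit       = 'OU=Workstations,DC=example,DC=com',  # placeholder
    [string[]]$ReadGroups  = @('LAPS-Password-Readers'),           # placeholder
    [string[]]$ResetGroups = @('LAPS-Password-Resetters')          # placeholder
)

Import-Module AdmPwd.PS -ErrorAction Stop

# Computers must be able to write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
# on their own object; this grants that to SELF for the OU and all sub-OUs.
Set-AdmPwdComputerSelfPermission -Identity $OrgUnit

# Delegate read of the password attribute (as in the article) and the right to
# force a rotation by clearing the expiration time (cmdlet from AdmPwd.PS that
# the article does not show).
Set-AdmPwdReadPasswordPermission  -Identity $OrgUnit -AllowedPrincipals $ReadGroups
Set-AdmPwdResetPasswordPermission -Identity $OrgUnit -AllowedPrincipals $ResetGroups

# Audit: list every principal holding "All extended rights" on the OU and flag
# any that is not on the delegated list. Built-in groups such as Domain Admins
# will show up here; anything else marked REVIEW should be examined, because
# extended rights allow reading the clear-text password attribute.
$expected = @($ReadGroups + $ResetGroups | ForEach-Object { $_.ToLower() })
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    ForEach-Object {
        $objectDn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            # Assumed holder format DOMAIN\name; compare on the name part only.
            $name   = ($holder -split '\\')[-1].ToLower()
            $status = if ($expected -contains $name) { 'delegated' } else { 'REVIEW' }
            [pscustomobject]@{ ObjectDN = $objectDn; Holder = $holder; Status = $status }
        }
    } | Format-Table -AutoSize
```

Any principal reported as REVIEW that is not a built-in administrative group is a candidate for the "Uncheck All extended rights" cleanup described in the next section.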
To make sure any extra users or groups reported by the previous command cannot view the password or reset time
attributes, follow these steps:
1. Open Active Directory Users and Computers as an account with Domain Admin rights
2. Right click on the OU in question and select Properties
3. Click on the Security tab
4. Click Advanced
5. Select the user or group to modify permissions for
6. Click Edit
7. Uncheck the All extended rights box
At this point, Active Directory has been configured to support LAPS, computer objects have been
given permission to update their password attributes, and the appropriate users have been
delegated rights to read and reset the passwords. Part 2 of this series will cover the creation and
configuration of the Group Policy Object needed to enable LAPS on devices.