If you’re like most IT shops, sooner or later you’ll be required to configure a Windows workstation for an employee. In most cases, the workstation should be added to a Microsoft Windows Domain. One of the primary reasons for adding a Windows workstation to a Windows Domain is because it provides a method to centrally manage the Computer Object. This includes a variety of Group Policy Objects (GPOs) which provides a method to enforce any policies to the Windows Workstation via Computer or User Configuration.
** Please keep in mind, this scenario was tested in a test lab environment. Please proceed with caution if you decide to implement this solution. This guide was created for informational purposes. **
LAPS (Local Administrator Password Solutions) can be downloaded from this location, which includes documentation (please review the documentation before implementing this solution in your environment). I will now cover the steps to install and configure the application\solution.
- Once the Windows installer for LAPS has been downloaded, please proceed with the installation by double clicking the LAPS.x64 Windows Installer and then select Run to proceed.
- Tick the box to accept the terms of the license agreement and then select Next to proceed. At the Custom Setup window, please select the arrow pointing down next to Management Tools and then select the option to install the Entire feature will be installed on local hard drive. Click Install and then Finish when the installation is complete.
Once the LAPS software has been installed successfully, log into your Domain Controller and create a new shared folder (for example, LAPS Test) on the root of the C drive. Next, right-click the LAPS Test folder, select Properties, then select the Sharing tab, and then click on the Advanced Sharing button.
Tick the Share This Folder option and include a $ following the Share Name. Next, select the Permissions button and then select the Add button on the Permissions Window.
At the Select Users, Computers, Service Account, or Groups window, search for Domain Computers and then select OK. On the following window, select Apply and then OK. Select the Security tab, then select Edit followed by Add. Search for Domain Computers and then select OK. Followed by Apply, OK, and then Close.
Then Copy and Paste the Laps installer file into the folder that was just created.
Launch Group Policy Management on your domain controller and create a new GPO (Group Policy Object). Provide the new GPO a name (for example, Deploy-LAPS) and then select OK. Right-click Deploy-LAPS and select Edit.
Navigate to Computer Configuration\Policies\Software Settings. Right-click Software Installation under Software Settings and select New followed by Package. Navigate to the location to where the installer was saved. Select it, then Open, followed by Advanced and then OK.
Double-click the installer that was just created and then select the Security tab. Search for Domain Computers and then select OK. Followed by Apply, OK, and then Close.
Log into your test\client computer and search for Local Administrator Password Solution in Programs and Features. If the program is not listed, please open a command prompt and type gpupdate \force. Once the command completes successfully, please restart the test\client computer and Local Administrator Password Solution should now be listed in Programs and Features.
Once the above has been confirmed, please log back into your Domain Controller to extend the Active Directory Schema. Once you’ve logged in, please open Windows PowerShell and run the following commands:
- Import-module AdmPwd.PS
This solution will now be deployed to my Lab Computers OU found in my test environment.
In order for this to be done correctly, I must grant this computer the rights to the Active Directory options and this is done by invoking the following Windows PowerShell command.
- Set-AdmPwdComputerSelfPermission -OrgUnit ‘Lab Computers’
The following Windows PowerShell command will provide who has permissions on the OU listed in the command to view the local admin passwords.
- Find-AdmPwdExtendedRights -Identity ‘Lab Computers’
The following Windows PowerShell command will set the Admin Password permissions on the ‘Lab Computers’ OU and the AD group must be specified as well.
- Set-AdmPwdReadPasswordPermission -OrgUnit ‘Lab Computers’ -AllowedPrincipals Users
Please open Group Policy Management and create a new GPO (for example, LAPS-Policy) and link it to the intended Computers OU (in my example, it’s linked to the Lab Computers OU) it should be applied to. This will deploy the settings for the local administrator settings via LAPS.
Once the GPO has been created, please right-click the GPO and select EDIT. The navigate to Computer Configuration\Policies\Administrative Templates\LAPS. Double click LAPS and enable the following settings:
- Password Settings (once enabled, you have the option to include specific password complexity)
- Name of Administrator Account to Manage (you specify the local admin account name you’d like this policy to apply to)
- Enable Local Admin Password Management (this policy only requires the administrator to set it to ‘Enabled‘)
To invoke the changes to the above GPO, I recommend that you open a command prompt on your domain controller and client machine and type gpupdate /force (you could also wait for your domain controller to sync) but kicking off the command manually triggers the GPO to apply immediately.
To create a new password for the local admin account on the client workstation, we have two options to do so (Windows PowerShell or the LAPS client found on the domain controller). The path for the client is C:\Program Files\LAPS.
For this blog post, I used the client to invoke the password change. To do so, launch the LAPS client, enter the client name of the workstation you’d like to change the local admin password for (in this example, I’m testing with VBR). After you have entered the name of the client workstation, please select Search. The new password will be generated and it is based on the password complexity characteristics that were applied when the LAPS-Policy GPO was created.
Using a Remote Desktop session (type mstsc in the search box) to my test client (VBR), I successfully logged into it using the local admin account and the password that was created using the LAPS client.
If I have missed anything or if you have any suggestions, please let me know.