Local Administrator Password Solution (LAPS)
The Local Administrator Password Solution (LAPS) is a solution created by Microsoft to address the concerns systems administrators have over the local Administrator password on the systems they manage: specifically the desire to have a unique password assigned to the local Administrator account on each system, to have that password changed on a regular basis, and to have that password escrowed in a secure manner.
The password is stored in a confidential attribute named ms-Mcs-AdmPwd. Because this is a confidential attribute, specific permissions must be held in order to be able to see the value of the attribute. By default, the only people who have the necessary permissions to see the password are Department Administrators (which are created and managed in the DeptAdminTools) and any member of a group for which the standard computer delegation has been set. We do have the ability to delegate access to the password without providing the Full Control to computer objects that is set via the standard Computer Delegation request.
The configuration of the local Administrator password is controlled using Group Policy. A Group Policy Client Side Extension is available which performs the password change and escrows it in Active Directory.
Department Usage of LAPS
The schema extension for the AUSTIN domain and addition of the ADMX to the Group Policy Central Store was completed on Friday 31 July 2015.
If a Department's OU is located under austin.utexas.edu/Affiliated Units or austin.utexas.edu/Colleges and Schools, it must first be moved to austin.utexas.edu/Departments. This process involves a new departmental permissions model which is a requirement of Internal Audits and the ISO.
Deploying the new Group Policy Client Side Extension
In order for a computer's local Administrator account to be managed by LAPS, a new Group Policy Client Side Extension needs to be installed. This new CSE needs to be deployed to every computer that you manage, otherwise LAPS will not manage the local Administrator password on it.
Run the appropriate installer (LAPS.x64.msi or LAPS.x86.msi) from \\austin.utexas.edu\disk\site-licensed\LAPS. To install only the new CSE, select only the AdmPwd GPO Extension feature. By default this is the only feature selected.
This process can be automated (deployed via SCCM, for example) using the following command, which performs a silent install: msiexec /i LAPS.x64.msi /quiet
Configuring LAPS settings for your computers
You will need to create and configure a GPO to configure LAPS, and then link it within your Department's OU structure to have it applied to your computers.
The following settings are available to be configured under Computer Configuration\Policies\Administrative Templates\LAPS:
- Password Settings: Configures the complexity, length and expiration for the password LAPS will generate.
- Name of the administrator account to manage: This can be used if you have a custom local Administrator account that you want to manage the password for.
Some Departments disable the built-in local Administrator account and create a new local Administrator account, which can be provided here.
If you want to have the password for the built-in local Administrator account managed by LAPS, leave this setting set to Not Configured so the account will be managed based on its well-known SID.
- Do not allow password expiration time longer than required by policy: If this setting is enabled and you have a password policy configured (via Local Security Policy or Group Policy), the password managed by LAPS will be changed to meet the requirements of the maximum password age defined in the password policy.
- Enable local admin password management: This setting must be set to Enabled in order for LAPS to manage the local administrator password.
Retrieving the Local Administrator Password from Active Directory
There are a few ways that you can retrieve the local Administrator password for a computer:
- Using PowerShell
- Ensure that you have the
- Import the ActiveDirectory module by running the following command:
- Run the following command, replacing <ComputerName> with the actual name of the computer:
Get-ADComputer <ComputerName> -Properties ms-Mcs-AdmPwd
- If the ms-Mcs-AdmPwd attribute is not returned, then you do not have permission to see it.
- Using ADUC
- Launch ADUC.
- Ensure Advanced Features are enabled (Under the View menu, ensure Advanced Features is selected.)
- Browse to the computer in your Department OU, right-click on the computer, and select Properties.
- Select the Attribute Editor tab.
- Look for the attribute named ms-Mcs-AdmPwd.
(Do not modify the value of this attribute. Changing the value here will not result in the password for the local Administrator account on this computer updating.)
- If the value for the ms-Mcs-AdmPwd attribute is <not set>, then either the password has not been set on the computer using LAPS, or you do not have permission to see it.
- Using the LAPS GUI
- Launch the LAPS GUI (from the Start menu select LAPS UI located within the LAPS folder.)
- Enter the computer name.
- Click the Search button.
- If the password field is empty, then either the password has not been set on the computer using LAPS, or you do not have permission to see it.
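The PowerShell retrieval steps above, wrapped in a reusable function as an added example (this is not code from the original page or from Microsoft's LAPS package): it reads ms-Mcs-AdmPwd for one or more computers, treats a missing value the way the page describes (not yet set by LAPS, or no permission), and hands back a PSCredential instead of echoing the plaintext password to the console. The function name, its parameters and the default account name are assumptions; it requires the ActiveDirectory module and read permission on the attribute.

```powershell
# Added example, not part of the original page: retrieve the LAPS-managed local
# Administrator password and return it as a PSCredential rather than printing it.
# Function name, parameters and the 'Administrator' default are assumptions.
function Get-LapsLocalAdminCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        # Set this if your Department manages a custom local Administrator account
        # (the "Name of the administrator account to manage" GPO setting).
        [string]$AccountName = 'Administrator'
    )

    begin { Import-Module ActiveDirectory -ErrorAction Stop }

    process {
        foreach ($name in $ComputerName) {
            try {
                # ms-Mcs-AdmPwd is a confidential attribute: its value is only returned
                # when the caller holds the delegated permission on the computer object.
                $computer = Get-ADComputer -Identity $name -Properties 'ms-Mcs-AdmPwd' -ErrorAction Stop
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                Write-Warning "Computer object '$name' was not found in Active Directory."
                continue
            }

            $plain = $computer.'ms-Mcs-AdmPwd'
            if ([string]::IsNullOrEmpty($plain)) {
                # Either LAPS has not set the password yet, or you lack permission to read it.
                Write-Warning "No readable ms-Mcs-AdmPwd value for '$name' (not yet set by LAPS, or no permission)."
                continue
            }

            # Wrap the password in a SecureString and drop the plaintext copy immediately.
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
            Remove-Variable -Name plain

            [pscustomobject]@{
                ComputerName = $computer.Name
                Credential   = [pscredential]::new("$($computer.Name)\$AccountName", $secure)
            }
        }
    }
}

# Usage (constructed computer name): $c = Get-LapsLocalAdminCredential -ComputerName 'DEPT-PC-01'
# then pass $c.Credential to Enter-PSSession or Invoke-Command instead of typing the password.
```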