How to Configure Microsoft Local Administrator Password Solution (LAPS)

The Microsoft Local Administrator Password Solution (LAPS) manages the local account passwords of domain-joined computers. This article shows how to deploy and configure LAPS.

A. Microsoft LAPS Prerequisites

To install Microsoft LAPS, we need at least one management computer, some client workstations, and Microsoft Active Directory. Microsoft LAPS also needs a specific Group Policy client-side extension (CSE) installed on each computer to perform all management tasks.

The management computer can be a Domain Controller or any domain-joined computer.

B. Installing Microsoft LAPS

1. Download the Microsoft LAPS package from this link: https://www.microsoft.com/en-us/download/details.aspx?id=46899

2. Select the LAPS file you want to download, for example, the LAPS.x64.msi file.

3. Double-click the downloaded LAPS.x64.msi and click Run to continue.

4. Click Next on the Welcome to the Local Administrator Password Solution Setup Wizard page.

5. Check I accept the terms in the License Agreement and click Next.

6. In Custom Setup, right-click Management Tools and select Entire feature will be installed on local hard drive. Then click Next.

7. Click Install.

8. Click Yes to continue.

9. Click Finish to complete the LAPS setup.
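The same installation can be scripted for rollout to many machines. The following PowerShell is an added example, not part of the original article or of the LAPS package: it checks the Authenticode signature of the downloaded MSI before touching it, installs silently with a verbose log, and confirms the CSE was placed on disk. The assumptions are that LAPS.x64.msi sits in the current directory, that the MSI feature names CSE, Management.UI, Management.PS and Management.ADMX match your package version (verify them against the package if it differs), and that the CSE installs to its default path under Program Files\LAPS.

```powershell
# Added example (not from the original article): scripted equivalent of the
# section B wizard, for the management computer.
# Assumptions: LAPS.x64.msi is in the current directory; the feature names
# below match this package version (check with an MSI viewer if unsure);
# the CSE installs to the default path under Program Files\LAPS.

$msi = Join-Path $PWD 'LAPS.x64.msi'

# Refuse to run an installer whose signature is missing, broken, or not Microsoft's.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to install: signature status '$($sig.Status)' for $msi"
}

# Management computer: CSE plus all management tools (the wizard's
# "Entire feature will be installed on local hard drive").
# Client workstations need only the CSE:  ADDLOCAL=CSE
$features = 'CSE,Management.UI,Management.PS,Management.ADMX'
$log      = Join-Path $env:TEMP 'LAPS-install.log'

$p = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/i `"$msi`" ADDLOCAL=$features /qn /norestart /l*v `"$log`"" `
    -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($p.ExitCode); see $log"
}

# Confirm the client-side extension actually landed (default install path).
$cse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (-not (Test-Path $cse)) {
    throw "CSE not found at $cse; check $log"
}
Write-Host "LAPS installed; CSE present at $cse (reboot required: $($p.ExitCode -eq 3010))"
```

For client workstations, deploy the same package with `ADDLOCAL=CSE` through your software distribution tool or a Group Policy software installation; the signature check and exit-code handling apply unchanged.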

C. Update Active Directory Schema

We need to extend the AD schema so that LAPS can use two new attributes on computer objects:

1. ms-Mcs-AdmPwd – stores the administrator password in clear text.
2. ms-Mcs-AdmPwdExpirationTime – stores the timestamp of the password expiration.

1. Launch PowerShell as Administrator.

2. Run this PowerShell command to import the module:
    Import-Module AdmPwd.PS


3. Now run Update-AdmPwdADSchema to update the schema.

4. After the schema update, we can see these two new attributes in the computer object's properties: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
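Steps 1 to 4 above, carried out as one script that is safe to re-run, are shown below. This is an added example and not the article's or the LAPS module's own code: it checks the schema for the two attributes before and after calling Update-AdmPwdADSchema, so a second run on an already-extended forest does nothing, and it reads the expiration attribute back from one computer object, converting the FILETIME value to a date. It assumes the RSAT ActiveDirectory module is available, that the account running it belongs to Schema Admins, and a placeholder computer name of WS01.

```powershell
# Added example (not from the original article): idempotent version of
# section C with verification. Requires the RSAT ActiveDirectory module and
# Schema Admins membership for the update itself.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs    = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

function Get-MissingLapsAttribute {
    # Returns the LAPS attribute names that are not yet defined in the schema.
    foreach ($a in $attrs) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)"
        if (-not $obj) { $a }
    }
}

$missing = @(Get-MissingLapsAttribute)
if ($missing.Count -eq 0) {
    Write-Host 'Schema already extended; nothing to do.'
}
else {
    Write-Host "Extending schema for: $($missing -join ', ')"
    Update-AdmPwdADSchema | Format-Table -AutoSize

    # Schema changes replicate from the schema master; fail loudly if the
    # attributes still do not resolve here.
    if (@(Get-MissingLapsAttribute).Count -ne 0) {
        throw 'Schema update did not add the expected attributes'
    }
}

# Read the expiration attribute back from one computer (placeholder name WS01).
# The value is a Windows FILETIME (100 ns ticks since 1601), so convert it.
# Right after the schema update it is still empty, which the expression tolerates.
Get-ADComputer -Identity 'WS01' -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name,
        @{ Name = 'PwdExpiresUtc'; Expression = {
            if ($_.'ms-Mcs-AdmPwdExpirationTime') {
                [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
            }
        } }
```

The script deliberately reads only ms-Mcs-AdmPwdExpirationTime, not ms-Mcs-AdmPwd: the password itself is clear text in the directory, so routine health checks should not pull it, and the expiration timestamp is enough to confirm that the CSE is writing.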

During the password update process, the computer object itself must have permission to write values to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. To do that, we need to grant write permissions to the built-in SELF principal.

To do that,
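The AdmPwd.PS module that was imported in section C includes a cmdlet for exactly this grant. The PowerShell below is an added example, not part of the original article: it gives SELF write access on the two LAPS attributes for every computer under one OU, and then lists which principals already hold extended rights on that OU, since any of them can read the clear-text ms-Mcs-AdmPwd value. The OU distinguished name is a placeholder you replace with your workstation OU.

```powershell
# Added example (not from the original article): grant SELF write access to
# the LAPS attributes under an OU, then audit who can read the password.
Import-Module AdmPwd.PS

# Placeholder: replace with the OU that holds your LAPS-managed computers.
$ou = 'OU=Workstations,DC=example,DC=com'

# The CSE runs as the computer account, so SELF needs write access to
# ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on computer objects in $ou.
Set-AdmPwdComputerSelfPermission -Identity $ou | Format-Table -AutoSize

# ms-Mcs-AdmPwd is clear text and protected only by the ACL. Every holder of
# "All extended rights" on the OU can read it; review this list and remove
# anyone who should not be able to.
$rights = Find-AdmPwdExtendedRights -Identity $ou
foreach ($r in $rights) {
    Write-Host "Object: $($r.ObjectDN)"
    $r.ExtendedRightHolders | ForEach-Object { Write-Host "  can read password: $_" }
}
```

Run the audit part again after delegating read or reset rights later in the deployment; the output is the authoritative list of who can retrieve local administrator passwords for that OU.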

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE. Data recovery, Windows OS recovery, networking, and computer troubleshooting on http://www.ChicagoTech.net; how to install and configure Windows, VMware, virtualization, and Cisco on http://www.HowToNetworking.com