How to Implement Local Administrator Password Solution (LAPS) on Windows

Overview

LAPS (Local Administrator Password Solution) is Microsoft's solution for managing the local administrator account and its password on domain-joined machines: each computer sets its own random password and stores it in Active Directory, where reading it is controlled by ACLs.

Use-Case:
– We recently had an issue with not being able to log in as local administrator on a restored backup of a server in Veeam because we did not know the password for the local admin account.
– This exposed the issue that we need centralized management of Local Administrator Accounts and Passwords.

Action Plan

The procedure breaks down into 7 steps:

1. Download LAPS.
2. Extend AD Schema
3. Install LAPS Group Policy Files
4. Set Options for LAPS
5. Assign Permissions
6. Push Group Policy to Appropriate OUs
7. Validation of Installation and Configuration

1. Preparations

  1. Make a full backup of Active Directory
  2. Download LAPS
    https://www.microsoft.com/en-us/download/details.aspx?id=46899

2. Extend AD Schema (requires Schema Admins membership)

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

3. Install LAPS Group Policy Files
– *.admx files go into the "\windows\PolicyDefinitions" folder
– *.adml files go into the "\windows\PolicyDefinitions\[language]" folder (e.g. en-US)

4. Set options
– GPMC > Computer configuration > Policies > Administrative Templates > LAPS
– Password settings — set frequency and complexity (use default)
– Name of administrator account to manage — rename the administrator account to something non-default such as "localadmin" (LAPS manages the built-in administrator account by its well-known SID even after a rename, so this setting only needs a value when a separately created custom account is to be managed)
– Do not allow password expiration time longer than required by policy — set to Enabled so that a computer cannot keep an expiration time longer than the policy allows (for example after being disconnected from the domain) and end up out of sync with AD
– Enable local password management — must be set to TRUE to activate policy

5. Assign Permissions
– Create 2 security groups: “LAPS_ReadOnly” and “LAPS_Admins”
– Create a test OU named “Test_OU” and move some test machines into this container
– Grant the computers in the OU permission to write their own password and expiration-time attributes:

Set-AdmPwdComputerSelfPermission -OrgUnit "Test_OU"

– Grant read and reset permissions to the two groups:

Set-AdmPwdReadPasswordPermission -OrgUnit "Test_OU" -AllowedPrincipals "LAPS_ReadOnly"
Set-AdmPwdResetPasswordPermission -OrgUnit "Test_OU" -AllowedPrincipals "LAPS_Admins"

6. Push GP to Appropriate OUs
– Script content (batch file; it writes to System32, so it must run in an elevated context, which a per-user logon script normally does not have):

REM This script installs the LAPS client library onto the local machine
set admpwdFile=\\FileSherver01\Software\LAPS\AdmPwd.dll
copy /Y "%admpwdFile%" "%windir%\System32\"
regsvr32.exe /s "%windir%\System32\AdmPwd.dll"
gpupdate /force

– Apply this logon script to the correct OU

7. Validation
– Install the LAPS GUI onto a workstation > query a machine within the affected OU > verify that its local admin password has been set
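The following PowerShell is an added example (not part of the original post) that automates steps 2, 5 and 7 above for the test OU: it extends the schema only if that has not been done yet, creates the OU and the two groups if they are missing, grants the self/read/reset permissions, and then checks which computers in the OU have actually been managed by reading the ms-Mcs-AdmPwdExpirationTime attribute that the LAPS client writes. It assumes the ActiveDirectory module (RSAT) and the AdmPwd.PS module are installed, and that it runs as a Schema Admin for the schema step and a Domain Admin for the rest; the OU and group names are taken from the post.

```powershell
# Added example: end-to-end LAPS setup and validation for a test OU.
# Assumes RSAT (ActiveDirectory module) and the LAPS management tools
# (AdmPwd.PS module); names below follow the post.
#Requires -Modules ActiveDirectory, AdmPwd.PS
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$domainDN   = (Get-ADDomain).DistinguishedName      # e.g. DC=intranet,DC=kimconnect,DC=com
$ouName     = 'Test_OU'
$ouDN       = "OU=$ouName,$domainDN"
$readGroup  = 'LAPS_ReadOnly'
$resetGroup = 'LAPS_Admins'

# Step 2: extend the schema only when ms-Mcs-AdmPwd does not exist yet (safe to re-run)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Mcs-AdmPwd)')) {
    Update-AdmPwdADSchema
}

# Step 5: OU and security groups (skip objects that already exist)
if (-not (Get-ADOrganizationalUnit -SearchBase $domainDN -LDAPFilter "(ou=$ouName)")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
foreach ($g in $readGroup, $resetGroup) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $domainDN
    }
}

# Computers in the OU may write their own password and expiration attributes
Set-AdmPwdComputerSelfPermission -OrgUnit $ouDN
# LAPS_ReadOnly may read ms-Mcs-AdmPwd; LAPS_Admins may additionally force a reset
Set-AdmPwdReadPasswordPermission  -OrgUnit $ouDN -AllowedPrincipals $readGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ouDN -AllowedPrincipals $resetGroup

# Step 7: validation. A managed computer carries a FILETIME expiration timestamp
# in ms-Mcs-AdmPwdExpirationTime; one that has not applied the policy yet has none.
$report = Get-ADComputer -SearchBase $ouDN -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer   = $_.Name
            Managed    = [bool]$raw
            ExpiresUtc = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        }
    }
$report | Format-Table -AutoSize

$unmanaged = $report | Where-Object { -not $_.Managed }
if ($unmanaged) {
    Write-Warning "Not yet managed (policy not applied or client not registered): $($unmanaged.Computer -join ', ')"
}

# Reading the password itself is what the LAPS GUI does; show only metadata here
# so the secret does not end up in a transcript or console log.
$report | Where-Object Managed | Select-Object -First 1 | ForEach-Object {
    Get-AdmPwdPassword -ComputerName $_.Computer | Select-Object ComputerName, ExpirationTimestamp
}
```

The validation part deliberately reports whether a password exists and when it expires rather than the password value, which keeps secrets out of session transcripts; the read is only expected to succeed for members of LAPS_ReadOnly or Domain Admins.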

Impacts Assessment:

User Impacts: none should be perceived by users

Internal System Impacts:

New Objects:
– 2 new security groups are added: “LAPS_ReadOnly” and “LAPS_Admins”
– 1 new OU named “Test_OU” is created
– 1 new Group Policy named “LAPS” will be made

Logon Script named "admpwdFile.bat" will be applied toward computers located inside the "TEST_OU":
REM This script installs the LAPS client library onto the local machine
set admpwdFile=\\FileSherver01\Software\LAPS\AdmPwd.dll
copy /Y "%admpwdFile%" "%windir%\System32\"
regsvr32.exe /s "%windir%\System32\AdmPwd.dll"
gpupdate /force

Effects of the "Update-AdmPwdADSchema" command:
– The AD Schema will be extended with 2 new custom attributes:
— cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
— cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
– This 1 existing Schema class will be modified (the two attributes are added to it):
— cn=computer,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
– Test machines and subsequent machines with the GP applied will have this DLL added under C:\Windows\System32 — file name: admpwd.dll

Risk Analysis:

This is a MEDIUM risk item due to these considerations:
– A custom attribute in the AD Schema is intended to be permanent; normally, a change to the AD schema is a "High" risk concern. Since we are utilizing a Microsoft product to extend an existing Microsoft product, perfect integration is expected. Therefore the risk should be downgraded to "Medium."
– Domain Admins will have access to the local passwords of all targeted machines (ms-Mcs-AdmPwd is stored in clear text in AD and protected only by ACL). Hence, further AAA mitigation techniques, such as auditing password reads, should follow. This sub-item indicates a "Medium" level consideration.
– No user-perceivable effects. Hence, this sub-item indicates "Low" risk.
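For the Domain Admins consideration above, the following PowerShell is an added example (not part of the original post) of the two follow-up controls a defender would put in place: enumerating every principal that can read ms-Mcs-AdmPwd on the computers in the OU (inherited "All extended rights" from parent containers is the usual surprise), and switching on auditing so that each password read is logged on the domain controllers as Security event 4662, then pulling those events back. It assumes the AdmPwd.PS and ActiveDirectory modules and the Test_OU container from the post; the 4662 event-data field positions used when formatting the output are an assumption about the standard event layout.

```powershell
# Added example: find who can read LAPS passwords, and audit the reads.
# Assumes AdmPwd.PS, ActiveDirectory (RSAT) and the post's Test_OU.
#Requires -Modules ActiveDirectory, AdmPwd.PS
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ouDN = "OU=Test_OU,$((Get-ADDomain).DistinguishedName)"

# 1. Who holds extended rights (and therefore can read ms-Mcs-AdmPwd) per computer object?
#    Anything beyond LAPS_ReadOnly / LAPS_Admins / Domain Admins here should be reviewed
#    and the extended right removed from that group (this script only reports).
Find-AdmPwdExtendedRights -Identity $ouDN |
    ForEach-Object {
        [pscustomobject]@{
            ObjectDN = $_.ObjectDN
            Holders  = ($_.ExtendedRightHolders -join '; ')
        }
    } | Format-Table -Wrap

# 2. Audit every read of the password attribute in the OU. Reads then appear in the
#    DCs' Security log as event 4662 (needs "Audit Directory Service Access" success
#    auditing enabled on the domain controllers).
Set-AdmPwdAuditing -OrgUnit $ouDN -AuditedPrincipals 'Everyone'

# 3. Pull the last day of 4662 events from a DC and keep only those that touched
#    ms-Mcs-AdmPwd. The event lists properties by schemaIDGUID, which is generated
#    per forest, so resolve it instead of hard-coding a value.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$pwdGuid  = ([guid]$pwdAttr.schemaIDGUID).Guid
[string]$dc = (Get-ADDomainController -Discover).HostName

Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pwdGuid } |
    Select-Object TimeCreated,
        # assumed 4662 layout: [1] = SubjectUserName, [6] = ObjectName (object GUID form)
        @{ n = 'Reader'; e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Auditing 'Everyone' is intentional: the point is to see Domain Admin reads as well as LAPS_ReadOnly reads, so that a password retrieval that no ticket explains can be investigated.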

Validation:

– “Step 7” in the execution plan provides validation on whether LAPS has been successfully applied toward test Windows machines inside the “TEST_OU”

Roll-back Plan:

– Perform an authoritative restore on the PDC from the backup taken in step 1
