How to Configure Group Policy for LAPS
The post details the steps to configure Group Policy for LAPS. This is the third and final post that covers the group policy configuration of LAPS.
In this post we will modify some of the group policy settings related to LAPS. We know that LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL. Hence only eligible users can read it or request its reset.
In my previous posts, we have covered two important topics. First one is how to install and deploy Microsoft LAPS software and second how to configure Active Directory for LAPS. You can access both the posts by clicking on the below links.
How to Configure Group Policy for LAPS
To configure group policy for LAPS
- Launch the Group Policy Management console.
- Right click the OU where your domain computers are present.
- Click Create a GPO in this domain and link it here.
- Specify a group policy name such as “LAPS” and click OK.
- In the next step edit the GPO.
The LAPS settings are located under Computer Configuration > Administrative Templates > LAPS. You can see four settings present. We will configure the ones that are required.
Right click the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.
LAPS Password Settings
Next edit the password settings policy. By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days.
You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs. Click OK.
Administrator account name – If you have decided to manage custom local Administrator account, you must specify its name in Group Policy. I haven’t configured this policy setting.
Protection against too long planned time for password reset – If you do not want to allow setting planning password expiration of admin account for longer time than maximum password age, you can do it in GPO.
If you want to view the password settings of a computer using the powershell, Get-AdmPwdPassword will help you.
- Import-Module AdmPwd.PS
- Get-AdmPwdPassword -Computername “name of computer“
What happens if a user who hasn’t been granted rights to see the local Administrators password tries to access it?. If they were to gain access to the GUI interface the password won’t be displayed.
For GUI users there is a cool way to find the password settings. Run the AdmPwd.UI file as administrator. This file is located under C:\Program Files\LAPS folder.
In the LAPS UI window, enter the computer name and click Search. In addition to the password, the expiry information is also visible.
Peform gpupdate on the client machines. Now look at the properties of the computer object and see the new settings. The password is visible (plain text).
When I go to add the GP, LAPS is not included in the Administrative Templates. How do I install it?
You will need to import it..
First install the LAPS Software from the Microsoft site. Next go to: C:\Windows\PolicyDefinitions and copy:
AdmPWD.admx
Paste it in: C:\Windows\SysVol\domain\policies\PolicyDefinitions
next copy AdmPWD.ADML from the C:\Windows\PolicyDefinitions\en-us
Into: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
Refresh your Group Policy console and reopen the GPO you will see it listed under the Computer configuration\Administrative templates\LAPS
Hi Prajwal
Very insightful guide. Thank you.
I am having ONE major problem after implementing this in my work environment.
The ONE attribute ms-Mcs-AdmPwdExpirationTime registers changes when i check against the computer attribute, HOWEVER, the ms-Mcs-AdmPwd does not, and the LAPS GUI reports back that the password has been reset successfuly, when it has not?
Any ideas pls?
Would really appreciate your help.
Thank you
Kind Regards
If computer is out of network for very long time and rarely visits corporate network, how the password is getting changed in that case.
It is not the best way to apply GPO to the domain.
Use dedicated OU for applying LAPS. I think that some servers like DCs should not be a part LAPS clients. Of course another reason is because you need test before you apply LAPS to entire organization – and apply GPO to entire domain is wrong once again. Be careful!
I thought this exactly so I created my policies where my computers, laptops, tablets etc. are stored – nowhere near any of my servers.
Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?
I am not sure if this applies but from what I gather from this it randomly resets the local admin password and you use the LAPS UI to get that password. I believe it would be the Administrator account for the local machine. I could be wrong.
Michael
Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?