In this tutorial, I cover the installation and deployment of Microsoft LAPS on a Windows domain, giving you an illustrated step-by-step guide through the whole process.
LAPS stands for Local Administrator Password Solution and provides management of the local administrator password of any domain-joined Windows client.
Once installed, the local Administrator password is stored centrally in Active Directory. In turn, only domain admins or specified users are allowed to read or reset these local administrator passwords.
In corporate environments it is common to have domain-joined Windows PCs with the same local Administrator password across the network. An attacker with knowledge of this password can use it to their advantage and move laterally around the network until they either find a less secure client or one where a domain admin has logged in.
By generating a random local Administrator password for each device, which automatically changes after a specified amount of time, Microsoft LAPS resolves this. This means that an attacker would only have access to the compromised account for a short while before the password is automatically reset.
LAPS can also be beneficial if a client loses connection with the domain, allowing an administrator to quickly find the local administrator password for that device in Active Directory.
1# Downloading Microsoft LAPS
Let's start by downloading Microsoft LAPS on to your domain controller.
Download LAPS from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
Depending on your client machines, download either LAPS.x64.msi (for 64-bit operating systems) or LAPS.x86.msi (for 32-bit operating systems), or download both if you have a mixture.
As I only have 64-bit operating systems in my lab, I only need to download LAPS.x64.msi.
2# Installing Microsoft LAPS
- On the Domain Controller run the LAPS msi file you just downloaded.
- Click next to continue with the installation.
- Tick the box to accept the License Agreement and click Next
- Select all the management Tools to be installed and click next
- Click Install
- LAPS is now installed click Finish to complete the install.
3# Extend the Active Directory Schema
Now we need to extend the Active Directory schema with two new attributes added to computer objects:
- ms-Mcs-AdmPwd – This stores the password in clear text (access to it is controlled purely by the AD permissions set in the next step).
- ms-Mcs-AdmPwdExpirationTime – Stores the time when the password will reset.
Start by opening PowerShell with administrator rights. Note that extending the schema requires an account that is a member of the Schema Admins group.
- Import the AdmPwd.PS PowerShell module: Import-Module AdmPwd.PS
- Update the Active Directory schema by typing Update-AdmPwdADSchema
4# Set the LAPS Permissions
First, we need to add write permissions on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes we just added to the Active Directory schema for the computer objects. This grants the SELF account of each computer write access and is required so the client can update its local administrator password and the password expiration timestamp.
- Run Set-AdmPwdComputerSelfPermission -OrgUnit "ManagedDevices", replacing ManagedDevices with the name of the OU to delegate permission to.
Secondly, we need to find out which users or groups have extended rights over the OU that your computer objects are stored in. Any user or group that has extended rights displayed here will be allowed to read the password value of ms-Mcs-AdmPwd.
- Type Find-AdmPwdExtendedRights -Identity "ManagedDevices", replacing ManagedDevices with the name of the OU your computer objects are stored in.
You can also grant specific users or groups access to read the local Administrator passwords by running the Set-AdmPwdReadPasswordPermission command.
- Type Set-AdmPwdReadPasswordPermission -OrgUnit "ManagedDevices" -AllowedPrincipals "DeathStarAdmins", replacing the OU name and the user or group name with your own.
If you check the extended rights again with the Find-AdmPwdExtendedRights command you can now see that DeathStarAdmins is listed.
You need to set these permissions for every OU that contains computer objects in Active Directory which you would like LAPS to manage.
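The permission steps above, scripted for several OUs at once and followed by an audit of who can read the passwords. This is an added example, not part of the original tutorial; the OU names and the DeathStarAdmins group are placeholders, and Set-AdmPwdResetPasswordPermission is a real AdmPwd.PS cmdlet that the tutorial itself does not cover.

```powershell
# Added example: delegate LAPS permissions for every managed OU, then audit
# which principals hold the extended rights that allow reading ms-Mcs-AdmPwd.
Import-Module AdmPwd.PS

# Assumptions: placeholder OU names and reader group; replace with your own.
$ManagedOUs  = @('ManagedDevices', 'Servers')
$ReaderGroup = 'DeathStarAdmins'

foreach ($ou in $ManagedOUs) {
    # SELF write access so each client can store its password and expiry time
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

    # Allow the admin group to read the password ...
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $ReaderGroup | Out-Null
    # ... and to force a reset by expiring it early
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $ReaderGroup | Out-Null

    # Audit: every principal listed here can read the clear-text password.
    # Review this list regularly; anything unexpected is a finding.
    Write-Host "Principals with extended rights over OU '$ou':"
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object -ExpandProperty ExtendedRightHolders |
        ForEach-Object { Write-Host "  $_" }
}
```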
5# Configure a LAPS Group Policy Object
We now need to configure a LAPS Group Policy Object which will be pushed out to all our clients, defining the LAPS configuration.
- Open Group Policy Management, then right click Group Policy Objects and select New GPO.
- Name this new Group Policy Object something memorable like Laps Policy and click OK.
- Right click your new GPO and click Edit.
- The LAPS policies are found under Computer Configuration –> Policies –> Administrative Templates –> LAPS.
The LAPS Group Policy Object gives you 4 settings you can enable:
- Password Settings – This allows you to set the password complexity, password length and password age, which is how long the password is kept before it is reset.
- Name of Administrator Account to Manage – Enable this setting if you are using a custom local administrator account. Do not enable it if you are using the default local Administrator account, as this is auto-detected by its well-known SID, even when renamed.
- Do not allow password expiration time longer than required by policy – Enable this setting so that any password expiration time set on a client that is longer than the age in your password policy is overridden and the password is reset as the policy requires.
- Enable Local Admin Password Management – This is the on/off switch for local password management in LAPS.
6# Deploy Microsoft LAPS to the Client PCs
Deploying LAPS to the clients is a very straightforward process; however, as we are already in the Laps Policy Group Policy Object, we might as well just add the software installation to this policy. I will document some other options for client deployment at the end of the tutorial.
- Create a share on a server which is accessible by all the clients you want to manage with LAPS. Copy LAPS.x64.msi and/or LAPS.x86.msi to this folder.
- In the Laps Policy GPO we just created, right click Software Installation and select New –> Package, then navigate to the network share that contains the LAPS MSI files.
- Link the policy to every Organisational Unit (OU) that contains the computer objects you want to manage with LAPS.
7# Silent Install
If you don't want to use Group Policy to roll LAPS out to the clients, you can use these commands directly from the command line or in a logon script.
- msiexec /q /i <file location>\LAPS.x64.msi – Deploys LAPS to 64-bit clients.
- msiexec /q /i <file location>\LAPS.x86.msi – Deploys LAPS to 32-bit clients.
You can also have a custom local administrator account managed during setup by adding the CUSTOMADMINNAME property to the command above:
- msiexec /q /i <file location>\LAPS.x64.msi CUSTOMADMINNAME=SecurityTutorialsAdmin
8# Update Group Policy on the Client
Waiting for Group Policy on the client to update can be a right pain. However, we can speed up the whole process by running gpupdate /force from the client's command prompt.
- Once the computer Group Policy updates successfully you will get a message saying you need to reboot. Type Y and hit Enter and the client will reboot.
- If everything has installed correctly you should see Local Administrator Password Solution installed on the client.
9# Checking the Local Administrator Password
The local Administrator password should now be showing in the properties of the client's computer object in Active Directory under the attribute ms-Mcs-AdmPwd.
- Right click the computer object –> Properties –> Attribute Editor. Find the ms-Mcs-AdmPwd attribute. This value is the local Administrator password for that client.
- You can also check the LAPS password with PowerShell by importing the AdmPwd.PS module, then running Get-AdmPwdPassword -ComputerName followed by the name of the client device.
- If you installed the LAPS UI at the beginning, you should also be able to check the passwords in the LAPS UI program found in your Start menu.
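Beyond checking a single machine, it is worth auditing the whole managed OU for computers that have never written a LAPS password or whose password has expired (the usual sign that the client-side extension is missing or failing). This is an added example, not part of the original tutorial; the OU distinguished name is a placeholder. It reads only the expiration attribute, so it works for accounts that cannot see ms-Mcs-AdmPwd.

```powershell
# Added example: report LAPS password health for every computer in a managed OU.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Assumption: placeholder OU distinguished name; replace with your own.
$SearchBase = 'OU=ManagedDevices,DC=example,DC=local'

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # No expiration stamp: the client has never stored a LAPS password
        [pscustomobject]@{ Computer = $c.Name; Status = 'NoPassword'; Expires = $null }
    } else {
        # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01, UTC)
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        $status  = if ($expires -lt (Get-Date).ToUniversalTime()) { 'Expired' } else { 'Current' }
        [pscustomobject]@{ Computer = $c.Name; Status = $status; Expires = $expires }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Force a rotation for anything that is not current. This only moves the
# expiration time; the client changes the password at its next Group Policy refresh.
$report | Where-Object Status -ne 'Current' |
    ForEach-Object { Reset-AdmPwdPassword -ComputerName $_.Computer }
```

A computer that stays in NoPassword after a gpupdate /force has not received the client-side extension; check the Admpwd.dll presence described at the end of this tutorial.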
10# Final Thoughts
Let me know in the comments below, what your experience is with installing LAPS in your environment!!
- Shows a password expiry time but no password: reset the local admin password manually.
- Default LAPS username: LAPS uses the default Administrator's well-known SID (RID 500) to identify the account, so it will still recognise the account if it is renamed.
- LAPS password not working: check step 8# and run gpupdate on the client.
- How often does LAPS change the password: step 5# covers the Group Policy setting for how often the password changes.
- Identifying if LAPS is installed: use the command below to check for the presence of Admpwd.dll.
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'