LAPS: Part 2 Installation/Configuration

This is part two of a series about Microsoft LAPS. For part one, go here: LAPS: Part 1 – Introduction – (windowsmanagementexperts.com)

In this part, we will go over the installation and configuration of LAPS. We will extend the AD schema to support LAPS, then import the Group Policy ADMX file and go over the settings. Finally, we will register the required DLL on a client machine.

To start, install the LAPS MSI with these options:

[Screenshot: LAPS MSI installation options]

AD Schema

I recommend performing this operation from a domain controller.

The AD schema is extended via the LAPS PowerShell module. You must be a member of the Schema Admins group to extend the AD schema. First, open PowerShell and load the module:

[Screenshot: loading the LAPS PowerShell module]

Next, run the schema extension cmdlet. Make sure that you have schema manager installed (it’s part of the AD LDS tools and snap-ins).

[Screenshot: running the schema extension cmdlet]

Now you have the attributes required for LAPS.

GPO Template

If you have not done so, copy the ADMX and ADML files to the PolicyDefinitions folder for your domain. This will allow the GPOs to be modified from any machine with the GPO editor. You’re looking for the files AdmPwd.admx and AdmPwd.adml.
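The schema extension and template copy described above can be scripted and verified. This is an added example, not code from the original post: the module name AdmPwd.PS, the cmdlet Update-AdmPwdADSchema and the attribute names ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are those of the legacy LAPS tools; the local template path, the en-US language folder and an existing central store are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: run elevated on a domain controller where the LAPS MSI's
# management tools (PowerShell module, GPO Editor templates) are installed.
$ErrorActionPreference = 'Stop'

# 1. Schema Admins is RID 518 in the forest root domain; check the current token.
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$schemaAdminsSid = "$rootSid-518"
$token = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($token.Groups.Value -notcontains $schemaAdminsSid) {
    throw "Token lacks Schema Admins ($schemaAdminsSid). Add the account, then log on again."
}

# 2. Load the LAPS module and extend the schema.
Import-Module AdmPwd.PS
Update-AdmPwdADSchema

# 3. Verify that both LAPS attributes now exist in the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$expected = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$found = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd*)' `
            -Properties lDAPDisplayName | ForEach-Object lDAPDisplayName
$missing = $expected | Where-Object { $_ -notin $found }
if ($missing) { throw "Schema attributes missing: $($missing -join ', ')" }

# 4. Copy the GPO templates to the domain's central store (assumed to exist, en-US).
$dns     = (Get-ADDomain).DNSRoot
$central = "\\$dns\SYSVOL\$dns\Policies\PolicyDefinitions"
if (-not (Test-Path $central)) { throw "Central store not found: $central" }
$local = Join-Path $env:WINDIR 'PolicyDefinitions'   # assumed MSI install location
Copy-Item (Join-Path $local 'AdmPwd.admx') -Destination $central
Copy-Item (Join-Path $local 'en-US\AdmPwd.adml') -Destination (Join-Path $central 'en-US')
```

The script stops at the first failed step, so a missing group membership or a missing central store is reported before anything is changed or copied.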

Once imported, the GPO settings are at Computer Configuration > Administrative Templates > LAPS. There are four settings:

[Screenshot: the four LAPS GPO settings]

For LAPS to work, you need to configure “Password Settings”, “Do not allow password expiration time longer than required by policy”, and “Enable local admin password management”. The fourth setting, “Name of administrator account to manage”, is totally up to you. If you enable this setting, you can use an account different than the local administrator account. More on this later.

For the password settings policy, set it to your organization’s password policy. It should not be less secure than your default domain password policy. The “Password age in days” setting defines how often the password is changed.

The “Do not allow password expiration time longer than required by policy” setting should be enabled. Enabling this setting will keep passwords in line with your default domain policy.

Finally, you must enable “Enable local admin password management” for LAPS to take over password management.

“Name of administrator account to manage” Policy

One thing to consider when using this policy – if you simply rename the default administrator account and use that, do NOT configure this policy. The system detects this account based on the well-known administrator SID, not the name. If you rename the local administrator account, the SID does not change.

Enable LAPS on Clients

You have two options for the last step of enabling LAPS on clients. First, you can install the LAPS client MSI on each machine with the AdmPwd GPO Extension option. This creates an entry in Programs and Features that could allow a user with administrator rights to actually uninstall it. The second option is to install the AdmPwd GPO Extension on one computer, copy the “AdmPwd.dll” file to all machines, and register the dll. This file is installed with the client MSI and can be found in %ProgramFiles%\LAPS\CSE. I recommend this option. To register the dll, run this command:

regsvr32.exe AdmPwd.dll

Once the dll is registered, the GPO will take over and begin managing the password.
