LAPS (Local Administrator Password Solution) is a tool that gives administrators a way to periodically change the local administrator password on each machine, generating a unique, random password per machine and storing it securely in Active Directory.
When installing the MSI, make sure you target the correct user collection. If you want LAPS to be available to all user accounts on the machine, deploy it to everyone. If you only want it available to the single user performing the installation, select Just Me.
1. Go to https://www.microsoft.com/en-us/download/details.aspx?id=46899 and download the x64 MSI of LAPS.
2. On the DC, install the MSI with all the options selected.
3. On the machines you want this feature applied to (Staff and Student machines), install the MSI via ConfigMgr:
msiexec /i lapsx64.msi /quiet
4. Verify that LAPS has been installed on both the DC and the client device.
5. We now need to extend the Active Directory schema. This can be done from PowerShell.
Open an elevated PowerShell prompt and type the following:
Set-ExecutionPolicy Bypass -Force
6. Open Active Directory Users and Computers and decide which OU you want to target; in my case I am targeting the Domain Computers OU. Any system inside this OU will receive the LAPS permissions.
Set-AdmPwdComputerSelfPermission -OrgUnit 'Domain Computers'
7. To verify that the above command was successful, run:
Find-AdmPwdExtendedRight -Identity 'Domain Computers'
8. To grant read-password permission, use the following command to add a security group. In my case I created a security group in AD called HelpdeskSupport; add the users you intend to allow access to this group.
Set-AdmPwdReadPasswordPermission -OrgUnit 'Domain Computers' -AllowedPrincipals DEV.Network\HelpDeskSupport
9. Time to create the GPO.
9.1 First install the MSI on the DC and grab AdmPwd.admx (C:\Windows\PolicyDefinitions) and AdmPwd.adml (C:\Windows\PolicyDefinitions\en-US).
9.2 Copy these two files to the corresponding folders inside the Central Store.
9.3 Open Group Policy Management and create a new GPO in the OU you used above (again, Domain Computers in my case). I called it Laps_Policy; the name can be anything you like.
10. Edit the GPO and navigate to Computer Configuration > Policies > Administrative Templates > LAPS
11. Select Enable local admin password management and set it to Enabled.
12. Select Password Settings and set up your password parameters.
13. Select Do not allow password expiration time longer than required by policy and set it to Enabled.
14. Go back to your test client machine, and update Group Policy. Restart if you need to.
15. Back on the DC, return to PowerShell and run the following command. It should now show you the randomly generated password:
Get-AdmPwdPassword -ComputerName hostname
16. On a HelpdeskSupport machine you can also install the LAPS client and generate the password from there as well. This would be the primary way you would generate the password.
17. Finally, you can also view it in AD by navigating to the computer object, opening its properties and going to the Attribute Editor.
Look for an attribute called ms-Mcs-AdmPwd; its value is the local admin password as well.
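Steps 6 to 8 set the permissions and step 13 bounds the expiry; the script below is an added example (not from the original post) that audits both from the DC: it lists every principal holding the read-password right on the OU and flags computers whose ms-Mcs-AdmPwdExpirationTime is missing, overdue or longer than policy allows. It assumes the AdmPwd.PS and ActiveDirectory modules are installed, and $OrgUnit, $Expected and $MaxAgeDays are assumptions to change for your environment.

```powershell
# Added example, not from the original post: audit a LAPS deployment from the DC.
# Assumes the AdmPwd.PS module (installed with the LAPS MSI management tools) and the
# ActiveDirectory RSAT module. $OrgUnit, $Expected and $MaxAgeDays are assumptions
# that must match your OU, your helpdesk group and the password age set in the GPO.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit    = 'Domain Computers'                 # OU used in the steps above
$Expected   = @('DEV.Network\HelpDeskSupport')   # principals allowed to read passwords
$MaxAgeDays = 30                                 # "Password age" configured in the GPO

# 1. Every principal holding the extended right can read ms-Mcs-AdmPwd in clear text,
#    so any holder not on the expected list is a finding worth investigating.
Find-AdmPwdExtendedRight -Identity $OrgUnit | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        if ($Expected -notcontains $holder) {
            Write-Warning "Unexpected read-password holder on $($_.ObjectDN): $holder"
        }
    }
}

# 2. ms-Mcs-AdmPwdExpirationTime is a FILETIME (100 ns ticks since 1601-01-01 UTC).
#    Unlike ms-Mcs-AdmPwd it is not confidential, so this check needs no password right.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OrgUnit'" | Select-Object -First 1
if (-not $ou) { throw "OU '$OrgUnit' not found" }

$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $ou.DistinguishedName -Filter * `
    -Properties 'ms-Mcs-AdmPwdExpirationTime' | ForEach-Object {
    $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # Attribute never written: the client MSI or the GPO has not reached this machine.
        [pscustomobject]@{ Computer = $_.Name; Status = 'NotManaged'; Expires = $null }
        return
    }
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    $status = if ($expires -lt $now) {
        'Overdue'        # client did not rotate at expiry (offline, GPO not applied, ...)
    } elseif ($expires -gt $now.AddDays($MaxAgeDays)) {
        'ExceedsPolicy'  # expiry set further out than the GPO allows; step 13 should reset it
    } else {
        'OK'
    }
    [pscustomobject]@{ Computer = $_.Name; Status = $status; Expires = $expires }
} | Sort-Object Status | Format-Table -AutoSize
```

Run it as a user who can read the OU's security descriptor and computer attributes; no read-password permission is needed, which is exactly why the expiry check can run from a low-privilege monitoring account.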
The password parameters are as follows:
So what happens if you try to run the LAPS UI on an unauthorised machine?
To test this I created a VM and logged in as a local user. This machine was also not on a domain. These are the results when trying to generate the local admin password of a domain machine.
Notice the error at the bottom.
Now let's join this test machine to the domain, log in as a simulated 'student account' and try again.
Even though this machine is on the domain, you still do not have any permission to read the data from AD needed to generate the local password.
So in a malicious sense, from what I know so far, you cannot be malicious with the software if a student were to install it on their machine.
So, to give a user permission to generate the local admin password, go to the user in AD, select the Member Of tab and add HelpdeskSupport.
In the steps above we created a security group called HelpdeskSupport. If we assign this security group to the user we were testing with, we should now have permission to generate the local admin password.
First we will need to log out and back in again with the test user account.
Open the LAPS UI again and try to generate the local admin password. As you can see here, we were successfully able to generate the password.