Group Policy
This post is the second part of a two-part series on configuring and deploying the
Microsoft Local Administrator Password Solution (LAPS). The first post covered the
steps needed to configure Active Directory to support LAPS. That post can be found
here. This post covers the steps needed to enable the LAPS functionality on devices:
packaging the LAPS installer as a Configuration Manager application, adding the LAPS
administrative templates to the group policy central store, creating and linking the
group policy object, and looking up a managed password in Active Directory.
1. Download the LAPS installer (this example covers creating an application to deploy
the 64-bit install, LAPS.x64.msi; a separate LAPS.x86.msi exists for 32-bit devices)
   1. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
2. Copy the MSI to the network share that acts as the Configuration Manager source
directory
3. Open the Configuration Manager admin console and navigate to Software
Library > Application Management > Applications
4. Right click on Applications and select Create Application
5. On the Create Application Wizard window, click the Browse button to select the
MSI file that was just copied to the network share, then click Next
6. On the Import Information screen, click Next
7. On the General Information screen
   a. Optionally, change the name of the application
   b. Verify the installation program command line looks like this:
      msiexec /i "LAPS.x64.msi" /qn /norestart
   c. In the Install Behavior drop down menu, ensure Install for System is selected
(the LAPS client-side extension is a machine-wide component and must not be installed
per user)
8. On the Summary screen, click Next
9. On the Completion screen, click Close
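The wizard fills in a detection method based on the MSI product code. As an added example (not part of the original post), the following PowerShell script can be used instead as a custom detection method for the application: it checks that the LAPS client-side extension DLL is present and that the extension is registered with Winlogon, which is what actually has to be true before the group policy settings described later can take effect. The install path is the one the LAPS MSI uses; the CSE GUID is the one the LAPS extension registers and should be confirmed on a machine where the MSI has been installed; the minimum version is an assumed value.

```powershell
# Added example: ConfigMgr custom detection script for the LAPS client-side extension (CSE).
# Configuration Manager treats exit code 0 with data on STDOUT as "installed" and
# exit code 0 with no output as "not installed"; any other exit code is an error.

$cseDll  = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'   # install location used by LAPS.x64.msi
$cseGuid = '{D76B9641-3288-4f75-942D-087DE603E3EA}'           # GUID the LAPS CSE registers; confirm on a test machine
$cseKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$cseGuid"
$minimumVersion = [Version]'6.2.0.0'                          # assumed minimum build; set it to the MSI you deployed

# DLL missing: not installed (no output)
if (-not (Test-Path -LiteralPath $cseDll)) { exit 0 }

# Older build present: report "not installed" so the deployment upgrades it
$fileVersion = [Version](Get-Item -LiteralPath $cseDll).VersionInfo.FileVersion
if ($fileVersion -lt $minimumVersion) { exit 0 }

# CSE not registered with Winlogon: the LAPS GPO would never be processed on this device
if (-not (Test-Path -LiteralPath $cseKey)) { exit 0 }

# All checks passed: write to STDOUT so ConfigMgr records the application as installed
Write-Output "LAPS CSE $fileVersion installed and registered as $cseGuid"
exit 0
```

The registration check matters more than the file check: a device with the DLL on disk but no GPExtensions entry will download the policy and silently never act on it, which shows up later as computers with no ms-Mcs-AdmPwd value.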
1. Log onto the computer where the LAPS management utilities were installed
   1. If the management utilities need to be re-installed, see the first section of the first part
of this series for instructions on doing so (LINK)
2. Open a File Explorer window and navigate to C:\Windows\PolicyDefinitions
3. Copy the AdmPwd.admx file found in the root of the directory and the AdmPwd.adml file
found in the en-US subdirectory
4. Paste the files into the group policy central store, keeping the same layout (AdmPwd.admx
in the root of PolicyDefinitions, AdmPwd.adml in its en-US subdirectory); the LAPS folder
will not appear in the Group Policy Management Editor until both files are in place
   a. The group policy central store is located at
\\domain.fqdn\SYSVOL\domain.fqdn\Policies\PolicyDefinitions
   b. If no group policy central store exists, see this TechNet page for instructions on
creating one – https://support.microsoft.com/en-us/help/3087759/how-to-create-and-
manage-the-central-store-for-group-policy-administra
1. Open the Group Policy Management Console with an account that has rights to create
and link group policy objects in the domain
2. Right click on the Group Policy Objects folder and select New
3. Name the policy and click OK (in this example the policy is named LAPS)
4. Right click on the newly created policy and select Edit
5. In the Group Policy Management Editor window, expand Computer Configuration >
Policies > Administrative Templates > LAPS
6. There are 4 settings available
   a. Enable local admin password management – This setting is required for LAPS to
work. It tells the device to randomize its local administrator password and store the
result in Active Directory.
   b. Password Settings – This setting tells the device what complexity requirements the
random password should adhere to, how long the password should be, and how often the
password should change. If it is left Not Configured the client uses the template defaults
(large and small letters, numbers and specials, 14 characters, 30 days); configure it
explicitly so the values are visible and deliberate.
   c. Do not allow password expiration time longer than required by policy – This
setting is optional but recommended. If it is not enabled, the password expiration time
stored on a computer object can be set to a date further out than the password age in
Password Settings and the device will honour it, so a password could stay unchanged for
as long as someone with write access to that attribute chooses.
   d. Name of administrator account to manage – This setting is optional. By default,
LAPS manages the built-in local administrator account, which it locates by its well-known
SID (RID 500), so the setting is not needed if that account has merely been renamed. Enable
it only to manage a different, custom local administrator account; when it is set, the
built-in account is no longer managed.
7. Once the settings have been configured, close the Group Policy Management Editor
window
8. In the Group Policy Management Console, right click on the OU that the policy will be
applied to and select Link an Existing GPO
9. Select the group policy object that was just created and click OK. Devices in that OU
set a random password at their next Group Policy refresh; run gpupdate /force on a test
device to trigger it immediately.
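The template copy and the GPO steps above can be done from PowerShell, which is useful when the same GPO has to be built in several domains or checked for drift. The following is an added example and not part of the original post: it copies the two template files to the central store, creates the GPO, writes the four LAPS settings as the registry values the Administrative Templates UI would write, and links the GPO to an OU. The domain name is the post's placeholder; the OU distinguished name, password length and the commented-out custom account name are assumed values.

```powershell
# Added example (not from the original post): build the LAPS GPO with the GroupPolicy module.
Import-Module GroupPolicy

$domain   = 'domain.fqdn'                                   # placeholder from the post; replace with your domain
$targetOu = 'OU=Workstations,DC=domain,DC=fqdn'             # assumed OU whose computers LAPS should manage
$gpoName  = 'LAPS'

# 1. Templates: AdmPwd.admx sits in the root of PolicyDefinitions and AdmPwd.adml in en-US
#    on the machine where the LAPS management tools were installed.
$localDefs    = Join-Path $env:windir 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $centralStore)) {
    throw "No central store at $centralStore; create it first, then re-run"
}
New-Item -ItemType Directory -Path (Join-Path $centralStore 'en-US') -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $localDefs 'AdmPwd.admx')       -Destination $centralStore -Force
Copy-Item -LiteralPath (Join-Path $localDefs 'en-US\AdmPwd.adml') -Destination (Join-Path $centralStore 'en-US') -Force

# 2. Create the GPO, or reuse it if it already exists
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'LAPS client settings (AdmPwd CSE)'
}

# 3. The four LAPS settings map to registry values under this key; this is exactly
#    what the Administrative Templates UI writes to registry.pol when configured in GPMC.
$key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# Enable local admin password management (required)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null

# Password Settings: complexity 4 = large + small letters, numbers, specials; length; age in days
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null   # assumed
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# Do not allow password expiration time longer than required by policy (recommended)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null

# Name of administrator account to manage (optional). Leave unset to manage the built-in
# administrator, which LAPS finds by RID 500 even if renamed; set it only for a separate
# custom local admin account, in which case the built-in account is no longer managed.
# Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdminAccountName' -Type String -Value 'CustomAdmin'

# 4. Link the GPO to the OU (skip if a link already exists)
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 5. Show the resulting values so they can be compared with what GPMC displays under
#    Computer Configuration > Policies > Administrative Templates > LAPS
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
```

Because the settings are plain registry values, the same `Get-GPRegistryValue` call doubles as a drift check: run it on a schedule and alert if `AdmPwdEnabled` or `PwdExpirationProtectionEnabled` is no longer 1.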
Password Lookup in AD
4. Once the install has completed, open the Start menu and select the LAPS UI
application
5. In the window that appears, type the computer name of a device that has had its
password set by LAPS, then click Search. The UI reads the password and its expiration
time from the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes of the computer
object, so the account used must have been granted read access to those attributes;
if the password field comes back empty but an expiration time is shown, the account lacks
that permission rather than the device lacking a password.
6. The password for a given device can be reset by entering a new time in the
New expiration time box and then clicking the Set button. This does not change the
password immediately: it writes the new expiration time to the computer object, and
the device generates a new password at its next Group Policy refresh once that time
has passed. Entering the current time therefore forces a change at the next refresh
(or straight away after running gpupdate /force on the device).
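The LAPS UI is a thin front end over the AdmPwd.PS module that ships with the management tools. The following added example (not part of the original post) performs the same lookup and reset from PowerShell, reads the underlying attributes directly so the FILETIME conversion is visible, and lists who holds read rights on the passwords in an OU. It assumes the AdmPwd.PS and ActiveDirectory modules are installed on the management machine; the computer name and OU distinguished name are assumed values.

```powershell
# Added example (not from the original post): the LAPS UI's lookup and reset, done in PowerShell.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computerName = 'WS01'                                     # assumed device name
$auditOu      = 'OU=Workstations,DC=domain,DC=fqdn'        # assumed OU to audit

# 1. Same lookup the LAPS UI performs: current password and expiration time for one computer
$entry = Get-AdmPwdPassword -ComputerName $computerName
'{0}: password={1} expires={2}' -f $entry.ComputerName, $entry.Password, $entry.ExpirationTimestamp

# 2. The underlying attributes on the computer object. The expiration time is stored as a
#    Windows FILETIME (100-ns ticks since 1601-01-01 UTC), which is why the UI converts it.
$computer = Get-ADComputer -Identity $computerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expiresUtc = [DateTime]::FromFileTimeUtc([Int64]$computer.'ms-Mcs-AdmPwdExpirationTime')
$hasPassword = [bool]$computer.'ms-Mcs-AdmPwd'
"Raw attributes: expires (UTC) $expiresUtc; password readable by this account: $hasPassword"
# An empty ms-Mcs-AdmPwd alongside a populated expiration time almost always means the
# caller lacks read permission on the confidential attribute, not that no password was set.

# 3. Equivalent of typing a time in "New expiration time" and clicking Set. Only the
#    expiration attribute is written; the device rotates the password at its next Group
#    Policy refresh once that time has passed.
Reset-AdmPwdPassword -ComputerName $computerName -WhenEffective (Get-Date)
# To avoid waiting for the refresh interval, trigger it on the device (requires remoting):
# Invoke-Command -ComputerName $computerName -ScriptBlock { gpupdate /force /target:computer }

# 4. Audit which principals can read passwords in the OU. Anyone listed here can read the
#    local admin password of every computer beneath it, so the list should be short.
Find-AdmPwdExtendedRights -Identity $auditOu | Select-Object ObjectDN, ExtendedRightHolders
```

Reading the attributes directly with `Get-ADComputer` is also the quickest way to spot devices the GPO never reached: a computer object with neither attribute populated has not had the client-side extension run against it.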