I would like to help you setting up LAPS in your environment – just follow this simple guide how to do it and say “bye bye” to not-secure fixed local administrators passwords.
First you need to download x64 (and if you need x86) LAPS from Microsoft website:
Download LAPS.x64.msi on your Active Directory domain controller and install it – add also Management Tools that are not selected by default:
After installing it open Powershell on your DC, import Powershell module for LAPS, update AD Schema for LAPS (you need to be schema admin!), define OU where computers / servers that will be under LAPS management are, define user or group that will have privilege to read and reset password for client or server:
Set-AdmPwdComputerSelfPermission -OrgUnit Clients
Set-AdmPwdResetPasswordPermission -Identity Clients -AllowedPrincipals “demo\domain admins”
Set-AdmPwdReadPasswordPermission -Identity Clients -AllowedPrincipals “demo\domain admins”
Create group policy object on clients / servers OU (in my case with name LAPS) in which you will configure settings and deploy client on machines (yes, the MSI package that was installed on DC needs to be installed on workstations and servers too – the simplest way to do it is by using software deployment in group policy.
Reboot your clients or use gpupdate /force to apply group policy settings and installation of the package.
If everything was installed and applied correctly you should see the installed package in programs on client workstation or server:
On your AD server you can now check password by using Powershell or by using LAPS GUI:
Get-AdmPwdPassword -ComputerName w10 -Verbose
LAPS is great, simple and adds some more security in your environment.
Thanks Luka, awesome tutorial!
Straight to the point and complete. Solid work.