Setting Up LAPS on a Domain Controller:

Download:

You can download LAPS from here.

Installation:

Begin by installing LAPS on a domain controller along with the management tools.

AD Schema Extension:

To extend the AD schema, execute the following PowerShell commands on the domain controller:

# Load the LAPS PowerShell module installed with the management tools
Import-Module AdmPwd.PS
# Add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class
Update-AdmPwdADSchema

ADMX:

To manage the LAPS ADMX template centrally from the SYSVOL central store, follow these steps:

  • Copy AdmPwd.admx from C:\Windows\PolicyDefinitions to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions.
  • Copy AdmPwd.adml from C:\Windows\PolicyDefinitions\en-US to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions\en-us.

Configuration:

GPO:

Create a Group Policy Object (GPO) for LAPS with the following settings:

  • Computer Configuration / Policies / Administrative Templates / LAPS:
    • Enable local admin password management.
    • Password Settings.

Delegating Computers:

To allow computers to update the administrator password in AD, follow these steps:

  • Identify the LDAP name of the OU where the computers to be managed are located.

Execute the following commands:

Import-Module AdmPwd.PS
# Grant the computer accounts in the OU (SELF) the right to write their own LAPS attributes
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan"

Technical Support:

On the support technicians' workstations, LAPS must be installed together with the management tools.

Reading Password:

Import-Module AdmPwd.PS
# Allow the named groups to read the stored passwords of computers in the OU
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "SupportN2"

Resetting Password:

Import-Module AdmPwd.PS
# Allow the named group to force a password reset (by writing the expiration time) for computers in the OU
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"

On Client Computers:

Prerequisites:

On all client computers:

  • Install LAPS.x64.msi with default options. This can be accomplished using a Group Policy Object (GPO), for example.

Applying the GPO:

Once the GPO is applied, each client computer backs up its local administrator password to AD.
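To check that the setup described above actually took effect, here is an added verification script that is not part of the original post. It assumes the AdmPwd.PS and ActiveDirectory modules are available on the management workstation, that the account running it has been granted read permission as shown above, and it uses the OU from the examples.

```powershell
# Added verification script (not from the original post). Assumes the AdmPwd.PS
# and ActiveDirectory modules are installed; the OU below is the one used in the post.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = "OU=Ordinateurs,DC=leblogosd,DC=lan"

# 1. Confirm the schema extension created the two LAPS attributes.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime") {
    $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -ErrorAction SilentlyContinue
    if ($found) { "Schema attribute present: $attr" } else { Write-Warning "Schema attribute missing: $attr" }
}

# 2. List every principal holding 'All extended rights' on the OU or its children.
# Such principals can read ms-Mcs-AdmPwd even if they were never granted it explicitly,
# so this list should contain only the groups you intend (Domain admins, SupportN2).
Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) { "{0} : {1}" -f $_.ObjectDN, $holder }
}

# 3. For each computer in the OU, report whether a password has been backed up and when it expires.
# The password itself is read but deliberately not displayed.
Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
    $pw = Get-AdmPwdPassword -ComputerName $_.Name
    [pscustomobject]@{
        Computer = $_.Name
        BackedUp = [bool]$pw.Password
        Expires  = $pw.ExpirationTimestamp
    }
} | Format-Table -AutoSize
```

A computer that shows BackedUp = False after the GPO has refreshed usually means the client has not installed the LAPS CSE or the SELF permission on the OU was not applied.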
