Manage LAPS Configuration Using MSI with Windows Security Administration

Step-by-step guide to Manage LAPS Configuration Using MSI with Windows Security Administration, including configuration, deployment, troubleshooting and

Manage LAPS Configuration Overview

Download:

You can download LAPS from here.

Installation:

Begin by installing LAPS on a domain controller along with the management tools.

AD Schema Extension:

To extend the AD schema, execute the following PowerShell commands on the domain controller:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

ADMX:

To manage your ADMX centrally, follow these steps:

  • Copy AdmPwd.admx from C:\Windows\PolicyDefinitions to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions.
  • Copy AdmPwd.adml from C:\Windows\PolicyDefinitions\en-US to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions\en-us.

GPO:

Create a Group Policy Object (GPO) for LAPS with the following settings:

  • Computer Configuration / Policies / Administrative Templates / LAPS:
    • Enable local admin password management.
    • Password Settings.

Delegating Computers:

To allow computers to update the administrator password in AD, follow these steps:

  • Identify the LDAP name of the OU where the computers to be managed are located.

Execute the following commands:

Import-Module AdmPwd.PS
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan"

Support staff will need LAPS installed with the management tools.

Reading Password:

Import-Module AdmPwd.PS
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "SupportN2"

Resetting Password:

Import-Module AdmPwd.PS
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"

Prerequisites:

On all client computers:

  • Install LAPS.x64.msi with default options. This can be accomplished using a Group Policy Object (GPO), for example.

Applying the GPO:

Once the GPO is applied, each computer backs up its local administrator password to AD.
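
To confirm that the delegation and the backup described above took effect, the following check is an added example, not part of the original guide. It assumes the ActiveDirectory (RSAT) module is available alongside AdmPwd.PS, and the allow-list of expected readers is an assumption to adjust for your environment.

```powershell
# Added example, not from the original guide. Requires the AdmPwd.PS and
# ActiveDirectory (RSAT) modules; run from a management workstation.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit = 'OU=Ordinateurs,DC=leblogosd,DC=lan'   # OU used throughout this guide

# Principals expected to read LAPS passwords: the two groups delegated above,
# plus SYSTEM (assumption: adjust to your environment).
$Expected = 'Domain Admins', 'SupportN2', 'SYSTEM'

# 1. Who holds extended rights on the OU (and can therefore read ms-Mcs-AdmPwd)?
$unexpected = Find-AdmPwdExtendedRights -Identity $OrgUnit |
    ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            # Holders are returned as DOMAIN\name; compare on the name part.
            $name = ($holder -split '\\')[-1]
            if ($Expected -notcontains $name) {
                [pscustomobject]@{ ObjectDN = $_.ObjectDN; Holder = $holder }
            }
        }
    }

# 2. Which computers have no stored password expiry, or an expired one?
$now = (Get-Date).ToUniversalTime()
$stale = Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expiry = if ($raw) { [datetime]::FromFileTimeUtc($raw) } else { $null }
        if (-not $expiry -or $expiry -lt $now) {
            [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expiry }
        }
    }

"Unexpected password readers: $(@($unexpected).Count)"
$unexpected | Format-Table -AutoSize
"Computers without a current LAPS password: $(@($stale).Count)"
$stale | Format-Table -AutoSize
```

A computer listed in the second table has either not yet applied the GPO and MSI or has been offline past its password expiry; an entry in the first table is a principal that can read stored passwords without having been delegated in this guide.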