Manage LAPS Configuration Using MSI

Published by david on

Setting Up LAPS on a Domain Controller:

Download:

You can download LAPS from here.

Installation:

Begin by installing LAPS on a domain controller along with the management tools.

AD Schema Extension:

To extend the AD schema, execute the following PowerShell commands on the domain controller:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

ADMX:

To manage your ADMX centrally, follow these steps:

  • Copy AdmPwd.admx from C:\Windows\PolicyDefinitions to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions.
  • Copy AdmPwd.adml from C:\Windows\PolicyDefinitions\en-US to C:\Windows\SYSVOL\sysvol\leblogosd.lan\Policies\PolicyDefinitions\en-us.

Configuration:

GPO:

Create a Group Policy Object (GPO) for LAPS with the following settings:

  • Computer Configuration / Policies / Administrative Templates / LAPS:
    • Enable local admin password management.
  • Computer Configuration / Policies / Administrative Templates / LAPS:
    • Password Settings.

Delegating Computers:

To allow computers to update the administrator password in AD, follow these steps:

  • Identify the LDAP name of the OU where the computers to be managed are located.

Execute the following commands:

Import-Module AdmPwd.PS
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan"

Technical Support:

For support, LAPS with the management tools will need to be installed.

Reading Password:

Import-Module AdmPwd.PS
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "SupportN2"

Resetting Password:

Import-Module AdmPwd.PS
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Ordinateurs,DC=leblogosd,DC=lan" -AllowedPrincipals "Domain admins"

On Client Computers:

Prerequisites:

On all client computers:

  • Install LAPS.x64.msi with default options. This can be accomplished using a Group Policy Object (GPO), for example.

Applying the GPO:

Once the GPO is applied, the administrator password backup will be performed in AD.

Categories: ADDSLAPS
Tags:

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

ADDS

How to Delegate Rights to Allow a User Account to Join Computers to the Domain

Learn how to delegate rights to allow a user account to join computers to the domain. Follow this step-by-step guide to configure Active Directory delegation for seamless integration with MDT, LANDesk, KACE, or SCCM.

ADDS

How to Allow Users to Install Printer Drivers via Group Policy

Learn how to configure a Group Policy to allow users to install drivers for network and USB printers without needing administrative rights. This guide includes the necessary GUIDs and steps to create the policy.

ADDS

Identifying Applied GPOs on a Computer

Learn how to identify applied GPOs on a computer using essential command-line tools. This guide covers Gpupdate, Gpresult, and RSOP.msc to troubleshoot and verify Group Policy applications.