0
0
Windows Local Administrator Password Solution (LAPS) is a powerful tool that enhances security by automatically managing and rotating local administrator passwords for domain-joined devices. This guide will walk you through the process of implementing Windows LAPS in your environment.
Step 1: Understand the Requirements
Before starting, ensure the following prerequisites are met:
- Active Directory (AD) or Azure Active Directory (AAD) is set up.
- Devices are domain-joined and running Windows 10/11 or Windows Server 2019/2022.
- Administrative privileges to modify AD schema and Group Policy Objects (GPOs).
- Latest Windows updates are installed (April 2023 or later).
Step 2: Extend the Active Directory Schema
To store passwords in AD, the schema must be extended:
- Open a PowerShell session with administrative privileges.
- Run the following command to update the schema:
Update-LapsADSchema - Verify the schema update by checking the new attributes in AD (e.g.,
ms-Mcs-AdmPwd).
Step 3: Configure Permissions in Active Directory
Grant devices the necessary permissions to update their passwords:
- Open Active Directory Users and Computers (ADUC).
- Navigate to the Organizational Unit (OU) containing the devices.
- Right-click the OU, select Properties, and go to the Security tab.
- Add the SELF principal and grant it the following permissions:
- Write
ms-Mcs-AdmPwd. - Write
ms-Mcs-AdmPwdExpirationTime.
- Write
Step 4: Deploy Windows LAPS via Group Policy
Open the Group Policy Management Console (GPMC).
Create a new GPO or edit an existing one.
Navigate to Computer Configuration > Administrative Templates > System > LAPS.
Configure the following settings:
- Enable Local Administrator Password Management: Set to Enabled.
- Password Settings: Define password complexity and expiration policies.
- Backup Directory: Choose between AD or AAD for password storage.
Step 5: Deploy Windows LAPS to Devices
- Ensure the LAPS feature is enabled on all devices:
- For Windows 10/11, verify that the April 2023 update is installed.
- For older systems, install the LAPS client manually.
- Use tools like SCCM or Intune to deploy the GPO to target devices.
Step 6: Test the Configuration
- Force a Group Policy update on a test device:cmd
gpupdate /force - Verify that the local administrator password is updated and stored in AD:
- Open ADUC, locate the device, and check the
ms-Mcs-AdmPwdattribute.
- Open ADUC, locate the device, and check the
Step 7: Retrieve and Use Passwords
- To retrieve a password, use the following PowerShell command:powershell
Get-AdmPwdPassword -ComputerName <DeviceName> - Ensure only authorized personnel have access to the passwords.
Step 8: Monitor and Troubleshoot
- Use Event Viewer to monitor LAPS-related logs under Applications and Services Logs > Microsoft > Windows > LAPS.
- Address any issues, such as permission errors or policy misconfigurations.
By following these steps, you can successfully implement Windows LAPS to enhance the security of your IT environment. Regularly review and update your policies to ensure continued compliance and effectiveness.
