Microsoft LAPS
Local Admin Password Solution
Download LAPS
LAPS comes as an MSI file, which you'll need to download and install onto a client machine. You can download it from Microsoft.
Install it with all features selected.
LAPS needs to add two attributes to Active Directory, the administrator password and the expiration time. Changing the schema requires the LAPS PowerShell component to be installed. When done, launch PowerShell and run the commands:
Import-module AdmPwd.PS
Update-AdmPwdADSchema
You need to run these commands while logged in to the network as a schema admin.
Pay very careful attention to this hint:
Do NOT assign these policies to your Active Directory DC OU or groups, because doing so changes the domain administrator password.
Once installed, you should see a LAPS section in GPMC under Computer configuration -> Policies -> Administrative Templates -> LAPS
The four options are as follows:
Password settings - This lets you set the complexity of the password and how often it is required to be changed.
Name of administrator account to manage - This is only required if you rename the administrator to something else. If you do not rename the local administrator, then leave it as "not configured."
Do not allow password expiration time longer than required by policy - On some occasions (e.g. if the machine is remote), the device may not be on the network when the password expiration time is up. In those cases, LAPS will wait to change the password. If you set this to FALSE, then the password will be changed regardless of whether it can talk to AD or not.
Enable local password management - Turns on the group policy (GPO) and allows the computer to push the password into Active Directory.
The only option that needs to be altered from "not configured" is "Enable local admin password management," which enables the LAPS policy. Without this setting, you can deploy a LAPS GPO to a client machine and it will not work.
On the LAPS client, you should do the following:
Copy "C:\Program Files\LAPS\CSE\AdmPwd.dll" to "%windir%\system32"
Run regsvr32.exe AdmPwd.dll
After that, run gpupdate /force
Restart the system
Run the LAPS UI as Administrator
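The client steps above as one PowerShell script with checks. This is an added example, not Microsoft's or this page's own code. It refuses to run on a domain controller and confirms that the "Enable local admin password management" setting actually reached the machine. It assumes the registry location and value name that the LAPS policy writes to (HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, AdmPwdEnabled), which this page does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: client-side LAPS CSE setup with verification.
$ErrorActionPreference = 'Stop'

$source = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'        # path given on this page
$target = Join-Path $env:windir 'System32\AdmPwd.dll'
# Assumption: registry key where the LAPS GPO settings are written on the client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
# Stop on a DC, in line with the warning about not applying LAPS to domain controllers.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
if ($productType -eq 2) {
    throw 'This machine is a domain controller; do not set up the LAPS client here.'
}

if (-not (Test-Path -LiteralPath $source)) {
    throw "CSE DLL not found at $source. Is LAPS installed on this client?"
}

# Copy the client-side extension into System32 and register it silently.
Copy-Item -LiteralPath $source -Destination $target -Force
$reg = Start-Process -FilePath "$env:windir\System32\regsvr32.exe" `
    -ArgumentList '/s', "`"$target`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) {
    throw "regsvr32 failed with exit code $($reg.ExitCode)."
}

# Refresh Group Policy so the LAPS settings are pulled down.
& "$env:windir\System32\gpupdate.exe" /force

# Check that the enabling setting arrived; without it the CSE does nothing.
$enabled = (Get-ItemProperty -Path $policyKey -Name AdmPwdEnabled `
    -ErrorAction SilentlyContinue).AdmPwdEnabled
if ($enabled -eq 1) {
    Write-Output 'LAPS policy is enabled on this client. Restart the system to finish.'
} else {
    Write-Warning ('AdmPwdEnabled is not 1: the LAPS GPO is not linked to this ' +
        'computer or "Enable local admin password management" is not enabled.')
}
```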