In this post we will go through deploying and configuring Microsoft LAPS (Local Administrator Password Solution). LAPS automates changing the password of the local administrator account on every computer in the domain.
Installing LAPS requires a management server or workstation; in this post I will be installing it on my domain controller.
Supported operating systems:
• Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Vista
Active Directory (requires an AD schema extension):
• Windows 2003 SP1 or later
Managed machines:
• Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later
Note: Itanium-based machines are not supported.
Management tools:
• .NET Framework 4.0
• PowerShell 2.0 or later
The first step is to download the LAPS install files:
https://www.microsoft.com/en-us/download/details.aspx?id=46899
Next, install the full deployment of LAPS on the designated management server or workstation:
Run the LAPS installer for your operating system version.
Install the full management tools.
After the management tools have been installed, the next step is to extend the AD schema.
The LAPS PowerShell module is called AdmPwd.PS.
To update the schema, first import the LAPS module and then run:
Update-AdmPwdADSchema
The last step is to delegate rights to the computer objects so that each computer can write to its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime AD attributes:
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=Domain,DC=local"
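The schema extension and the self-permission delegation above, with a verification step after each, as an added PowerShell example that is not part of the original post. It assumes the AdmPwd.PS and ActiveDirectory (RSAT) modules are installed on the management server, the session runs with Schema Admin and Domain Admin rights, and the $TargetOU value is replaced with your own OU.

```powershell
# Added example, not from the original post: extend the LAPS schema, delegate the
# computer SELF permission, then verify both steps from the management server.
# Assumptions: AdmPwd.PS and the ActiveDirectory RSAT module are installed, the
# session runs as Schema Admin + Domain Admin, and $TargetOU is your own OU.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$TargetOU = "OU=Computers,DC=Domain,DC=local"   # assumption: replace with your OU

# 1. Extend the schema (one-off; adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime)
Update-AdmPwdADSchema

# 2. Verify that both attributes now exist in the schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)"
    if (-not $found) { throw "Schema attribute $attr not found; schema extension failed" }
    Write-Output "Schema attribute present: $attr"
}

# 3. Let each computer in the OU write its own password and expiration time
Set-AdmPwdComputerSelfPermission -OrgUnit $TargetOU

# 4. Confirm the OU ACL now carries WriteProperty entries for NT AUTHORITY\SELF
#    (the ObjectType GUID on each such ACE is the schemaIDGUID of one attribute)
$selfAces = @((Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $_.ActiveDirectoryRights -match 'WriteProperty'
})
if ($selfAces.Count -eq 0) { throw "No SELF write ACE found on $TargetOU; delegation failed" }
Write-Output "SELF write ACEs on ${TargetOU}: $($selfAces.Count)"

# 5. Report every principal that already holds extended rights on the OU: those
#    identities can read the stored password, so review them before going live
Find-AdmPwdExtendedRights -Identity $TargetOU |
    Select-Object ObjectDN, ExtendedRightHolders
```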
In the next post we will go through delegating access to specific users so that they can read the ms-Mcs-AdmPwd attribute, and deploying the LAPS client through SCCM, script and GPO.