In the last post we went through deploying the LAPS agent using a script, GPO or SCCM. The next step is to configure the GPO settings that apply the LAPS management policies.
First, we create a new GPO to apply the LAPS management policies. The LAPS policies are under Computer Configuration > Policies > Administrative Templates > LAPS (if this node doesn't show, the ADMX template is probably missing and will need to be installed; this can be done using the LAPS installer).
The Password settings policy is used to set the password complexity, length and age.
Specify the account that the password policy will apply to; if this is the default administrator account, this setting should be left at its default.
Enable management of the local admin account.
Once the policy is configured, apply it to the required OU.
To confirm that all settings are working, run gpupdate on a test device. Once the policy has applied, we can check the password in a few different ways.
The first way is to run the PowerShell command:
The second way is to use the LAPS UI; this can be used either from the management server or installed on a local computer using the LAPS installer and selecting the LAPS management tools.
The third method is to check the AD computer attribute ms-Mcs-AdmPwd:
The last step is to delegate access to a security group or set of users so they can view and reset the local administrator password. Use the command below to verify the current rights (every principal it lists can read the password for computers in that OU):
Find-AdmPwdExtendedRights -Identity:"<OU distinguishedName>"
There are two commands to set the rights, one for read and one for reset rights:
Set-AdmPwdReadPasswordPermission -OrgUnit "<OU distinguishedName>" -AllowedPrincipals "HelpDesk_LAPS_Access"
Set-AdmPwdResetPasswordPermission -OrgUnit "<OU distinguishedName>" -AllowedPrincipals "HelpDesk_LAPS_Access"
Finally, verify that the permissions have been applied by running Find-AdmPwdExtendedRights against the OU again.
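To tie the verification and delegation steps together, here is an added PowerShell example (not from the original post). It assumes the AdmPwd.PS module from the LAPS installer and the ActiveDirectory module are available, and the OU distinguishedName and test computer name are placeholders for your environment.

```powershell
# Added example, not the post's own script. Placeholders: $OU and $TestComputer.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU           = "OU=Workstations,DC=example,DC=local"   # placeholder OU distinguishedName
$HelpDesk     = "HelpDesk_LAPS_Access"                   # group name used in the post
$TestComputer = "WS-TEST01"                              # placeholder test device

function Show-LapsRightHolders {
    param([string]$OrgUnit)
    # Every principal returned here holds "All extended rights" on objects in
    # the OU and can therefore read the clear-text local admin password.
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        "{0}`n  -> {1}" -f $_.ObjectDN, ($_.ExtendedRightHolders -join ", ")
    }
}

# 1. Audit before changing anything, so unexpected holders stand out.
"Rights before delegation:"
Show-LapsRightHolders -OrgUnit $OU

# 2. Delegate read (view) and reset (force rotation at next GPO refresh).
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $HelpDesk
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $HelpDesk

# 3. Verify the delegation took effect.
"Rights after delegation:"
Show-LapsRightHolders -OrgUnit $OU

# 4. Confirm a password is actually being managed on the test device, using
#    two of the checks from the post: the LAPS cmdlet and the raw AD attributes.
$viaCmdlet = Get-AdmPwdPassword -ComputerName $TestComputer
$viaAttr   = Get-ADComputer $TestComputer -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

if (-not $viaCmdlet.Password) {
    Write-Warning "$TestComputer has no LAPS password yet: check GPO scope, gpupdate and the agent install."
} else {
    # The expiration attribute is a FILETIME; convert it so a stale value is obvious.
    $expires = [DateTime]::FromFileTime([int64]$viaAttr.'ms-Mcs-AdmPwdExpirationTime')
    "Password present for $TestComputer, expires $expires"
    if ($expires -lt (Get-Date)) {
        Write-Warning "Expiration is in the past: the agent has not rotated the password."
    }
}
```

Run it as an account that can modify the OU's ACL; the "before" listing is the useful part, since it shows who could already read passwords before the help desk group was added.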
LAPS is now deployed and ready to use.