Using the link below, you can install the Microsoft LAPS application in your environment; it lets you change the passwords of the local admin accounts on the clients and servers in your domain, either manually or automatically.
1. LAPS Download and Installation
Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center
2. Deployment of LAPS Application to Client devices with GPO
After installing the application on the DC, we also need to distribute it to the computers whose passwords we are going to change. To do this, we first create a share called Apps on the server we use for backup operations and copy the installation file there.
The application can be installed on each computer individually if desired, but in large environments that would be a huge waste of time, so we distribute and install it through Group Policy Management. Because our computers are located under the Organizations OU, we create our GPO under this OU: we choose to create a new GPO and name the policy LAPS.
Then we go to Computer Configuration/Software Settings/Software Installation and choose New/Package.
Here the wizard asks us to point to the installation file. We continue by selecting our file.
We continue by selecting Assigned on the screen that comes up about how the installation will take place.
Our policy has been successfully established.
Now we go to one of our computers, pull the policy with the command gpupdate /force, and then restart the machine. When we check after the machine comes back up, we can see that the LAPS application has been installed successfully.
3. Group Policy Settings
After these steps, we prepare a GPO on the AD for LAPS. In the Group Policy Management screen, we create a policy called LAPS under the Organizations OU. After creating the policy, we choose Edit and go to Computer Configuration/Administrative Templates/LAPS. Here we click on Enable local admin password management.
On the screen that comes up, we make our policy Enabled and say Ok.
Then we go to the Password Settings entry, set it to Enabled, and configure the password policy (length, complexity and age).
To verify after completing these steps, we log in to a computer and pull the policy with the command gpupdate /force.
Thank you for the images and descriptions published in the article.
4. PowerShell Structuring Schema Expansion
Open "PowerShell" on your Active Directory server.
Import-module AdmPwd.PS
Update-AdmPwdADSchema
5. Steps to authorize your IT team to manage Local Admin passwords.
Let's create a "Security Group" named "Helpdesk" in Active Directory and add the IT personnel we want to authorize to this group.
Open PowerShell in the AD environment.
Decide which OU contains the "Computer objects" that the members of the "Helpdesk" group will manage, and authorize them on that OU with the following command.
Set-AdmPwdReadPasswordPermission -OrgUnit LAPS -AllowedPrincipals Helpdesk
NOTE: "LAPS" is the name of the OU where my computers are located. "Helpdesk" is the name of the security group I created for the IT personnel I will delegate.
You also need to grant the Computer Objects of the computers whose Local Admin accounts will be managed permission to write their own password, with the following command.
In our build, computers are under LAPS OU.
Set-AdmPwdComputerSelfPermission -OrgUnit LAPS
6. Let's make the necessary restrictions so that no one except your IT team can see the password information of Local Admin accounts.
Identify who is authorized:
With the following command, let's identify the groups or users who are authorized to view the passwords of the "Local Admin" accounts.
Import-module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity LAPS | Format-Table
(LAPS is the name of the OU; edit the command according to your environment.)
Open "ADSI Edit" with the command below.
adsiedit.msc
Right-click the LAPS container and open the "Properties" screen.
NOTE: LAPS is the name of the OU in which Computer Objects are located in our structure.
On the screen that opens, click the "Security" tab and then the "Advanced" button.
Select, one by one, the users or groups who should not see the password and its change time, and click the "Edit" button.
On the screen that opens, uncheck the "All extended rights" permission. This is the right that exposes the password attribute, so every principal that keeps it can read the local admin passwords of all computers in the OU.
7. Control
On the Active Directory server, or on a domain-joined device where the LAPS application is installed, SHIFT + right-click the LAPS application icon and choose "Run as different user". After logging in with one of the IT team accounts or domain admin accounts we authorized above, enter the computer name of the device whose local admin password you want to learn and click "Search"; the "Password" and its "Expires" date will be displayed.
In AD, the password and expiration date are stored on the computer object and can be seen in the Attribute Editor of the computer.
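The delegation in step 5, the extended-rights audit in step 6 and the check in step 7, combined into one script. This is an added example, not code from the original article; the OU name LAPS, the Helpdesk group, the allow-list of expected rights holders and the computer name PC01 are assumptions, and the last command needs the ActiveDirectory module.

```powershell
# Added example (not from the original article): delegate LAPS rights on the OU,
# then audit which principals still hold "All extended rights" on it, which is
# the right that exposes ms-Mcs-AdmPwd. Names below are assumptions.
Import-Module AdmPwd.PS

$OrgUnit  = 'LAPS'        # OU holding the computer objects (assumed)
$Helpdesk = 'Helpdesk'    # security group delegated to read passwords (assumed)
# Principals expected to hold extended rights; anything else gets flagged (assumed list)
$Expected = @('NT AUTHORITY\SYSTEM', 'Domain Admins', 'Enterprise Admins', $Helpdesk)

# Step 5: computers may write their own password/expiry; Helpdesk may read them
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit | Out-Null
Set-AdmPwdReadPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $Helpdesk | Out-Null

# Step 6 check: list every holder of extended rights on the OU and warn on the unexpected,
# so a stray group that should have been removed in ADSI Edit does not go unnoticed
$rights = Find-AdmPwdExtendedRights -Identity $OrgUnit
foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        $name = ($holder -split '\\')[-1]      # strip the DOMAIN\ prefix for comparison
        if ($Expected -notcontains $holder -and $Expected -notcontains $name) {
            Write-Warning "Unexpected extended-rights holder on $($entry.ObjectDN): $holder"
        }
    }
}

# Step 7 control: read the password and expiry LAPS stored for one computer (sample name)
$computer = 'PC01'
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# The same values live on the computer object as the two LAPS schema attributes
Get-ADComputer $computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
```

Run it as an account that is allowed to modify the OU's ACL; the warnings list exactly the principals whose "All extended rights" entry should be removed in ADSI Edit as described in step 6.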