
LAPS Installation and Configuration

Using the link below, you can install Microsoft LAPS in your environment. It lets you change the password of the local administrator account on the clients and servers in your domain, either manually or automatically on a schedule.

1. LAPS Download and Installation

Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

image 2
Local Administrator Password Solution LAPS Setup and configuration

2. Deployment of LAPS Application to Client devices with GPO

After installing the application on the DC, we also need to distribute it to the computers whose local administrator password we are going to manage. To do this, we first create a share called Apps on the server we use for backup operations and copy the installation file (the LAPS MSI) there.

image 147

The application can be installed on each computer by hand, but in large environments that is a huge waste of time, so we distribute and install it through Group Policy Management. Because our computers are located under the Organizations OU, we create the GPO under this OU: right-click the OU, choose to create a new GPO and name the policy LAPS.

image 148

Then we go to Computer Configuration/Software Settings/Software Installation and choose New/Package.

image 149

We are asked to point to the installation file; we select the MSI on the Apps share. Use the UNC path of the share rather than a local drive letter, because the package is fetched at startup by the computer account, not by a logged-on user.

image 150

On the screen asking how the installation should be carried out, we select Assigned.

image 151

Our policy has been successfully established.

image 152

Now we go to one of the computers, apply the policy with gpupdate /force and restart the machine (assigned software is installed at startup). After it comes back up, we can see that LAPS has been installed successfully.

image 153
image 154

3. Group Policy Settings

After these operations, we prepare a GPO on the AD for the LAPS settings themselves. In Group Policy Management we create a policy called LAPS under the Organizations OU, choose Edit and go to Computer Configuration/Administrative Templates/LAPS. The LAPS folder only appears if the AdmPwd.admx template was installed with the management tools in step 1. Here we open Enable local admin password management.

image 157

On the screen that comes up, we make our policy Enabled and say Ok.

image 158

Then we open Password Settings, set it to Enabled and define the password policy (complexity, length and maximum age).

image 159

To check, we log on to a computer in the OU and apply the policy with gpupdate /force.

image 160
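The policy from step 3 can also be built from PowerShell instead of the GPMC editor. The following is an added example and not part of the original article; it assumes the domain corp.local, that the computers live under the Organizations OU as in the screenshots, that the LAPS MSI has already been assigned to them (step 2), and that the RSAT GroupPolicy module is available on the machine you run it from. The registry key and value names are the ones the AdmPwd.admx template writes.

```powershell
# Added example: create the LAPS settings GPO with the GroupPolicy module.
# Assumptions: domain corp.local, computers under OU=Organizations,
# RSAT GroupPolicy module installed, LAPS MSI already deployed (step 2).
Import-Module GroupPolicy

$GpoName  = 'LAPS'
$TargetOU = 'OU=Organizations,DC=corp,DC=local'                # assumed DN
$PolKey   = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # key written by AdmPwd.admx

# Create the GPO once and link it to the OU; reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Local Administrator Password Solution settings'
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# "Enable local admin password management" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'AdmPwdEnabled' `
    -Type DWord -Value 1 | Out-Null

# "Password Settings" = Enabled, with explicit values instead of the template defaults.
# PasswordComplexity 4 = upper and lower case letters, digits and special characters.
$pwdSettings = @{
    PasswordComplexity = 4
    PasswordLength     = 20
    PasswordAgeDays    = 30
}
foreach ($name in $pwdSettings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName $name `
        -Type DWord -Value $pwdSettings[$name] | Out-Null
}

# Do not let a client keep a password longer than the policy allows.
Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'PwdExpirationProtectionEnabled' `
    -Type DWord -Value 1 | Out-Null

# Show what the GPO now carries; these are the values the GPMC editor displays.
Get-GPRegistryValue -Name $GpoName -Key $PolKey | Select-Object ValueName, Type, Value

# On a managed client, after 'gpupdate /force', the applied policy is visible with:
#   Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
```

The client-side check at the end is the quickest way to tell a GPO that did not apply (key missing) from a LAPS client that has not yet rotated the password (key present, attribute in AD still empty).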

The images and descriptions in the steps above are taken from the following article:

Configure and Deploy Local Administrator Password Solution (LAPS) – Azure – Cyber Security (volkandemirci.org)

4. Extending the AD Schema with PowerShell

Open PowerShell on your Active Directory server. Extending the schema adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class. The account you use must be a member of Schema Admins, and the clients cannot store a password until this step has been done.

Import-Module AdmPwd.PS
Update-AdmPwdADSchema
image 7
LAPS Installation and Configuration

5. Steps to authorize your IT team to manage Local Admin passwords.

Create a security group named Helpdesk in Active Directory and add the IT staff you want to delegate to it.

image 18

Open PowerShell in the AD environment.

Grant the Helpdesk group the right to read the passwords of the computer objects in the OU it will manage with the following command.

Set-AdmPwdReadPasswordPermission -OrgUnit LAPS -AllowedPrincipals Helpdesk

NOTE: "LAPS" is the name of the OU where my computers are located. "Helpdesk" is the name of the security group I created for the IT personnel I will delegate.

The computer objects themselves must also be allowed to write their own password and expiration time to Active Directory. Grant this on the OU that holds them with the following command.

In our environment the computers are under the LAPS OU.

Set-AdmPwdComputerSelfPermission -OrgUnit LAPS
image 17

6. Let's make the necessary restrictions so that no one except your IT team can see the password information of Local Admin accounts.

Identify who is authorized:

With the following command, list the groups or users that hold extended rights on the OU and can therefore view the local administrator passwords.

Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity LAPS | Format-Table

(LAPS is the name of the OU; adjust the command to your environment.)
image 15

Open ADSI Edit with the command below.

adsiedit.msc

Right-click the LAPS container and open Properties.
NOTE: LAPS is the name of the OU in which the computer objects are located in our environment.

image 11
LAPS Authorization – LAPS Authorization Restriction

On the screen that opens, go to the Security tab and click Advanced.

image 13
LAPS Authorization – LAPS Authorization Restriction

Select, one by one, the users or groups that should not be able to see the password and its expiration time, and click Edit.

image 12
LAPS Authorization – LAPS Authorization Restriction

On the screen that opens, uncheck All extended rights. Because ms-Mcs-AdmPwd is a confidential attribute, a principal needs this extended right (CONTROL_ACCESS) to read it; plain read permission on the object is not enough, so removing the extended right is what actually blocks access.

image 14
LAPS Authorization – LAPS Authorization Restriction

7. Verification

On the Active Directory server, or on a domain member where the LAPS management tools are installed, SHIFT + right-click the LAPS UI icon and choose Run as different user. After logging in with one of the delegated IT team accounts or a domain admin account, enter the computer name of the device whose local administrator password you want and click Search; the Password and Expires fields are displayed.

image 161

In AD, the password and the expiration date are stored on the computer object and can be seen in the Attribute Editor as ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (the latter as a FILETIME value).

image 162
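The same check can be done from PowerShell, which also shows what the UI is actually reading from AD and how to retire a password once a technician has used it. The following is an added example and not part of the original article; it assumes a computer named PC01 in the domain corp.local and that the caller is a member of the delegated Helpdesk group from step 5.

```powershell
# Added example: read a LAPS password from PowerShell and expire it after use.
# Assumptions: computer PC01, domain corp.local, caller is in the Helpdesk group.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Computer = 'PC01'   # assumed

# 1. The supported way: Get-AdmPwdPassword returns the clear-text password
#    and the expiry already converted to a DateTime.
$laps = Get-AdmPwdPassword -ComputerName $Computer
$laps | Select-Object ComputerName, Password, ExpirationTimestamp

# 2. What the UI really reads: the two LAPS attributes on the computer object.
#    ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME stored as a string.
$obj = Get-ADComputer -Identity $Computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
if ($obj.'ms-Mcs-AdmPwd') {
    $expires = [DateTime]::FromFileTimeUtc([int64]$obj.'ms-Mcs-AdmPwdExpirationTime').ToLocalTime()
    '{0}: password length {1}, expires {2}' -f $Computer, $obj.'ms-Mcs-AdmPwd'.Length, $expires
} else {
    # Empty means either the caller lacks the extended right (step 6) or the
    # client has not yet applied the LAPS policy and rotated its password (step 3).
    Write-Warning "No password readable for $Computer - check delegation and the client's gpresult"
}

# 3. After the password has been used, set its expiry to now so the client
#    rotates it at its next Group Policy refresh instead of at the scheduled age.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)
```

Step 3 matters because a password a technician has typed on a machine should be treated as exposed; the expiry is what makes the LAPS client on that machine generate a new one, and nothing changes on the machine until its next policy refresh.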