How to setup and deploy LAPS (Local Administrator Password Solution)

  • Published 11 Sep 2024
  • Learn how to set up, configure, and deploy LAPS (Local Administrator Password Solution) in your Active Directory environment. In this example, I show you how to install the LAPS application, update the Active Directory schema, deploy and configure LAPS using Group Policy, find the LAPS password, and force a password change.
    View the blog post with all the commands used in this video here: www.dannymoran...
    Hi, I’m Danny, a London-based IT consultant and sporadic blogger. You can view all my blog posts at: www.dannymoran...

Comments • 192

  • @twintron 1 year ago +16

    This is probably the best IT instructional video out there. Great job.

    • @danny_moran 1 year ago +2

      Thanks for watching! Hope you found it useful!

  • @onji 1 year ago +7

    Awesome job! Very thorough and to the point. One of the best tutorial vids. No fluff.

    • @danny_moran 1 year ago +1

      Thanks for watching!

  • @KnockoutSplash 1 year ago +1

    Thank you very much! Your Videos about WDS Server and this one are helping me a lot as a beginner, for deploying new Clients! Very clear and straight forward, but every important detail is named. Thanks!

    • @danny_moran 1 year ago +1

      Thanks for watching!

  • @francocalabresi2722 1 year ago +4

    Great video man, really clear! Thanks and greetings from Argentina.

    • @danny_moran 1 year ago +1

      Thanks for watching, Franco!

  • @babukarthick7616 7 months ago +1

    Crystal Clear explanation 🥰🥰🥰

    • @danny_moran 7 months ago +1

      Thanks for watching!

    • @babukarthick7616 7 months ago

      @@danny_moran please put a Zabbix server and client installation for the Veeam dashboard...🙏🙏🙏🙏🙏

  • @canicemorris4021 5 months ago +1

    Danny Moran you are the man

    • @danny_moran 5 months ago

      Thanks for watching!

  • @marioschristofi3145 1 year ago +3

    Thank you. Very informative and precise.

    • @danny_moran 1 year ago +1

      Thanks for watching!

  • @therealchris 7 months ago +1

    Very well done, thanks. Didn't solve my problem, but I learned something... and learning is always a good thing 😁

    • @danny_moran 7 months ago

      Thanks for watching!

  • @DaniLearnsIT 11 months ago +2

    Simple and to the point! Thank you dude :)

    • @danny_moran 11 months ago

      Thanks for watching!

  • @jayrajc 1 year ago +2

    Simply wonderful, cheers mate

    • @danny_moran 1 year ago +1

      Thanks for watching!

  • @Shxzic 1 year ago +2

    Great video, even better with the blog post. Keep up the good work!

    • @danny_moran 1 year ago +1

      Thanks for watching! Hope you found it useful!

  • @ben2mx 1 year ago +1

    To the point. I love it.

    • @danny_moran 1 year ago +1

      Thanks for watching!

  • @burnbrunet9712 1 year ago +3

    Love your videos, straight to the point! Any reasons to NOT install LAPS on a DC?

    • @danny_moran 1 year ago +5

      I installed the LAPS software onto my primary domain controller and did all of the configuration from there.
      Don't apply the LAPS group policy to the domain controllers' organisational unit. When you promote a domain controller, the local administrator account gets converted to the domain administrator account. I've never done this, but I can only assume bad things will happen if you apply it to that OU.
      Only apply the LAPS group policy to workstations and servers that aren't domain controllers. (Remember to test on a small number of workstations and servers first so you can confirm it works correctly, works as intended, and doesn't break anything.)
      Thanks for watching!

  • @eapradius 1 year ago +1

    The best tutorial!

  • @davidwhite6875 1 year ago +2

    Excellent video - helped me to completely setup LAPS.
    The only thing of note was that LAPS in group policy wasn't there, so I had to find out elsewhere from where to copy admpwd.admx/adml from/to in order to see it in group policy.

    • @danny_moran 1 year ago

      Thanks for watching! Glad you got it working in the end!

    • @shiassid 1 year ago +2

      Thank you.... I too was pondering over this for the last 20 minutes, but you saved me time!

  • @lilarby69 8 months ago +1

    Great video! Thanks for making this easy!

    • @danny_moran 8 months ago

      Thanks for watching!

  • @AhmedFaris76 1 year ago +2

    Thanks, mate!! Awesome video.

    • @danny_moran 1 year ago +2

      Thanks for watching!

  • @Brettspielpassion 1 year ago +3

    After this instruction, is the local admin password the same for all clients, or is it a different one for each workstation?

    • @danny_moran 1 year ago +4

      Each workstation is given a unique randomly generated password.
      Thanks for watching!

  • @lapinga02 4 months ago +1

    GOD BLESS YOU

    • @danny_moran 4 months ago

      Thanks for watching!

  • @chkpwd 1 year ago +3

    Incredible video!

    • @danny_moran 1 year ago +1

      Thanks for watching! Hope it was useful!

  • @mrmanofof 1 year ago +2

    I have an OU called Computers inside several OUs. For example, under the DRH OU there is a Computers OU, and I have another one under the DSI OU. How can I specify the exact OUs that have the same name but sit under other OUs for the below command?
    Set-AdmPwdComputerSelfPermission -OrgUnit

    • @danny_moran 1 year ago +3

      You would need to use the Distinguished Name of the OU. You can find this by going into Active Directory Users and Computers > View > Advanced Features. Once the Advanced Features are enabled, right-click the OU and press Properties, then go to Attribute Editor, double-click the attribute with the name distinguishedName, and then copy the value.
      Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,OU=Company,DC=ad,DC=dannymoran,DC=com"
      Thanks for watching!

  • @getoutmore 1 year ago +2

    Thank you! Worked perfectly for me :)

    • @danny_moran 1 year ago +1

      Glad you found it useful! Thanks for watching!

  • @user-tr1zt1mq7h 5 months ago +1

    Excellent! Thank you!

    • @danny_moran 5 months ago

      Thanks for watching!

  • @ValterPereira-lr6kn 4 months ago +1

    Hello! I have done everything as you demonstrated in your video; the only change I made is the custom administrator account. In the GPO I put the name of the account I want to be managed by LAPS, but nothing happens. With the default administrator account it works very well, but for the custom administrator account it doesn't work. What did I probably miss???
    Greetings from Portugal.

    • @danny_moran 4 months ago +1

      I'm not sure why it wouldn't work using a custom administrator account. I have never actually tried it.
      You might be best trying an internet search to see if anyone else has had the same issue.
      Thanks for watching!

  • @Akira29H 3 months ago +1

    This LAPS works only when the machine is joined to the domain. If it is unjoined from the domain, will it still work? If not, what is the workaround to preserve the local admin password as its original password?

    • @danny_moran 3 months ago

      When you remove a device from the domain, it will keep whatever password it had at the time of removal.
      You will have to manually change the password before removing from the domain if you don't want a random LAPS password.
      Thanks for watching!

  • @thomaselser8786 1 year ago +5

    Great video, nicely explained.
    Question: From a security view, is it ok to make certain domain users members of the security group "LAPSAdmins" so they can access the administrator password?

    • @danny_moran 1 year ago +3

      Yes, it's fine to put the accounts for people who need to access the passwords set by LAPS into the LAPSAdmins group. The only thing that group does is it gives read access to the ms-Mcs-AdmPwd attribute.
      Thanks for watching!

  • @psychoticapex 5 months ago +1

    Should LAPS be installed on the DC or somewhere else? I have found some conflicting information (based on what I understood) that installing it on DCs may cause problems, reset the Domain Administrator Password, etc. Is that an issue? I am ready to start implementing it but not sure where I must install it. Thanks!

    • @danny_moran 5 months ago

      You run the LAPS installer on a domain controller, however, you don't apply the GPO to the domain controllers OU.
      Thanks for watching!

  • @RaghawRAI 1 year ago +2

    Will the password be regenerated every time we force group policy as shown in the video, since you left the password age as the default (30 days) during GPO creation?

    • @danny_moran 1 year ago +2

      No, the password doesn't get regenerated every time group policy is updated.
      Each AD computer unit gets a custom attribute called "ms-Mcs-AdmPwdExpirationTime", the password only gets updated when it has expired, or someone expires the password so it can generate a new password.
      Thanks for watching!

  • @Akira29H 6 months ago +1

    What if the local admin on the PC is disabled, will it still work? Or do I need to enable it manually? What if during setup Windows created a new local admin, how do I assign it? And how do I prevent the local admin account from being auto-removed from the admin groups once joined to the domain?

    • @danny_moran 6 months ago

      If the local Administrator account is disabled, LAPS will still update the password, however, the account will remain disabled. You will still need to enable the account, either manually or using group policy.
      During the Windows installation, if you create another local admin, it will stay in the local admins group. You will have to either manually remove it from the group or use group policy to remove it from the group.
      Thanks for watching!

  • @user-sy3wy3fs2i 7 months ago +1

    Hey Danny, I am having issues updating the schema, I get the error 'Update-AdmPwdADSchema : The distinguished name contains invalid syntax.'
    I have confirmed that my account is a part of Schema Admin. Any ideas why I am getting the error?

    • @danny_moran 7 months ago

      Doesn't sound like a permission error, but an issue with the command you are running.
      Are you using the correct distinguished name? You may also have to put the DN in quotes.
      Thanks for watching!

    • @user-sy3wy3fs2i 7 months ago

      @@danny_moran What's a distinguished name? I can confirm that there aren't any quotes.

  • @JPrez-io6qj 1 year ago +2

    For some reason, the sysvol/scripts directory wasn't accessible for workstation devices; manually browsing to that LAPS location would generate access denied. I ended up creating a new directory called SoftwarePush and shared it as read-only to Everyone; it then became accessible to all workstations, and the GPO was able to install the software. This was on Server 2016. Any idea why mine was a bit different, and is that expected? Thx

    • @danny_moran 1 year ago +2

      Sounds like it could be related to "hardened UNC paths", but it's hard to guess with just that information.
      It doesn't really matter where on the network the files are stored, as long as clients can reach them.
      Glad you got it working. Thanks for watching!

  • @techassistcityofcolby6652 1 year ago +2

    With the OU structure separated out by departments and a sub-OU holding the computers (all with the name Computers), how do you specify it to point at those sub-OUs when running Set-AdmPwdComputerSelfPermission -OrgUnit ??

    • @danny_moran 1 year ago +1

      You should just need to run it against the parent OU and it will filter through to the sub-OUs.
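
The two questions above (duplicate OU names, and pointing the self-permission at specific sub-OUs) come down to using the OU's distinguished name. This added example is not from the video or Danny's blog; it assumes the RSAT ActiveDirectory module and the AdmPwd.PS module that the LAPS installer provides, and `$OuName` and `$Apply` are placeholders you set.

```powershell
# Added example: list every OU with a given name next to its parent, so duplicates
# such as "Computers" under DRH and under DSI can be told apart by DN, then grant
# the LAPS computer self-write permission on each one using that DN.
# Assumes RSAT ActiveDirectory and AdmPwd.PS; $OuName and $Apply are placeholders.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OuName = 'Computers'   # the duplicated OU name from the question
$Apply  = $false        # set to $true once the list below looks right

# Every OU whose Name matches comes back with its full distinguished name.
$ous = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ous.Count -eq 0) { throw "No OU named '$OuName' was found." }

# Show each DN beside its immediate parent so the right one is obvious.
$ous | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Parent = ($_.DistinguishedName -split ',', 2)[1]
        DN     = $_.DistinguishedName
    }
} | Format-Table -AutoSize

foreach ($ou in $ous) {
    $dn = $ou.DistinguishedName

    # Never grant self-permission under the Domain Controllers OU: on a DC the
    # built-in Administrator is the domain Administrator, as the thread warns.
    if ($dn -like 'OU=Domain Controllers,*') {
        Write-Warning "Skipping $dn"
        continue
    }

    if ($Apply) {
        # Pass the DN, not the bare name; it contains commas, so keep it one string.
        Set-AdmPwdComputerSelfPermission -OrgUnit $dn
    } else {
        Write-Host "Would run: Set-AdmPwdComputerSelfPermission -OrgUnit `"$dn`""
    }
}
```

Because the permission is inherited by child OUs, granting it once on each department OU also covers every Computers sub-OU beneath it; the per-OU loop is for when you want only some of them.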

  • @BishBosh24 1 year ago +3

    Thanks for the video. What about non-built-in local admin accounts that were created, can these be managed with LAPS also?

    • @danny_moran 1 year ago +1

      You can only manage 1 account with LAPS. Either the built-in Administrator account, or you can change the group policy to look at a different account name.
      What other local administrator accounts do you have on workstations that would require this? Usually, you would just have the one local administrator account and the rest of the accounts would be managed using Active Directory.
      Thanks for watching!

  • @GeetaDevi-pi8sy 5 months ago +1

    Does it also change the DC Administrator password after configuring LAPS?

    • @danny_moran 5 months ago

      I would recommend not applying this GPO to your Domain Controllers OU and managing your Domain Administrator account manually.
      Thanks for watching!

  • @dpacman23 11 months ago +2

    Thank you for this video, it is great. I do have one question though. In our environment we have 3 Domain Controllers. Do I have to set up LAPS on all of them or just 1?

    • @danny_moran 11 months ago +2

      No, you only need to install on one to get the install files and GPO options.
      Once it's all configured on one, the settings will replicate to the other domain controllers automatically.
      Thanks for watching!

  • @ITCatz 5 months ago +1

    Computers need to be joined to the network/VPN to get the new password, correct?

    • @danny_moran 5 months ago +1

      They need to be able to communicate with a domain controller.
      Thanks for watching!

  • @avalonvt 10 months ago +1

    Quick question here, but when installing the LAPS package as you showed here on one DC, I didn't get the LAPS.admx and LAPS.adml files to show up in the proper location, so it wouldn't show. When I just copied those files from another DC that did get them, I get a ton of other options not included in this video, but no "Enable Local Admin Password Management" setting in the Group Policy Management Editor. Do you happen to have any guidance? Or resources? Maybe just a point in another direction?

    • @danny_moran 10 months ago +1

      Have you setup Group Policy Central Store on your network? If you are using a central store, try the steps below. If you aren't using a Central Store, you may need to run the installer again.
      If you ran the LAPS installer, it might have put the ADMX files into the local store and not the central store.
      Browse to C:\Windows\PolicyDefinitions and see if there are any files called AdmPwd
      You will then need to copy the AdmPwd files to \\domain.local\SYSVOL\domain.local\policies\PolicyDefinitions
      This should fix the issue if you are using a central store.

    • @avalonvt 10 months ago +1

      @@danny_moran Thank you for the tip. So what fixed the problem for me was that yes we were using a central store but I assumed that the LAPS.admx/adml file was the one that needed to be transferred over. But it was actually the AdmPwd.admx/adml. Every tutorial online I found said you needed the LAPS files, but on a whim I extracted the MSI using 7zip and found the AdmPwd files and transferred them. It worked immediately. Thank you for inspiring me to take a deeper look at the stuff I had on hand.

    • @danny_moran 10 months ago +1

      Glad you got it fixed.
      Thanks for watching!

  • @RaditioDwi 2 months ago +1

    Hi, does this work for macOS that is joined to AD?

    • @danny_moran 2 months ago

      No, this just works for Windows devices.
      Thanks for watching!

  • @rmckee22 10 months ago +1

    Is this for Microsoft LAPS (the older one) or Windows LAPS? I have followed all steps and everything seems to work except I can't see the passwords, it's just blank.

    • @danny_moran 10 months ago

      This is for the original Microsoft LAPS.
      Did you run the Set-AdmPwdReadPasswordPermission command against a security group to give those users permissions to view the passwords?
      Also, has group policy been updated on the workstation to install the software and has the password actually been updated on the client?

    • @rmckee22 10 months ago +1

      @@danny_moran I figured it out. Nowhere in any of the documentation I found does it say that I have to make sure the local group policy password policy is greater than or equal to the settings that you set in the LAPS software. I had it set in GPO for an 8-character password minimum and then I tried to set LAPS for a 14-character password; that's why it didn't work. Makes sense, but I'm so surprised the documentation doesn't say that.

    • @danny_moran 10 months ago

      Glad you've got it working! Thanks for watching!

  • @mrmanofof 1 year ago +1

    I have a domain that is installed on 4 servers (replication), should I install LAPS on each server?

    • @danny_moran 1 year ago +1

      No, you don't need to install it on all Domain Controllers. Just doing it on one will work fine.
      Thanks for watching!

  • @WorldEnder 5 months ago +1

    Does this work with a Windows Server 2022 DC and Windows 8.1 clients?

    • @danny_moran 5 months ago

      Yes, this should work fine.
      Thanks for watching!

  • @Pham-Bao-Hoa 1 month ago +1

    To update the schemas, does the Domain Controller need access to the Internet?

    • @danny_moran 1 month ago +1

      No, it doesn't need internet access.
      Thanks for watching!

    • @Pham-Bao-Hoa 1 month ago +1

      @@danny_moran Thank you for the step-by-step tutorial. I finally got LAPS up and running now.

  • @Xylord79 8 months ago +1

    Love the videos! Quick question though... If your environment has multiple domain controllers, do you have to install the MSI file on all DCs or just one and it replicates to the others?

    • @danny_moran 8 months ago +1

      You only need to run the installer on one domain controller and then the changes will replicate to the other domain controllers.
      Thanks for watching!

  • @mrmanofof 3 months ago +1

    I have followed your video, everything worked like a charm for users' PCs. Now, after a while, I wanted to apply this GPO to servers, but it doesn't seem to work on them. What could be the reason?

    • @danny_moran 2 months ago

      Should work fine for servers. Did you make sure the GPO is linked to the OU the servers are in and also tried restarting the server for it to install the LAPS software?

    • @mrmanofof 2 months ago +1

      @@danny_moran Yes, I did. I believe I read it works for Windows Server 2019 and above, is that true?

    • @danny_moran 2 months ago +1

      Yes, it works for Windows Server 2019 and above.

  • @MsSimon247 1 year ago +1

    Hello, if I'm managing a different admin account than the Windows Administrator, and not all PCs in the domain have the specified admin account, and then I create it on a PC that doesn't, does it then, after gpupdating, become LAPS managed as well? Thank you

    • @danny_moran 1 year ago

      Yes, it should do, as long as the computer object within Active Directory is within an Organisational Unit that has the LAPS GPO applied to it.
      Thanks for watching!

  • @thormagneschistad668 10 months ago +1

    I have several local administrators on one domain PC (.\it1, .\it2 and .\it3). How does/can LAPS give each account its own password?

    • @danny_moran 10 months ago

      LAPS can only manage one local administrator account. By default, it manages the .\Administrator account, however, you can change this to a different account in the group policy settings.
      Thanks for watching!

    • @thormagneschistad668 10 months ago +1

      Thank you.

  • @hafizmemmedov7856 10 months ago +1

    Hello, thank you for the great video.
    If I go through these processes (on domain computer) and it still doesn't give me a password, what solutions should I look for?

    • @danny_moran 10 months ago

      Double-check that the GPO is being applied to the workstation and maybe give it a couple of reboots to make sure that the software has a chance to be installed and run.
      If you try and login to the local admin of the workstation, has it actually been updated?
      I've never had an issue with it not showing the password and I've deployed this to many active directory environments.

  • @dylanburr6484 10 months ago +1

    For some reason at 6:35 I don't have LAPS listed under the Administrative Template Policies. Is this something you could help with?

    • @danny_moran 10 months ago

      Have you setup Group Policy Central Store on your network? If you are using a central store, try the steps below. If you aren't using a Central Store, you may need to run the installer again.
      If you ran the LAPS installer, it might have put the ADMX files into the local store and not the central store.
      Browse to C:\Windows\PolicyDefinitions and see if there are any files called AdmPwd
      You will then need to copy the AdmPwd files to \\domain.local\SYSVOL\domain.local\policies\PolicyDefinitions
      This should fix the issue if you are using a central store.

    • @dylanburr6484 10 months ago +1

      @@danny_moran This worked, thank you so much for your help.

    • @danny_moran 10 months ago

      Glad you got it fixed.
      Thanks for watching!

  • @mrmanofof 1 year ago +1

    I have some technicians working under my supervision. They don't have access to AD but they need to know the local admin password. Is it possible to set the same password for all the local admins and change it whenever I want?

    • @danny_moran 1 year ago +1

      If you put the technicians into the LAPSAdmins security group and then install the LAPS software on their workstation, they should be able to access the passwords without having direct access to AD.
      Thanks for watching!

  • @saaidahnais1596 10 months ago +1

    Thank uuu sooo muuuch!!!!

    • @danny_moran 10 months ago

      Thanks for watching!

  • @eeyekim 11 months ago +1

    Nice tutorial

    • @danny_moran 11 months ago

      Thanks for watching!

  • @andrewenglish3810 1 month ago +1

    The MS LAPS download link no longer works; there is an internal server error.

    • @danny_moran 1 month ago

      The download link still seems to work for me: www.microsoft.com/en-us/download/details.aspx?id=46899
      Thanks for watching!

  • @charlesbuzz 5 months ago +1

    Thanks for this tutorial!
    Question: the admin account is disabled on all of the workstations; we use another account for admin. Can I use the GPO "name of administrator account to manage" and put the name of our admin account in that GPO?

    • @danny_moran 5 months ago

      Yes, that's correct. Just change the value of that GPO setting and it will manage the account with that name.
      Thanks for watching!

  • @adiariel6726 10 months ago +1

    Thank you. Do I need to install it on all DC servers or only on one of them? And does it support Windows Server 2016?

    • @danny_moran 10 months ago

      You just need to do the setup on one domain controller and all the required changes will automatically replicate to the other domain controllers.
      This works fine for Server 2016 and onwards, as well as Windows 10 and 11.
      Thanks for watching!

  • @Foodtechie 3 months ago +1

    Useful

    • @danny_moran 3 months ago

      Thanks for watching!

  • @moulayahmedarahhali6085 1 year ago +1

    Running a DC on Server 2019; in the GPME I can't find LAPS under Administrative Templates Policy.

    • @danny_moran 1 year ago +1

      Have you setup Group Policy Central Store on your network? If you are using a central store, try the steps below. If you aren't using a Central Store, you may need to run the installer again.
      If you ran the LAPS installer, it might have put the ADMX files into the local store and not the central store.
      Browse to C:\Windows\PolicyDefinitions and see if there are any files called AdmPwd
      You will then need to copy the AdmPwd files to \\domain.local\SYSVOL\domain.local\policies\PolicyDefinitions
      This should fix the issue if you are using a central store.

    • @moulayahmedarahhali6085 1 year ago

      @@danny_moran Thank you, Danny, this has been solved, but I'm still having issues pushing the software installation via GPO, yet when I install the software manually it works fine. I'm not getting any errors, and my permissions are fine.

  • @LOWERCASE_GUY23 4 months ago +1

    Thanks for this tutorial
    Currently stuck on GPO as the LAPS folder does appear under "Administrative Templates", and wondering if it could be because I never restarted the server?

    • @danny_moran 4 months ago +2

      Have you setup Group Policy Central Store on your network? If you are using a central store, try the steps below. If you aren't using a Central Store, you may need to run the installer again.
      If you ran the LAPS installer, it might have put the ADMX files into the local store and not the central store.
      Browse to C:\Windows\PolicyDefinitions and see if there are any files called AdmPwd
      You will then need to copy the AdmPwd files to \\domain.local\SYSVOL\domain.local\policies\PolicyDefinitions
      This should fix the issue if you are using a central store.

    • @LOWERCASE_GUY23 4 months ago +1

      @@danny_moran Let me try that out, thanks.
      Worked like a charm, thanks a lot.

    • @danny_moran 4 months ago +1

      Glad that worked!

    • @Ian-S. 2 months ago +1

      Side note, the AdmPwd.adml may also need to be moved into the appropriate language folder to go along with the AdmPwd.admx file.
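
The central store fix Danny repeats in this thread, plus the language-folder detail in the side note above, as an added script that is not from the video or Danny's blog. It assumes the legacy LAPS installer was run with its "GPO Editor templates" feature on the machine it runs on; `domain.local` and `en-US` are placeholders.

```powershell
# Added example: copy the legacy LAPS Group Policy templates from the local
# PolicyDefinitions store into the Group Policy Central Store so the LAPS node
# appears in the Group Policy Management Editor. $Domain and $Language are
# placeholders; adjust both for your forest.
$Domain   = 'domain.local'                         # placeholder: your AD DNS name
$Language = 'en-US'                                # language folder for the .adml
$Local    = 'C:\Windows\PolicyDefinitions'
$Central  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# The installer ships AdmPwd.admx and AdmPwd.adml, not LAPS.admx / LAPS.adml.
$Admx = Join-Path $Local 'AdmPwd.admx'
$Adml = Join-Path (Join-Path $Local $Language) 'AdmPwd.adml'

foreach ($f in $Admx, $Adml) {
    if (-not (Test-Path -LiteralPath $f)) {
        throw "Template not found: $f. Re-run the LAPS installer and select the GPO Editor templates feature."
    }
}

# Without a Central Store, GPMC reads the local store of the machine it runs on,
# so the installer's local copy is already enough and there is nothing to copy.
if (-not (Test-Path -LiteralPath $Central)) {
    throw "No Central Store at $Central. Either create it or edit the GPO on the DC where LAPS was installed."
}

# The .admx goes in the root; the .adml must sit in the matching language subfolder.
Copy-Item -LiteralPath $Admx -Destination $Central -Force
$LangDir = Join-Path $Central $Language
New-Item -ItemType Directory -Path $LangDir -Force | Out-Null
Copy-Item -LiteralPath $Adml -Destination $LangDir -Force

# Confirm both files are in place; SYSVOL replication carries them to the other DCs.
Get-ChildItem -LiteralPath $Central -Recurse -Filter 'AdmPwd.*' |
    Select-Object FullName, Length, LastWriteTime
```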

  • @dogcaramello 1 year ago +1

    How do I remove LAPS from a computer? I already uninstalled it from Control Panel but it still keeps changing the password.

    • @danny_moran 1 year ago

      I've never actually tried removing LAPS. I would assume that if you remove the group policy and then uninstall the software from the client, it would stop updating the password.
      Thanks for watching!

  • @karamdhafer4895 10 months ago +1

    How can you show the information of the computer on screen? What do you use for this?

    • @danny_moran 10 months ago

      It's called BgInfo. I have a guide on how to set it up here: th-cam.com/video/ZnCEpFzd9VU/w-d-xo.html
      Thanks for watching!

    • @karamdhafer4895 10 months ago +1

      Thank you so much

  • @Milad1992Kb 11 months ago +1

    Thanks

    • @danny_moran 11 months ago

      Thanks for watching!

  • @informol9843 1 year ago +1

    So basically, how it works is: the LAPS software sets a random password for the local admin and stores it in AD?

    • @danny_moran 1 year ago

      Yes, that's correct.
      When you go through the LAPS setup process, a new AD attribute is created called "ms-mcs-AdmPwd" which will appear in all computer objects.
      The software then writes the password to this attribute.
      Thanks for watching!

  • @Lennert1712 5 months ago +1

    Hey, I have a question. When I do the gpupdate /force part it constantly gives me the same message over and over again. It says: "The following warnings were encountered during computer policy processing: The group Policy Client Side Extension Software Installation was unable to apply one or more settings......... Certain Computer policies are enabled that can only run during startup." I am trying to do this in VMs: 1 DC VM (Server 2022) and 1 client VM (Windows 11 Pro). If anyone has some sort of explanation why it's doing this, I would greatly appreciate it if you could comment it under this.

    • @danny_moran 5 months ago

      Have you tried restarting the Windows 11 client?
      GPO software installations are applied at startup and not when a gpupdate is run.
      Thanks for watching!

    • @Lennert1712 5 months ago +1

      @@danny_moran Thank you for responding so fast. Yes, I have tried that multiple times but I keep getting the same message.

    • @danny_moran 5 months ago +1

      I've not had that error before, so I can't assist much, unfortunately.
      You will probably have to search online to see if anyone else has had this error.

    • @Lennert1712 5 months ago +1

      @@danny_moran Hopefully I figure it out. Thanks anyway for trying to help.

  • @pm_dreamingcars 8 months ago +1

    Just looking at deploying LAPS next year. Excellent video Danny, is there a way to set a password and have it increment?

    • @danny_moran 8 months ago +1

      LAPS just generates a random password for each client. I don't think it can be configured in that way.
      Thanks for watching!

    • @pm_dreamingcars 8 months ago +1

      Again, excellent tutorial @@danny_moran

  • @mrmanofof 1 year ago +1

    Can I use LAPS to manage Windows Server admins as well?

    • @danny_moran 1 year ago +1

      You can use it to manage the local Administrator account on Windows Servers.
      Thanks for watching!

  • @PhamLuuucKhai 1 year ago +1

    I followed all the steps in your video correctly but still can't see the password. I did it on Windows Server 2022. Please help me??? Thanks

    • @danny_moran 1 year ago

      If you manually check the active directory computer object for one of the workstations, can you see two attributes called ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime? Do they contain data?
      Use an account that is a domain administrator to check this to avoid any permission issues. This will confirm if the password is being sent back to active directory.

    • @abattleborn
      @abattleborn 1 year ago

      Did you find any solution? Same here, followed everything yet it just doesn't work.

  • @jasonyu9527
    @jasonyu9527 5 months ago +1

    How do I undo the following command, i.e. revoke the permission for the Workstations OU:
    Set-AdmPwdComputerSelfPermission -OrgUnit Workstations

    • @danny_moran
      @danny_moran 5 months ago

      I've never tried removing the permissions.
      You will need to check the Microsoft documentation to see how it's done.
      Thanks for watching!

    • @jasonyu9527
      @jasonyu9527 5 months ago

      @danny_moran I mistakenly granted permission to the OU where the domain controller is located, causing both my only domain administrator account and password to be changed. I checked the official documentation and found no command to revoke the permission. It's quite troublesome to solve this issue.
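
For the question above about undoing Set-AdmPwdComputerSelfPermission: the AdmPwd.PS module has no reverse cmdlet, but what it grants is an ordinary access control entry on the OU (NT AUTHORITY\SELF, write on the two ms-Mcs-AdmPwd* attributes, inherited by computer objects), so the entry can be listed and removed with the generic AD ACL cmdlets. The script below is an added example, not from the video, the blog post or Microsoft's documentation; the OU name is a placeholder, and the exact shape of the ACE is my assumption based on how the module works, so run it in listing mode first.

```powershell
# Added example (not from the video): list, and optionally remove, the SELF write
# permissions on the LAPS attributes that Set-AdmPwdComputerSelfPermission grants.
# Uses the generic AD ACL cmdlets, as the AdmPwd.PS module has no "remove" cmdlet.
# Assumes the RSAT ActiveDirectory module and a domain-admin account.
Import-Module ActiveDirectory

$ou     = 'OU=Workstations,DC=example,DC=local'   # placeholder: the OU you granted on
$remove = $false                                   # set to $true to actually strip the ACEs

# ACEs reference attributes by schemaIDGUID, so resolve the GUIDs of the two LAPS attributes.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsGuids = foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# Read the OU's security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ou"

# Keep only entries for SELF that grant WriteProperty on one of the LAPS attributes.
$selfAces = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $lapsGuids -contains $_.ObjectType -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}

# Always show what matched before touching anything.
$selfAces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table -AutoSize

if ($remove -and $selfAces) {
    foreach ($ace in $selfAces) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
    Write-Host "Removed $($selfAces.Count) SELF write ACE(s) from $ou"
}
```

Leave $remove at $false the first time so you can confirm the two matching entries. Removing the ACE only stops future rotations; the password LAPS already wrote is not reverted. On a domain controller the "local" Administrator is the domain Administrator, and the value LAPS set is stored in that DC's computer object (the ms-Mcs-AdmPwd attribute), which a domain admin can read with Get-AdmPwdPassword to regain access. Grant the self-permission only on OUs containing workstations and member servers, never on the Domain Controllers OU.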

  • @beerzo
    @beerzo 1 year ago +1

    Do we install on all domain controllers or only one?

    • @danny_moran
      @danny_moran 1 year ago

      You only need to do this on one domain controller.
      Thanks for watching!

  • @carlosync
    @carlosync 1 year ago +1

    How would you create a custom password for all computers in the company, doing it at once?

    • @danny_moran
      @danny_moran 1 year ago

      I'm not sure I understand your question.
      Using LAPS, it creates a random password for the Administrator account on all computers that are within the scope of the Group Policy Object.
      Thanks for watching!

    • @carlosync
      @carlosync 1 year ago +1

      @danny_moran I wanted to create a custom password and change the name of the administrator account of all machines. But the goal is to change the password, but it cannot be random but personalized.

    • @danny_moran
      @danny_moran 1 year ago

      I wouldn't change the name of the local Administrator account, but I would use Group Policy and create a policy to disable it.
      You can then also use Group Policy to create a new user account with whatever name and password you want and put it in the local Administrators group on the workstations.

  • @nathansmith7452
    @nathansmith7452 1 year ago +1

    Any resource to create a GPO with Software Package?

    • @danny_moran
      @danny_moran 1 year ago

      I haven't created any guides on deploying software using Group Policy.
      I generally avoid Group Policy for this, as I have found it to be not very good. I would recommend using some kind of RMM solution or Configuration Manager to do this, as it will give you much more control and visibility.
      Thanks for watching!

  • @buenology
    @buenology 7 months ago +1

    You know Danny, I appreciate your tutorial and I thank you for taking the time to help us. So here are my questions for you. I followed your guide and my test environment is Windows Server 2022 (Trial), with Windows 11 Pro (fully updated). Both are VMs using Proxmox. Anyway, I installed the Windows 11 23H2 ADMX and created my Central Store under \\domain.local\sysvol\domain.local\Policies\PolicyDefinitions and dumped it all there, just the ADMX, and en-US ADML with no additional language folder, etc. However in your video, I see that you open LAPS under ComputerConfiguration/Policies/AdministrativeTemplates/LAPS where on my Policy, LAPS is under ComputerConfiguration/Policies/AdministrativeTemplates/System/LAPS and I also do not have the Enable Local Admin Password Management Policy. Should I be using another LAPS ADMX/ADML? I moved my C:\Windows\PolicyDefinitions LAPS ADMX/ADML to the SYSVOL\DOMAIN.LOCAL\Policies\PolicyDefinitions folder, and nothing has changed.
    Your thoughts?

    • @buenology
      @buenology 7 months ago +1

      Danny, I put 2 and 2 together. You're using local Group Policy, while I was using AD Group Policy. I found it. What are your thoughts anyway, LAPS cannot be done under AD Group Policy, or am I saying this incorrectly? I was reading about Windows LAPS versus Microsoft LAPS, did I just install Microsoft LAPS?

    • @buenology
      @buenology 7 months ago +1

      No wait, I think I am doing this all wrong, lol. Why would I need to use GPEDIT.MSC, and not the Group Policy Management? LAPS is not found in the Group Policy Management, but only in the Local Group Policy Editor.

    • @buenology
      @buenology 7 months ago +1

      Nevermind, I figured it all out, lol - Thank you everyone. :D. Everything works, TY Danny. (Subscribed)

    • @danny_moran
      @danny_moran 7 months ago +1

      Glad you've managed to get it working. Thanks for watching!

    • @buenology
      @buenology 7 months ago +1

      Your thoughts on SCCM? That is my next project in my test environment along with split DNS, RDS, BitLocker encryption/decryption GPO, etc. I'm preparing for a Root CA also. If you have any good videos on these, let me know. Thank you.

  • @upendrasingh4073
    @upendrasingh4073 1 year ago +1

    Man, I followed the same steps which you performed, but when we are checking the password, the password is not coming.

    • @danny_moran
      @danny_moran 1 year ago +1

      If you manually check the active directory computer object for one of the workstations, can you see two attributes called ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime? Do they contain data?
      Use an account that is a domain administrator to check this to avoid any permission issues. This will confirm if the password is being sent back to active directory.
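
Danny's manual check above, which he gives the same way earlier in the thread to @PhamLuuucKhai, can be scripted for a whole OU. The following is an added example and is not code from the video or its blog post; it assumes the RSAT ActiveDirectory module, a domain-admin (or LAPS-reader) account, and a placeholder OU name, and it reports only whether a password is present rather than printing passwords into a report.

```powershell
# Added example (not from the video): confirm that computers in an OU are writing
# their LAPS password and expiry back to Active Directory.
# Assumes the RSAT ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=example,DC=local'   # placeholder OU

# ms-Mcs-AdmPwd is a confidential attribute: accounts without read rights get an empty value,
# so run this as a domain admin first, as Danny suggests, to rule out permission problems.
$report = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $expiry = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer    = $_.Name
            # Only record whether a password exists; never write the value itself to a report.
            HasPassword = -not [string]::IsNullOrEmpty($_.'ms-Mcs-AdmPwd')
            # The expiration time is stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            Expires     = if ($expiry) { [DateTime]::FromFileTime([int64]$expiry) } else { $null }
            Expired     = if ($expiry) { [DateTime]::FromFileTime([int64]$expiry) -lt (Get-Date) } else { $null }
        }
    }

$report | Sort-Object HasPassword, Computer | Format-Table -AutoSize

# Summary line: anything with HasPassword = False has not reported in yet.
"{0} of {1} computers have a LAPS password stored" -f (@($report | Where-Object HasPassword).Count), @($report).Count
```

A computer with no password and no expiry has never run the LAPS client-side extension successfully: check that the GPO applies to it, that the LAPS CSE is installed, and that the Workstations OU has been granted the self-write permission (Set-AdmPwdComputerSelfPermission). A computer that shows a password when run as a domain admin but not as a helpdesk user is a read-permission problem (Set-AdmPwdReadPasswordPermission), not a client problem. To read one password interactively, the module's own Get-AdmPwdPassword -ComputerName <name> cmdlet is the supported route.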

  • @ReallyFact99
    @ReallyFact99 1 year ago +1

    Bro, can this apply on Windows Server 2012 R2?

    • @danny_moran
      @danny_moran 1 year ago

      Yes, this works on Windows Server instances.
      Thanks for watching!

  • @Akira29H
    @Akira29H 8 months ago +1

    Is it dangerous then? Whoever admins in the DC can get the other domain DCs.

    • @danny_moran
      @danny_moran 8 months ago

      I'm not sure what you mean by this. Can you confirm what you mean?

  • @jamieobrien938
    @jamieobrien938 10 months ago +1

    Messed up, I assigned the policy at the root of the domain and locked myself out of my test environment 😂🤦🏻‍♂️

    • @danny_moran
      @danny_moran 10 months ago

      I have a guide on resetting the domain administrator account: th-cam.com/video/69b_1QM1D-g/w-d-xo.html

  • @gdr1174
    @gdr1174 1 year ago +4

    I thought it was Michael Owen talking then 😁

    • @danny_moran
      @danny_moran 1 year ago +2

      erm... thanks...? haha
      Thanks for watching!

    • @gdr1174
      @gdr1174 1 year ago

      I have a few questions. Once deployed, could you install the LAPS UI onto a workstation for convenience for retrieving passwords, rather than connecting to the DC each time?
      Also, do you happen to know if this version of LAPS is suitable in an environment where devices are hybrid joined to Azure AD?

    • @danny_moran
      @danny_moran 1 year ago +1

      Yes, you can install the application on a workstation and use that to retrieve the passwords without logging into a domain controller.
      LAPS works with Hybrid Azure AD joined devices but not with fully joined devices.
      Microsoft are working on Windows LAPS which will work with fully AAD devices: learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-azure-active-directory

    • @jonnykewell1
      @jonnykewell1 1 year ago +1

      I have a few questions if I may?
      Does the OU you apply the PowerShell commands to need to be a unique name across AD, or can you just type in the Distinguished Name path to the folders? I have multiple OUs called 'workstation', for example.
      If for some reason I had to reinstall my primary domain controller, can I still see the passwords somewhere or are they encrypted, and would reinstalling LAPS allow me to just see them again?

    • @danny_moran
      @danny_moran 1 year ago

      You can use the Distinguished Names when running the commands.
      As the passwords are stored as an attribute in the Active Directory computer unit, the passwords are replicated to all domain controllers within the domain.

  • @MarloMitchell
    @MarloMitchell 10 months ago +1

    Why is this useful?

    • @danny_moran
      @danny_moran 10 months ago +2

      LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.
      LAPS simplifies password management while helping customers implement additional recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer's local administrator account in AD, secured in a confidential attribute in the computer's corresponding AD object. The computer can update its own password data in AD, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.
      Thanks for watching!

  • @rudi8192
    @rudi8192 6 months ago +1

    What does LAPS do to a disabled local administrator, in a host where you have more than one local administrator account? Does it only include the active one?

    • @danny_moran
      @danny_moran 6 months ago

      LAPS can only manage one account. By default, it manages the local built-in Administrator account. Even if the account is disabled, it still manages the password.
      Thanks for watching!

    • @rudi8192
      @rudi8192 6 months ago +1

      @danny_moran So can I choose which account?

    • @danny_moran
      @danny_moran 6 months ago

      Yes, you can specify a different account.
      There is a GPO setting in the same folder which lets you select a different account instead of the local administrator account.

    • @rudi8192
      @rudi8192 6 months ago +1

      @danny_moran Thanks a lot. It was important to me because in my environment I have disabled the local built-in Administrator account and created another local administrator called LapsAdmin for each PC, including servers.
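
To confirm on a client which account its LAPS policy actually manages (the built-in Administrator by default, or the account named in the "Name of administrator account to manage" setting Danny mentions above), the registry values the GPO writes can be read directly. This is an added example and not code from the video; it assumes the legacy Microsoft LAPS client-side extension the video installs, which reads its policy from HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd, and it must be run as an administrator on the workstation.

```powershell
# Added example (not from the video): show which account the legacy LAPS CSE on this
# client is configured to manage, and whether that account exists locally.
# Assumes the AdmPwd CSE is installed and the LAPS GPO has applied to this machine.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

if (-not (Test-Path $key)) {
    throw "LAPS policy key not present: the GPO has not applied yet (run gpupdate /force, then check the OU the computer sits in)."
}

$p = Get-ItemProperty -Path $key

# An empty or absent AdminAccountName means the built-in Administrator (well-known RID 500)
# is managed, even if that account is disabled.
$managedName = if ($p.AdminAccountName) {
    $p.AdminAccountName
} else {
    (Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }).Name
}

[pscustomobject]@{
    PolicyEnabled   = [bool]$p.AdmPwdEnabled
    ManagedAccount  = $managedName
    UsesBuiltIn     = -not [bool]$p.AdminAccountName
    PasswordLength  = $p.PasswordLength
    PasswordAgeDays = $p.PasswordAgeDays
    Complexity      = $p.PasswordComplexity   # 1 = large letters .. 4 = large, small, digits, specials
} | Format-List

# Cross-check the local account: LAPS rotates the password whether or not it is enabled,
# but if the named account does not exist at all, nothing will be managed.
$local = Get-LocalUser -Name $managedName -ErrorAction SilentlyContinue
if ($null -eq $local) {
    Write-Warning "Managed account '$managedName' does not exist on this computer; LAPS will manage nothing here."
} else {
    $local | Select-Object Name, Enabled, PasswordLastSet, SID | Format-List
}
```

Comparing PasswordLastSet on the client with ms-Mcs-AdmPwdExpirationTime on the computer object is a quick way to see whether a rotation has actually taken place. For a custom account such as LapsAdmin, the account has to exist on every machine before the policy is useful, so it is normally created by a separate Group Policy preference and then named in the LAPS setting.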