
October 1, 2015

Managing Local Administrator Passwords on Windows Workstations


Microsoft offers the Local Administrator Password Solution (LAPS) to let administrators set a random, unique local administrator password on each workstation or server joined to Active Directory. The tool works by installing a small client-side extension on each managed machine and then configuring a GPO that sets the password format and expiration interval. Below are the steps required to configure LAPS.


Server Setup

1. Download LAPS from https://support.microsoft.com/en-us/kb/3062591
2. Run the installer on your management workstation, select the three items under the management tools, and click Next to complete the install.
3. Next, run the following command to extend the schema, which adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration attributes to the computer object class.
4. Next, run the following commands to set the permissions that allow each computer account to update its own password attributes and allow Domain Admins to read and reset the password:
  • Set-AdmPwdComputerSelfPermission -OrgUnit
  • Set-AdmPwdReadPasswordPermission -OrgUnit -AllowedPrincipals "\Domain Admins"
  • Set-AdmPwdResetPasswordPermission -OrgUnit -AllowedPrincipals "\Domain Admins"
5. Next, open your GPO and navigate to Computer Configuration\Administrative Templates\LAPS.
6. At a minimum you will need to enable the Password Settings and the Enable local admin password management settings.
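The steps above, run end to end from the management workstation, as an added example that is not part of the original post. The OU distinguished name and the domain prefix on "Domain Admins" are placeholders for your own values; the audit step at the end is an addition the post does not describe.

```powershell
# Added example (not from the original post): server-side LAPS setup, run on
# the management workstation where the AdmPwd.PS module was installed.
# OU path and domain prefix are placeholders; replace them with your own.
Import-Module AdmPwd.PS

$ou = "OU=Workstations,DC=example,DC=local"   # placeholder OU that holds managed computers

# Step 3: extend the schema (once per forest, as a member of Schema Admins)
Update-AdmPwdADSchema

# Step 4: let each computer account write its own ms-Mcs-AdmPwd* attributes
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Only Domain Admins may read and reset the stored passwords
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "EXAMPLE\Domain Admins"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "EXAMPLE\Domain Admins"

# Check: any principal holding "All extended rights" on the OU can read
# ms-Mcs-AdmPwd regardless of the grants above, so list them and remove
# any holder that should not be able to see local admin passwords.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# Optional: audit every read of the password attribute (surfaces as
# Directory Service Access events on the domain controllers).
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals "Everyone"
```

The Find-AdmPwdExtendedRights check is the one worth repeating after any delegation change: the read-password grant is an extended right, so a group delegated broad OU control elsewhere inherits the ability to read every managed machine's password without appearing in the explicit LAPS grants.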

Workstation Setup
1. On the managed client, run the LAPS.x64.msi installer and this time select only the first option, "AdmPwd GPO Extension", and complete the install.
2. Refresh Group Policy on the machine to apply the new policy.
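A scripted version of the two client steps with a verification pass afterwards, added here as an example and not taken from the original post. The MSI path is a placeholder; the ADDLOCAL feature name, the policy registry key and the event provider name are my assumptions about the LAPS package, so confirm them on one test machine before rolling the script out.

```powershell
# Added example (not from the original post): silent client install plus checks
# on a managed workstation. Path is a placeholder; the ADDLOCAL feature name,
# policy registry key and event provider name are assumptions about LAPS.
$msi = "C:\Temp\LAPS.x64.msi"   # placeholder path to the downloaded installer

# Install only the GPO client-side extension (the "AdmPwd GPO Extension" option)
Start-Process msiexec.exe -ArgumentList "/i `"$msi`" ADDLOCAL=CSE /qn" -Wait

# Check 1: the extension must be registered as a Group Policy client-side extension
$cse = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" |
       Get-ItemProperty | Where-Object { $_.DllName -like "*AdmPwd*" }
if (-not $cse) { Write-Warning "AdmPwd GPO extension is not registered" }

# Step 2: pull the new policy
gpupdate /target:computer /force

# Check 2: the ADMX settings land under this key (assumed); AdmPwdEnabled = 1
# means the "Enable local admin password management" setting reached the client
$policy = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" -ErrorAction SilentlyContinue
if ($policy.AdmPwdEnabled -ne 1) { Write-Warning "LAPS policy not applied (AdmPwdEnabled missing or 0)" }

# Check 3: the extension logs to the Application log; errors here usually mean
# the computer account cannot write ms-Mcs-AdmPwd back to its own AD object
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "AdmPwd" } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Until the first policy refresh completes and the extension writes a password back to AD, the machine still has whatever local administrator password it had before, so treat the event-log check as the point at which a workstation is actually under LAPS management rather than the install itself.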

Viewing the Password

You have three options to view the password:

- On the machine where you installed the AdmPwd.PS PowerShell module, run the following command:
get-admpwdpassword -computername

- From Active Directory Users and Computers, open the computer object, select the Attribute Editor tab and scroll down to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration.

- The last option is to use the LAPS UI client that is installed with the management tools. It can be found on the Start menu of the machine where you installed the management tools.
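The first two retrieval options carried through in PowerShell, together with the follow-up a practitioner wants after using a password and a check for machines whose password has stopped rotating. This is an added example, not code from the original post; the computer name and OU are placeholders.

```powershell
# Added example (not from the original post): read a LAPS password, decode its
# expiration, force rotation after use, and find machines that stopped rotating.
# Computer name and OU are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$computer = "WKS-0001"   # placeholder managed workstation

# Option 1: the module returns the clear-text password and its expiration
$entry = Get-AdmPwdPassword -ComputerName $computer
$entry | Select-Object ComputerName, Password, ExpirationTimestamp

# Option 2: the same data straight from the attributes the Attribute Editor shows.
# ms-Mcs-AdmPwdExpiration is a Windows FILETIME (100 ns ticks since 1601) stored as a string.
$obj = Get-ADComputer $computer -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpiration
$expires = [DateTime]::FromFileTime([int64]$obj.'ms-Mcs-AdmPwdExpiration')
"{0} password expires {1:u}" -f $computer, $expires

# Once a password has been typed at a console, treat it as exposed: set the
# expiration to now so the client extension rotates it at the next policy refresh.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)

# Check: list machines whose expiration is in the past but whose password has not
# been rotated, which usually means the extension is not running or cannot write to AD.
$nowFt = (Get-Date).ToFileTime()
Get-ADComputer -SearchBase "OU=Workstations,DC=example,DC=local" -Filter * -Properties ms-Mcs-AdmPwdExpiration |
    Where-Object { $_.'ms-Mcs-AdmPwdExpiration' -and [int64]$_.'ms-Mcs-AdmPwdExpiration' -lt $nowFt } |
    Select-Object Name, @{ n = 'ExpiredAt'; e = { [DateTime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpiration') } }
```

Reset-AdmPwdPassword does not change the password itself; it only rewrites ms-Mcs-AdmPwdExpiration, and the client extension does the actual rotation on its next Group Policy refresh, so a machine that is offline keeps the exposed password until it next processes policy.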


Troubleshooting Tips
I installed the product on Windows 2008 R2 and when trying to load the PowerShell module I discovered that I needed to download and install two additional software updates to get around the error below.