What are your existing procedures for dealing with local Windows administrator passwords? Every Windows system has one, and they hold the keys to each computer’s kingdom. Because local admin passwords aren’t part of Active Directory (AD), you’ll have to handle each account individually on each device. It’s inconvenient.
Many times, businesses don’t give it much thought and simply set a standard administrator password on each Windows machine. Although convenient, this practice exposes organizations to a much larger problem if that one, master password falls into the wrong hands. Having a distinct local administrator password on each computer does not prevent a malevolent user from accessing one machine, but it does significantly reduce lateral exploitation of other computers.
LAPS (Local Administrator Password Solution) from Microsoft may assist.
In this post, you’ll discover how to set up LAPS to protect your AD-connected devices.
What is Microsoft LAPS, and how does it work?
LAPS is a critical component in maintaining the security of a Windows domain. It is a tool that automatically randomizes the local administrator password on every domain computer that has LAPS enabled and renews that password on a regular schedule.
LAPS guarantees that local administrator passwords are randomized throughout your domain, which closes one common path for lateral movement by attackers and malware. You may believe that a long local administrator password on each client protects you from this, but it does not.
Attackers can use the Pass-the-Hash technique to spread quickly across your domain whenever the same local administrator password (and therefore the same password hash) is reused on many machines, and they may even obtain a domain admin credential the same way. LAPS prevents this by forcing a malicious user to obtain a separate password for each computer.
LAPS in the Real World
LAPS is divided into three parts: locked-down AD attributes, GPO configuration, and a client-side DLL that applies that configuration.
Locked-down AD attributes
ms-Mcs-AdmPwd is the AD attribute in which LAPS stores the local administrator password of each managed computer. LAPS also needs to know when a password expires in order to replace it, so it stores that date in the ms-Mcs-AdmPwdExpirationTime AD attribute. These attributes are readable and writable only by defined AD principals, such as a group or a user, plus the computer account to which the password belongs.
GPO Configuration
LAPS also has a set of GPO settings that provision LAPS on a computer and control how the password is changed. When the GPO is linked to a set of computers, the LAPS settings are delivered to each computer. When the computer applies the GPO settings, LAPS uses a special DLL file (a Group Policy client-side extension) to interpret them.
When LAPS detects that the current date has passed the password’s expiry date, it will:
- Generate a new random password and set it as the local administrator password.
- Update the ms-Mcs-AdmPwd attribute in AD with the new local administrator password.
- Update ms-Mcs-AdmPwdExpirationTime with a new expiry date.
The domain computers are kept even more secure by adopting this innovative but easy solution.
Setting Up LAPS
Enough background, let’s get down to actually seeing what LAPS can do! Setting up LAPS is not complicated, but it does require a few steps that you’re going to learn in this tutorial. They are:
- Installing the LAPS Management Tools on your admin computer.
- Adding the two custom AD attributes LAPS uses to the AD schema.
- Granting the proper permissions in AD to the different components.
- Creating the LAPS GPO that will apply to Windows machines.
- Installing the LAPS GPO extension on the Windows machines that need it.
Once you’ve completed the procedures above, you’ll have a fully working LAPS environment ready to use!
Prerequisites
In this article, you’ll be setting up LAPS for real. If you’d like to follow along, please be sure you meet a few prerequisites first.
- An Active Directory domain (2003 or later)
- RSAT for Active Directory installed on a machine running Windows 10 or Windows Server 2012 or later.
- Have access to a user who is a member of both the AD Domain Admins and the AD Schema Admins groups.
The contoso.com domain will be used in all of the examples in this article.
It’s best to remain a member of the Schema Admins group only for as long as you need the access.
Microsoft LAPS Management Tools Installation
To begin, download and install the LAPS Management Tools on your administrative computer. These management tools will install the LAPS GPO extension (if chosen) as well as the LAPS management tools.
1. Begin by downloading LAPS.x64.msi, running it as an administrator, and clicking Next.
Microsoft LAPS Installation
2. Press Next until you reach the custom setup screen, then choose Management Tools and Entire feature will be installed on local hard drive to install both of these components. Select AdmPwd GPO Extension only if you also want LAPS to manage the computer you are installing on.
Select Management Tools from the drop-down menu.
3. Continue clicking Next until the installation is complete, then exit the installer.
With the LAPS management tools (and, if desired, the GPO extension) installed, you can now extend the AD schema and create the GPOs.
Adding to the AD Schema
LAPS employs two AD properties, ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, as previously described. These two properties are not included by default in the AD schema and must be added.
- Start with an account that is a member of the Domain Admins group and, if it isn’t one already, add it to the Schema Admins group. This will be referred to as your “admin account.”
- Import the AdmPwd PowerShell module by running Import-Module AdmPwd.PS in a PowerShell console opened as your admin account.
- After you’ve imported the module, use the Update-AdmPwdADSchema command to update the AD schema and add the two AD attributes. The output is seen in the following screenshot.
Admin Account for Powershell
You’ve now added the LAPS attributes to your AD schema and are ready to set up permissions in Active Directory.
Permissions in Active Directory Configuration
Each computer must be able to update its own local administrator password and expiry time in AD. To do so, each computer needs self-write permission on its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime AD attributes. Fortunately, the AdmPwd PowerShell module makes most of this work simple.
Permitting Machines to Save Passwords
First, make sure that each computer can store its password in the ms-Mcs-AdmPwd AD attribute and update the ms-Mcs-AdmPwdExpirationTime AD attribute when the password expires. The AdmPwd.PS PowerShell module’s Set-AdmPwdComputerSelfPermission command sets these permissions on an organizational unit (OU) and all of its child OUs.
In PowerShell, run Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com', replacing the OU and domain name with your own.
OU and Domain Name should be updated.
Repeat the preceding command for each OU in AD that you want LAPS to manage.
Finding Extended Rights to Lock Down AD Attributes
To verify that only the people and groups you intend can read and reset each computer’s local admin password, you must audit who holds extended rights on the OU, because the “All extended rights” permission also allows reading the password attribute. Extended rights should be held only by accounts that need them.
To find accounts with extended rights, run Find-AdmPwdExtendedRights -OrgUnit 'OU=Workstations,DC=contoso,DC=com' | Select -ExpandProperty ExtendedRightHolders with your own OU and domain name substituted.
As seen in the accompanying image, CONTOSO\joe-the-admin and CONTOSO\MDT-service hold extended rights on the OU Workstations.
OU Workstations
The extended right is required for the MDT-service account, but not for joe-the-admin. You must now remove the extended right from joe-the-admin.
Repeat this check for every OU to which you granted self-write permission in the previous step.
Removing Extended Rights
Now that you’ve identified each account from which you want to remove extended rights, it’s time to take action.
1. Open Active Directory Users and Computers and make sure Advanced Features is turned on in the View menu. With advanced features on, you can see all of the normally hidden OUs, as shown in the picture below.
OUs that are hidden
2. Right-click the OU from which you wish to remove the extended right and select Properties.
Remove OU by right-clicking it.
3. Select the Security tab, then click Advanced.
4. Locate the account or group whose extended rights you wish to remove, select it, and click Remove.
Account Deletion on the Security Tab
5. Repeat steps 1-4 for all principals with extended rights as required.
Permission to Read and Reset the Password of the Local Administrator
Now that you’ve ensured that only relevant accounts have extended permissions, you’ll need to establish two AD groups named LAPS Workstations Password Read and LAPS Workstations Password Reset for reading and resetting the local admin password.
It’s worth noting that the group names used here aren’t required. You can name the groups anything you choose.
With a PowerShell console still open as your admin account, enter the following commands to give the first AD group permission to read, and the second AD group permission to reset, the local administrator password of computers in the OU Workstations.
PS> Set-AdmPwdReadPasswordPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com' -AllowedPrincipals "LAPS Workstations Password Read"
PS> Set-AdmPwdResetPasswordPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com' -AllowedPrincipals "LAPS Workstations Password Reset"
The AD groups above can now read and reset the local administrator passwords of computers in the OU Workstations. Next, add the administrators or groups who need to read or reset passwords to these groups.
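As an added example (not code from the original article), the following PowerShell script applies the whole permission procedure above to several OUs in one pass: self-write for the computers, read and reset delegated to the two groups, and a report of every principal holding extended rights on each OU so that leftovers such as joe-the-admin stand out. It assumes the AdmPwd.PS and ActiveDirectory modules and a console running as your admin account; the OU paths, the OU=Groups container and the list of expected right holders are constructed values for contoso.com that you would replace with your own.

```powershell
# Added example, not part of the original article. Assumes AdmPwd.PS and the
# ActiveDirectory RSAT module; all OU paths and group names below are constructed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ManagedOUs = @(
    'OU=Workstations,DC=contoso,DC=com',
    'OU=Laptops,DC=contoso,DC=com'
)
$ReadGroup  = 'LAPS Workstations Password Read'
$ResetGroup = 'LAPS Workstations Password Reset'
$GroupOU    = 'OU=Groups,DC=contoso,DC=com'          # constructed container for the two groups

# Principals that are allowed to keep "All extended rights" on the managed OUs.
# Anything else in the report should be reviewed and removed in ADUC as described above.
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\MDT-service')

# Create the delegation groups if they do not exist yet.
foreach ($Name in $ReadGroup, $ResetGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Universal -GroupCategory Security `
                    -Path $GroupOU -Description 'LAPS delegation group'
    }
}

foreach ($OU in $ManagedOUs) {
    # 1. Each computer may write its own password and expiration time.
    Set-AdmPwdComputerSelfPermission -OrgUnit $OU | Out-Null

    # 2. Reading and resetting are delegated to the two groups only.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $ReadGroup  | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $ResetGroup | Out-Null

    # 3. Report every holder of extended rights on the OU and mark the unexpected ones.
    $Holders = Find-AdmPwdExtendedRights -Identity $OU |
               Select-Object -ExpandProperty ExtendedRightHolders
    foreach ($Holder in $Holders) {
        [pscustomobject]@{
            OU        = $OU
            Principal = $Holder
            Status    = if ($ExpectedHolders -contains $Holder) { 'expected' } else { 'REVIEW' }
        }
    }
}
```

Run it once after extending the schema and again after any delegation change; the rows marked REVIEW are the principals that can read passwords through the “All extended rights” permission without being in either delegation group.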
Creating a Central Store for Templates for Group Policies
To enable LAPS on the PCs once it has been installed there, you create a group policy, which first requires importing the LAPS group policy templates into the PolicyDefinitions store. The PolicyDefinitions store (the central store) is a folder in SYSVOL that is replicated to all domain controllers.
A LAPS GPO that targets domain controllers should never be enabled. It isn’t supported and may result in unforeseen issues.
- Select a domain controller in Active Directory; any domain controller will suffice.
- Make sure the folder \\<domain controller>\SYSVOL\contoso.com\Policies\PolicyDefinitions exists. If it doesn’t, create it now.
- Copy the contents of C:\Windows\PolicyDefinitions on your admin machine (the one where LAPS was installed) to that PolicyDefinitions folder in SYSVOL on the domain controller.
Creating the GPO
With the LAPS GPO templates in the Central Store (the PolicyDefinitions folder), you can now create the GPO.
1. Under your admin account, open Group Policy Management, right-click the OU in which you wish to activate LAPS, and choose Create a GPO in this domain, and Link it here… Give the new GPO a name, then right-click it and choose Edit.
Management of Group Policies
2. Navigate to Computer Configuration > Administrative Templates > LAPS and set Enable local admin password management to Enabled. If you have different requirements for password complexity, edit the Password Settings accordingly.
Creating a link between GPO and all OUs
You’re almost finished! Now connect this GPO to all OUs where LAPS will be used.
LAPS GPO Extension Deployment
You must now deploy the LAPS GPO extension once the GPO has been deployed to all appropriate OUs with machines. You may install this extension in one of two ways: by using the MSI installer (as demonstrated above) or by registering the LAPS DLL file.
If you want to install the MSI, run the following command on every machine in a LAPS-managed OU to activate LAPS.
> msiexec /q /i \\server\share\LAPS.x64.msi
If you prefer to activate LAPS by registering the DLL instead, use the command below.
> regsvr32.exe \\server\share\AdmPwd.dll
To run these commands on the machines, you may use whatever remote execution tool you have.
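An added example (not from the original article) of doing the MSI deployment above with PowerShell remoting instead of a GPO: it enumerates the computers of a managed OU, copies the MSI into each remote session, runs msiexec quietly, and checks that the client-side extension DLL landed in its default location. It assumes WinRM is enabled on the clients, that the account running it is a local administrator there, PowerShell 5 or later for Copy-Item -ToSession, and uses a constructed OU path and share path.

```powershell
# Added example, not part of the original article. OU and share paths are constructed.
Import-Module ActiveDirectory

$OU      = 'OU=Workstations,DC=contoso,DC=com'     # constructed OU path
$MsiPath = '\\fileserver\software\LAPS.x64.msi'    # constructed share path
$Remote  = 'C:\Windows\Temp\LAPS.x64.msi'          # where the package is staged on each client

$Computers = Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DNSHostName

# Open sessions to the machines that answer; unreachable ones are reported at the end.
$Sessions = New-PSSession -ComputerName $Computers -ErrorAction SilentlyContinue

foreach ($Session in $Sessions) {
    # Stage the package inside the session rather than letting msiexec read the share:
    # the remote session holds no delegable credentials, so a direct read of
    # \\fileserver from the client would fail with the classic "second hop" error.
    Copy-Item -Path $MsiPath -Destination $Remote -ToSession $Session
}

$Results = Invoke-Command -Session $Sessions -ArgumentList $Remote -ScriptBlock {
    param($Msi)
    # Quiet install. Exit code 0 is success; 3010 is success with a reboot pending.
    $Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/q /i `"$Msi`"" -Wait -PassThru
    Remove-Item -Path $Msi -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExitCode = $Proc.ExitCode
        # Default install location of the LAPS Group Policy client-side extension.
        CseFound = Test-Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')
    }
}

$Results | Select-Object PSComputerName, ExitCode, CseFound |
    Sort-Object PSComputerName | Format-Table -AutoSize

# Machines without a session never got the package; list them for a second pass.
$Reached = $Sessions | ForEach-Object { $_.ComputerName }
foreach ($Computer in $Computers) {
    if ($Computer -notin $Reached) { Write-Warning "$Computer : no session (offline or WinRM disabled)" }
}
$Sessions | Remove-PSSession
```

A computer that reports ExitCode 0 but CseFound false usually means the MSI was run with the GPO extension feature deselected; rerun it with the default feature set on that machine.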
Using a GPO to deploy the LAPS MSI
The simplest way to guarantee that the LAPS GPO extension is installed on all machines is to use a GPO.
1. Copy LAPS.x64.msi to a network share that all Domain Computers can read.
2. Open Group Policy Management on your admin computer and create a GPO called Install LAPS or something similar.
Install LAPS is a GPO that you may create.
3. Right-click the Install LAPS GPO, click Edit, and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
Installation of LAPS GPO Software
4. Right-click Software Installation and choose New > Package…
New Package from the GPO
5. Browse to the share where you copied LAPS.x64.msi, click OK, and then select Assigned.
LAPS.x64.msi has been assigned to you.
6. Finally, link the GPO to the same OUs that LAPS is configured for. You’re now ready to put LAPS to the test!
LAPS testing
To confirm that LAPS is working as intended on the managed PCs, let’s force one of the computers to apply the GPOs above and watch what happens.
1. Restart a PC that belongs to one of the OUs you’ve just linked the GPOs to. Once the machine is back up, it should begin installing LAPS.
2. After LAPS has been installed, restart the computer once more. Then, on your admin computer, open a PowerShell console as an account that belongs to the LAPS Workstations Password Read and LAPS Workstations Password Reset AD groups.
3. Run Get-AdmPwdPassword <ComputerName> with the name of the computer you just rebooted and installed LAPS on. If all went well, you will see something similar to the output in the following screenshot.
Output of the LAPS Installation
4. Now try to log into the LAPS-managed computer with the password displayed above. If it worked, you should be in.
5. Now try to reset the password by running Reset-AdmPwdPassword <ComputerName> and rebooting the computer. See how the password changed in the following screenshot?
Password Reset for LAPS
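To extend the test above from one computer to a whole OU, here is an added PowerShell example (not from the original article) that reports each computer’s LAPS state from AD without ever displaying a password: it converts ms-Mcs-AdmPwdExpirationTime from its FILETIME form, flags computers whose expiry has passed (rotation overdue, typically an offline machine or a client where the extension is not running) or was never set (LAPS has not run there yet), and records only whether the password attribute is populated. It assumes the ActiveDirectory RSAT module and a constructed OU path; the HasPassword column is meaningful only when run as a member of the password-read group, because AD does not return the attribute to other accounts at all.

```powershell
# Added example, not part of the original article. The OU path is constructed.
Import-Module ActiveDirectory

function Get-LapsStatus {
    param([string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com')

    $Props = 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd'
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $Props | ForEach-Object {
        $Raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01) stored as Int64.
        $Expires = if ($Raw) { [DateTime]::FromFileTime([int64]$Raw) } else { $null }

        if (-not $Raw) {
            $State = 'NotManaged'        # the LAPS client-side extension has never run here
        }
        elseif ($Expires -lt (Get-Date)) {
            $State = 'Expired'           # rotation is overdue; check that the client is online and applying the GPO
        }
        else {
            $State = 'OK'
        }

        [pscustomobject]@{
            Computer    = $_.Name
            Expires     = $Expires
            State       = $State
            # A Boolean only: is the attribute populated? The clear-text value never reaches the report.
            HasPassword = [bool]$_.'ms-Mcs-AdmPwd'
        }
    }
}

# Summary by state first, then the machines that need attention, oldest expiry first.
$Status = Get-LapsStatus
$Status | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$Status | Where-Object State -ne 'OK' | Sort-Object Expires |
    Format-Table Computer, State, Expires -AutoSize
```

Running this a day after rollout gives a quick picture of which computers the GPO has actually reached; a machine that stays in NotManaged after several reboots has not installed the extension or is not in a linked OU.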
LAPS is now operational in your environment. While the administration is simple, there are a few things you should be aware of…
Tips & Tricks for Using LAPS in Real-Life Situations
While the setup above is sufficient for most smaller environments, it may be insecure or lack the level of auditing required by larger enterprises. Here are some pointers on how to make it work in the real world.
1. Enable auditing
It’s crucial to keep track of when someone reads or changes a password, particularly so that you can raise an alert when someone reads the passwords of all machines at once. Fortunately, the AdmPwd module has a cmdlet that does precisely that: it adds an audit entry for the chosen principals to the OU so that password reads are logged on the domain controllers.
PS> Set-AdmPwdAuditing -AuditedPrincipals Everyone -OrgUnit 'OU=Workstations,DC=contoso,DC=com'
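Once Set-AdmPwdAuditing has placed the audit entry on the OU, each password read appears on the domain controllers as Security event 4662 (“An operation was performed on an object”) whose Properties field lists the schemaIDGUID of ms-Mcs-AdmPwd. The following PowerShell is an added example (not from the original article) of turning those events into the alert the paragraph above asks for: it resolves the attribute GUID from the schema (the GUID is generated when the schema is extended, so it differs per forest and must not be hard-coded), collects the matching events from each domain controller, and summarizes how many distinct computers each identity read. It assumes the ActiveDirectory RSAT module, that the “Audit Directory Service Access” subcategory is enabled on the domain controllers, that the caller may read their Security logs, and uses constructed domain controller names.

```powershell
# Added example, not part of the original article. Domain controller names are constructed.
Import-Module ActiveDirectory

function Get-LapsPasswordReads {
    param(
        [string[]]$DomainControllers = @('dc01.contoso.com', 'dc02.contoso.com'),
        [int]$Hours = 24
    )
    # Look up the schemaIDGUID of ms-Mcs-AdmPwd; it is forest-specific.
    $SchemaNC = (Get-ADRootDSE).schemaNamingContext
    $Attr     = Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
                             -Properties schemaIDGUID
    $AttrGuid = ([guid]$Attr.schemaIDGUID).Guid     # string form without braces

    foreach ($DC in $DomainControllers) {
        $Filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $AttrGuid } |    # only 4662 events that touched this attribute
            ForEach-Object {
                # Read the named fields from the event XML instead of scraping the rendered message.
                $Field = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Field[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    DC     = $DC
                    Reader = '{0}\{1}' -f $Field['SubjectDomainName'], $Field['SubjectUserName']
                    Object = $Field['ObjectName']    # distinguished name of the computer object read
                }
            }
    }
}

# One identity reading many different computers' passwords in a short window is the
# signature of a bulk dump and deserves an alert; a help-desk user reading one machine
# is business as usual.
Get-LapsPasswordReads |
    Group-Object Reader |
    Select-Object @{ n = 'Reader';            e = { $_.Name } },
                  @{ n = 'Reads';             e = { $_.Count } },
                  @{ n = 'DistinctComputers'; e = { ($_.Group.Object | Sort-Object -Unique).Count } } |
    Sort-Object DistinctComputers -Descending
```

Feed the same query into your SIEM or a scheduled task and alert on a DistinctComputers count above whatever your help desk legitimately handles per day; without the subcategory enabled on the domain controllers the audit entry alone produces no events.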
2. Ensure that no user can read the ms-Mcs-AdmPwd AD attribute directly.
One way to avoid giving users direct read access to the ms-Mcs-AdmPwd AD attribute is to build a self-service mechanism for retrieving a computer’s local admin password, so that retrieval goes through a controlled path rather than a direct AD read. If you don’t already have a self-service portal, look at solutions like JEA or WebJEA, which aren’t covered in this article.
3. Reset the ms-Mcs-AdmPwdExpirationTime attribute when reimaging
When reimaging a LAPS-managed machine, remember to reset its ms-Mcs-AdmPwdExpirationTime attribute; otherwise the stored expiry date is still in the future, the freshly imaged machine will not trigger a password change, and it will keep the local admin password set by the image until that expiry date has passed.
Without the AdmPwd module, you can use the following PowerShell to reset the expiration time:
# Using RSAT: set the expiry to now, so the next Group Policy refresh rotates the password
# (the attribute stores a Windows FILETIME, hence the ToFileTime() conversion)
PS> Get-ADComputer Workstation1 | Set-ADObject -Replace @{'ms-Mcs-AdmPwdExpirationTime' = (Get-Date).ToFileTime()}
# Without RSAT: clear the attribute through ADSI; LAPS treats a missing expiry as expired
PS> $Computer = New-Object System.DirectoryServices.DirectoryEntry 'LDAP://CN=Workstation1,OU=Workstations,DC=contoso,DC=com'
PS> $Computer.Properties['ms-Mcs-AdmPwdExpirationTime'].Clear()
PS> $Computer.CommitChanges()
4. Keep in mind that the ms-Mcs-AdmPwd Attribute is archived in the AD Recycle Bin.
When you delete an object with the AD Recycle Bin enabled, AD normally strips important attributes from the deleted object; fortunately, ms-Mcs-AdmPwd is preserved.
5. LAPS Isn’t Designed for Temporary Use
LAPS isn’t designed to allow temporary access to suppliers, users, or other sorts of accounts, as tempting as it may be. Utilize an AD group that is a local admin of that single machine instead of LAPS, and use TimeToLive on group memberships.
Conclusion
You’ve now learned how to install LAPS, how to define its permissions, and some security tips and tricks. In a LAPS-enabled environment, all local administrator passwords are changed regularly and automatically. This dramatically reduces the chance that one hacked or malware-infected domain-joined machine leads to the compromise of others, and hopefully saves you a lot of time and aggravation.
Please feel free to tweet me at @AlexAsplund or leave a comment below if you have any queries.