Local Administrator Password Solution - Deployment Guide
What exactly is LAPS?
LAPS is a solution that changes the local administrator password on all domain-joined computers to a complex value and rotates it again after a set number of days.
LAPS was previously available only to customers with Microsoft Premier agreements; the Local Administrator Password Solution (LAPS) has recently been published for all customers as part of MSA 3062591.
The "Local Administrator Password Solution" (LAPS) provides centralized storage of secrets/passwords in Active Directory (AD), with no additional servers required.
Purpose of LAPS
LAPS secures Active Directory environments by ensuring that every computer has a different, complex local administrator password. It stores each password in an attribute that it adds to the "computer" class in Active Directory. Permission to read this password attribute must be explicitly granted; nobody gets it by default.
https://www.microsoft.com/en-us/download/details.aspx?id=46899
From the above link you can download the MSI package for the x86 and x64 architectures, along with the Datasheet, Operations Guide and Technical Specification documents.
DEPLOYMENT:
First install the LAPS fat client UI and the PowerShell module on a domain controller, then create a Group Policy to install LAPS on the client computers, as described below.
1. Installation of LAPS is very simple. Just run the installer and click Next
2. Accept the EULA and click Next
3. Click the drop-down menu and select "Entire feature will be installed on local hard drive"
4. Click Next
5. Click Install
1. Create a Distribution Point
a. Create a shared network folder (this folder will contain the LAPS MSI package)
b. Set permissions on this folder to allow access to the distribution package
c. Copy the MSI into the shared folder
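The three sub-steps above scripted as an added example (this is not part of the original guide or of the LAPS product). It creates the share with the minimum rights the deployment needs: the machine accounts that will install the package at startup get read-only access, only the deployment admins may write, so the MSI on the share cannot be swapped for something else by an ordinary user. The server path, share name and MSI file name are assumptions; the expected hash is a placeholder to be taken from the Microsoft download page.

```powershell
# Added example: create the LAPS distribution point with least-privilege permissions.
# $Root, $ShareName and $MsiSource are assumed values; adjust for your environment.
$Root      = 'D:\Deploy\LAPS'          # assumed local folder on the file server
$ShareName = 'LAPS$'                   # assumed (hidden) share name
$MsiSource = 'C:\Temp\LAPS.x64.msi'    # assumed location of the downloaded MSI
$ExpectedSha256 = '<SHA256 published with the download>'   # placeholder, fill in from the download page

# a. Create the folder that will hold the MSI.
New-Item -Path $Root -ItemType Directory -Force | Out-Null

# b. NTFS permissions: stop inheriting from the parent, then grant only what is needed.
#    Domain Computers read the package as SYSTEM during startup processing, so they
#    need ReadAndExecute; Domain Admins manage the contents.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # $true = protect from inheritance, $false = drop inherited rules
$grants = @(
    @('Domain Admins',    'FullControl'),
    @('SYSTEM',           'FullControl'),
    @('Domain Computers', 'ReadAndExecute')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Root -AclObject $acl

#    Share permissions: specifying -ReadAccess/-FullAccess suppresses the default
#    "Everyone: Read" that New-SmbShare would otherwise add.
New-SmbShare -Name $ShareName -Path $Root `
    -ReadAccess 'Domain Computers' -FullAccess 'Domain Admins' | Out-Null

# c. Copy the MSI in and confirm it is the file Microsoft published before it is
#    assigned to every computer in the domain.
Copy-Item -Path $MsiSource -Destination $Root
$copied = Join-Path $Root (Split-Path $MsiSource -Leaf)
$actual = (Get-FileHash -Path $copied -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Write-Warning "Hash of $copied ($actual) does not match the published value; do not deploy it."
}

# The UNC path to type into the Software Installation "Open" dialog later on:
"\\$env:COMPUTERNAME\$ShareName\$(Split-Path $MsiSource -Leaf)"
```

Repeat the copy and hash check for the x86 MSI if you also deploy 32-bit clients; the share and its permissions are shared by both packages.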
2. Create Group Policy
a. Connect to your domain controller. Go to Start > Administrative Tools > Group Policy Management.
b. Select the domain, then select Action > Create a GPO in this domain, and Link it here....
c. After creating the object, select Action > Edit....
d. Navigate to Computer Configuration > Policies > Software Settings > Software Installation
e. Right-click Software Installation, select New from the context menu and then click Package
f. In the Open dialog, type the full UNC path of the shared package you want to assign
g. Click the Open button
h. Click Assigned and then click OK (the package will be added to the right pane of the "Group Policy" window)
Please make sure that you edit the x86 package to uncheck the "Make this 32-bit X86 application available to Win64 machines" option. This ensures that 64-bit computers get the 64-bit DLL and 32-bit machines get the 32-bit DLL.
i. Close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in
j. When the client computers start, the assigned package will be installed automatically.
k. Navigate to Computer Configuration > Policies > Administrative Templates > LAPS
l. Configure the settings as you like.
e.g.
1. Enable local admin password management: Enabled
2. Password Settings: Enabled
a. Complexity: Large letters, small letters, numbers, specials
b. Length: 12 characters
c. Age: 30 days
3. Name of administrator account to manage: Not Configured (this will use the default SID -500 account)
4. Do not allow password expiration time longer than required by policy: Enabled
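The same four settings applied from the GroupPolicy module instead of the editor, as an added example that is not part of the original guide. It writes the registry-based policy values that the LAPS Administrative Template (AdmPwd.admx) represents, then reads them back from the GPO and, on a client, checks that the policy and the client-side extension actually arrived. The GPO name and the client name are assumptions; the value names are those used by the legacy LAPS ADMX template and should be confirmed against the template shipped with your LAPS version.

```powershell
# Added example: configure the LAPS policy settings from the guide on an existing,
# already-linked GPO, then verify them. $GpoName is an assumption.
Import-Module GroupPolicy

$GpoName = 'LAPS - Client Settings'                          # assumed GPO name
$Key     = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd' # key the LAPS ADMX template writes to

# Values mirroring the example settings above. AdminAccountName is deliberately
# left unset so LAPS manages the built-in RID-500 administrator account.
$Settings = [ordered]@{
    AdmPwdEnabled                  = 1    # Enable local admin password management: Enabled
    PasswordComplexity             = 4    # 4 = large letters, small letters, numbers, specials
    PasswordLength                 = 12   # Length: 12 characters
    PasswordAgeDays                = 30   # Age: 30 days
    PwdExpirationProtectionEnabled = 1    # Do not allow expiration longer than the policy: Enabled
}

foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type DWord -Value $Settings[$name] | Out-Null
}

# Read back what the GPO now carries before telling clients to refresh.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value |
    Format-Table -AutoSize

# Client-side check (run on a managed computer after gpupdate /force and a reboot):
# the policy must have landed in HKLM and the LAPS client-side extension must be
# installed, otherwise the password will never be rotated and nothing reports it.
function Test-LapsClient {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $csePath    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'   # default install location of the CSE

    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyApplied   = ($null -ne $policy) -and ($policy.AdmPwdEnabled -eq 1)
        PasswordLength  = $policy.PasswordLength
        PasswordAgeDays = $policy.PasswordAgeDays
        CseInstalled    = Test-Path -Path $csePath
    }
}

Test-LapsClient
```

If PolicyApplied is true but CseInstalled is false, the Software Installation package from the earlier steps has not been applied yet (or the wrong architecture was offered), and the computer is still running with whatever local administrator password it had before.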
Configuring Active Directory for LAPS
Extend the AD Schema
To allow secure password storage on computer objects, a number of changes are required in Active Directory. LAPS adds the following two attributes to Active Directory's computer class:
- ms-Mcs-AdmPwd - this attribute stores the password itself
- ms-Mcs-AdmPwdExpirationTime - this attribute stores the time after which the computer's password should be changed
Connect to a domain controller as a member of the Schema Admins Active Directory group. Open an elevated Windows PowerShell prompt, import the AdmPwd.PS module and update the AD schema:
- Import-Module AdmPwd.PS
- Get-Command -Module AdmPwd.PS
- Update-AdmPwdADSchema
Configure Active Directory Permissions
Active Directory computer object properties can be read by any user with Domain Users privileges or above, so we have to restrict who can view the newly created ms-Mcs-AdmPwd attribute.
1. Open ADSIEdit.msc
2. Right-click the ADSI Edit node and choose Connect to....
3. Ensure that Default Naming Context is selected and click OK
4. Expand the tree to find the organizational unit that contains the computer objects
5. Right-click the OU and select Properties
6. On the Security tab, choose Advanced
7. Select each non-administrative group and uncheck the All extended rights permission for it
8. Grant computers the right to update their own password attribute using Set-AdmPwdComputerSelfPermission:
Set-AdmPwdComputerSelfPermission -OrgUnit "Distinguished Name of the OU which has computer objects"
e.g. Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Desktops,DC=sampledomain,DC=com"
9. To grant users the right to retrieve a computer's Administrator password:
Set-AdmPwdReadPasswordPermission -OrgUnit "Distinguished Name of the OU which has computer objects" -AllowedPrincipals "Group Name / User Name"
e.g.
1. Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Desktops,DC=sampledomain,DC=com" -AllowedPrincipals "Associates"
2. Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Desktops,DC=sampledomain,DC=com" -AllowedPrincipals "{DomainName\UserName}"
10. To grant users the right to force a reset of a computer's password:
Set-AdmPwdResetPasswordPermission -OrgUnit "Distinguished Name of the OU which has computer objects" -AllowedPrincipals "Group Name / User Name"
e.g.
1. Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Desktops,DC=sampledomain,DC=com" -AllowedPrincipals "Associates"
2. Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Desktops,DC=sampledomain,DC=com" -AllowedPrincipals "{DomainName\UserName}"
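The schema extension and the permission steps above (steps 8 to 10, plus the audit that step 7 calls for) as one script, added here as an example and not taken from the original guide or from the LAPS module documentation. Beyond what the steps show, it confirms that both attributes exist and that ms-Mcs-AdmPwd is marked confidential, and it uses Find-AdmPwdExtendedRights to list every principal that still holds "All extended rights" on the OU, since any such principal can read the password regardless of the read delegation. The OU distinguished name, the group names and the sample computer name are assumptions taken from the guide's own examples.

```powershell
# Added example: Active Directory setup for LAPS plus the checks a practitioner wants
# afterwards. Run on a domain controller as a member of Schema Admins and Domain Admins.
# $OU, $Readers, $Resetters and $SampleComputer are assumed values.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU             = 'OU=Desktops,DC=sampledomain,DC=com'   # assumed OU holding the managed computers
$Readers        = 'Associates'                           # assumed group allowed to read passwords
$Resetters      = 'Associates'                           # assumed group allowed to force a reset
$SampleComputer = 'DESKTOP01'                            # assumed computer name used for the final check

# 1. Extend the schema (safe to re-run) and verify both attributes were created.
Update-AdmPwdADSchema | Out-Null
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd*)' `
            -Properties lDAPDisplayName, searchFlags
if (@($attrs).Count -ne 2) {
    throw "Expected ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime in the schema, found $(@($attrs).Count)"
}
# searchFlags bit 0x80 marks an attribute confidential; that is what makes the
# password readable only with an extended right rather than with plain Read access.
$pwdAttr = $attrs | Where-Object lDAPDisplayName -eq 'ms-Mcs-AdmPwd'
if (($pwdAttr.searchFlags -band 0x80) -eq 0) {
    Write-Warning 'ms-Mcs-AdmPwd is not marked confidential; every user with Read on the OU could read it.'
}

# 2. Step 8: let each computer write its own password and expiration time (SELF).
Set-AdmPwdComputerSelfPermission -OrgUnit $OU | Out-Null

# 3. Steps 9 and 10: delegate read and reset to the chosen groups.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Readers   | Out-Null
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Resetters | Out-Null

# 4. Audit for step 7: list every principal that holds "All extended rights" on the
#    OU (and therefore can read the confidential attribute). Review the list and
#    remove the right from any non-administrative group that appears in it.
Write-Host "Principals with All extended rights on $OU :"
Find-AdmPwdExtendedRights -Identity $OU | ForEach-Object {
    $dn = $_.ObjectDN
    $_.ExtendedRightHolders | ForEach-Object { "  {0}  <-  {1}" -f $_, $dn }
}

# 5. Confirm rotation is happening without displaying any password: once a client
#    has applied the policy, its expiration timestamp is set and lies in the future.
Get-AdmPwdPassword -ComputerName $SampleComputer |
    Select-Object ComputerName, DistinguishedName, ExpirationTimestamp
```

An empty ExpirationTimestamp for a computer that has been rebooted after the GPO was linked usually means the SELF permission from step 8 was not granted on the OU that actually contains that computer, or that the client-side extension is not installed there.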
That's it.