Step by Step - Installing Microsoft LAPS

Microsoft LAPS stands for Local Administrator Password Solution. It is a free tool provided by Microsoft that helps organizations secure the local administrator accounts on their Windows-based computers. This article explains what LAPS is and how to install it in your domain environment, step by step.

Apr 3, 2023 - 16:51

LAPS is designed to randomly generate and securely store a unique password for the local administrator account on each computer in an organization. By using LAPS, you can improve your security posture by eliminating the use of common, easily guessed local administrator passwords across your entire fleet of computers.

With LAPS, you can easily manage and rotate the passwords of local administrator accounts across your organization, ensuring that these accounts are protected against unauthorized access. LAPS also provides audit capabilities that allow you to track when passwords were changed and who made the changes.

Here are some other reasons to keep and change local passwords on a regular basis:

  1. Security: Local passwords provide a way to access sensitive data and resources on a device. If an attacker gains access to a local account with a weak or compromised password, they can gain unauthorized access to sensitive data and resources on the device, as well as other devices that may be connected to the network. By keeping and changing local passwords on a regular basis, organizations can reduce the risk of unauthorized access and data breaches.

  2. Compliance: Many regulations and standards, such as PCI DSS and HIPAA, require organizations to implement password policies that include regular password changes. Failure to comply with these requirements can result in fines and other penalties.

  3. Best practices: Keeping and changing local passwords on a regular basis is considered a best practice in cybersecurity. It is a simple yet effective way to improve security and reduce the risk of unauthorized access.

  4. Employee turnover: When employees leave an organization, it is important to change local passwords to prevent former employees from accessing sensitive data and resources. By changing local passwords on a regular basis, organizations can reduce the risk of unauthorized access even if an employee's departure is not planned.

Step 0 - Download Microsoft LAPS from the official website:

Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center

Step 1 - Run the LAPS.x64.msi Windows Installer to start the installation. Click Next and accept the license agreement.

Step 2 - Select the features to install. Since we are going to deploy LAPS via GPO, it is better to select all the features. After that, complete the installation.

Step 3 - Check the LAPS Folder in Program Files and you should see the folder like:

Step 4 - Run PowerShell as Administrator and enter these 2 commands to extend the domain schema:

Step 5 - Write the below command to apply LAPS to your OU:

Step 6 - Create a new GPO for LAPS and edit the name of it:

Step 7 - Edit the settings according to your organization policies:

Step 8 - Link the created GPO to the targeted OU.

Step 9 - To see the password:

  • Run the Get-AdmPwdPassword -ComputerName 'ComputerName' command.
  • Open Active Directory Users and Computers, go to the "Attribute Editor" tab and look for "ms-Mcs-AdmPwd".
  • Run AdmPwd.UI.exe and search for the computer.
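
The PowerShell side of Steps 4, 5 and 9, written out as an added example (not the article's own commands) using the AdmPwd.PS module that ships with the LAPS management tools. It also includes a check of who can read the stored passwords, because ms-Mcs-AdmPwd holds the password in clear text and is protected only by the attribute's ACL. The OU, group and computer names are placeholder assumptions.

```powershell
# Added example: AdmPwd.PS cmdlets for Steps 4, 5 and 9.
# Assumed placeholders (not from the article): the OU 'Workstations',
# the group 'CONTOSO\LAPS-Readers' and the computer 'PC-001'.
$ou      = 'Workstations'
$readers = 'CONTOSO\LAPS-Readers'
$pc      = 'PC-001'

# Step 4: load the module and extend the AD schema (run as a Schema Admin).
# This adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes
# to computer objects.
Import-Module AdmPwd.PS
Update-AdmPwdADSchema

# Step 5: allow computers in the OU to write their own password and
# expiration time into those attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Check before rollout: list every principal that already holds extended
# rights on the OU and can therefore read ms-Mcs-AdmPwd. Anything beyond
# the expected admin groups should be removed before passwords are stored.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# Grant read access to one dedicated group instead of relying on
# broad inherited rights.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# Step 9: read the current password and its expiration for one computer.
Get-AdmPwdPassword -ComputerName $pc |
    Select-Object ComputerName, Password, ExpirationTimestamp

# After a password has been disclosed or used, expire it so the client
# generates a new one at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName $pc
```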
