Welcome to the post that shows how to configure Active Directory for LAPS. In my previous post, we saw how to install and deploy Microsoft LAPS. We installed LAPS on a management computer and used a GPO to deploy the Local Administrator Password Solution to the client machines. In this post we will prepare our Active Directory for implementing LAPS. The Active Directory schema needs to be extended by two new attributes that store the password of the managed local Administrator account for each computer and the timestamp of password expiration. We will update the schema using the LAPS PowerShell module.
In my previous posts, we covered how to install and deploy the Microsoft LAPS software. You can access both posts by clicking the links below.
How to configure Active directory for LAPS
Let’s see how to configure Active Directory for LAPS. We will first extend the AD schema. Ensure that the user account you use for this process is a member of the Schema Admins Active Directory group. The Active Directory schema needs to be extended by two new attributes that store the password of the managed local Administrator account for each computer and the timestamp of password expiration. Both attributes are added to the may-contain attribute set of the computer class.
ms-Mcs-AdmPwd – Stores the password in clear text
ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password
To update the schema you first need to import the LAPS PowerShell module (Import-Module AdmPwd.PS). Open an administrative PowerShell window, import the module, and then run the command below:
Update-AdmPwdADSchema (This command updates the schema)
Once the command completes, the output reports the status of the operation as Success.
In the next step we will grant computers the ability to update their own password attributes using the Set-AdmPwdComputerSelfPermission command. In this example the client computers are in an OU named “Comps”. Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be granted to the SELF built-in account. This is required so that each machine can update the password and expiration timestamp of its own managed local Administrator account. This is done using PowerShell. You may need to run Import-Module AdmPwd.PS if this is a new window.
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Repeat this procedure for any additional OUs that contain computer accounts.
Removing the extended rights – To restrict the ability to view the password to specific users and groups, you need to remove “All extended rights” from users and groups that are not allowed to read the value of the ms-Mcs-AdmPwd attribute. This is required because the All extended rights permission also grants the right to read confidential attributes, and ms-Mcs-AdmPwd is stored as a confidential attribute. If you want to do this for all computers, you will need to repeat the next steps on each OU that contains those computers. You do not need to do this on sub-containers of already processed OUs unless you have disabled permission inheritance.
1. Open ADSIEdit
2. Right-click the OU that contains the computer accounts that you are installing this solution on and select Properties.
3. Click the Security tab.
4. Click Advanced.
5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit.
6. Uncheck All extended rights.
To quickly find which security principals have extended rights on the OU, you can use the Find-AdmPwdExtendedRights cmdlet. You may need to run Import-Module AdmPwd.PS if this is a new window.
Find-AdmPwdExtendedRights -Identity "OU NAME"
In the next step we will grant rights to users to allow them to retrieve a computer’s password. We will use the Set-AdmPwdReadPasswordPermission command to do this.
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
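Putting the delegation and audit steps above together, here is an added example script (not from the original post or the LAPS module) that repeats the SELF and read-permission delegation for several OUs and then checks, per OU, which principals still hold extended rights so that anyone not on your expected list stands out. The OU distinguished names, the reader group and the expected-holder list are placeholders to replace with your own.

```powershell
# Added example: delegate LAPS permissions on several OUs in one pass, then audit
# which principals hold extended rights (and so can read the clear-text password).
# Assumptions: AdmPwd.PS is installed on this management computer, the schema has
# already been extended with Update-AdmPwdADSchema, and the names below are placeholders.
Import-Module AdmPwd.PS

$ouList = @(
    'OU=Comps,DC=corp,DC=example',          # placeholder OU distinguished names
    'OU=Workstations,DC=corp,DC=example'
)
# Placeholder group that should be able to retrieve passwords with Get-AdmPwdPassword.
$readers = @('CORP\LAPS-Password-Readers')
# Principals that legitimately keep "All extended rights" on these OUs; anything else is reported.
$expectedHolders = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins') + $readers

foreach ($ou in $ouList) {
    # 1. Let each computer write its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (SELF).
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null

    # 2. Grant the reader group the control-access right needed to read the confidential attribute.
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers | Out-Null

    # 3. Audit: for the OU and each container beneath it, list the extended-right holders and
    #    flag any principal that is not on the expected list. Removing a stray holder is still
    #    done in ADSIEdit as described in the steps above; this only reports it.
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        $unexpected = @($_.ExtendedRightHolders | Where-Object { $_ -notin $expectedHolders })
        if ($unexpected.Count -gt 0) {
            Write-Warning ("{0}: unexpected extended-right holders: {1}" -f $_.ObjectDN, ($unexpected -join ', '))
        } else {
            Write-Host ("{0}: only expected principals hold extended rights" -f $_.ObjectDN)
        }
    }
}
```

Run it again after any OU restructuring or permission change; a warning line means a principal outside your allow-list can read LAPS passwords on that container.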