This post covers the steps to configure Active Directory for LAPS. In short we will prepare our Active Directory for implementing LAPS.
In my previous post, we saw how to install and deploy Microsoft LAPS. We installed the LAPS on management computer and using the GPO we deployed the local administrator password solution to the client machines.
First of all, the Active Directory schema must be extended with two new attributes. These store the password of the managed local Administrator account for each computer and the time-stamp of that password's expiration. We will update the schema by importing the PowerShell module.
How to Configure Active Directory for LAPS
To configure Active Directory for LAPS, you must first extend the AD schema. Above all, ensure that the user account you use for this process is a member of the Schema Admins Active Directory group. The schema extension adds the following two attributes:
- ms-Mcs-AdmPwd – Stores the password in clear text
- ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password
Update the Schema using PowerShell
To update the schema you first need to import the PowerShell module. Open up an administrative PowerShell window and enter the commands below:
Import-Module AdmPwd.PS (This command imports the LAPS module)
Update-AdmPwdADSchema (This command updates the schema)
In the next step we will grant computers the ability to update their password attribute using the Set-AdmPwdComputerSelfPermission command.
In this example I have the client computers in “Comps OU”. The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be granted to the SELF built-in account. This is required so that each machine can update the password and expiration timestamp of its own managed local Administrator account. You may need to run Import-Module AdmPwd.PS if this is a new window.
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Repeat this procedure for any additional OUs that contain computer accounts.
Removing the extended rights
In the next step you must restrict the ability to view the password to specific users and groups. Therefore, remove “All extended rights” from users and groups that do not need to read the value of the ms-Mcs-AdmPwd attribute. This is required because the All Extended Rights permission also grants the right to read confidential attributes, which is how the password attribute is protected.
If you want to do this for all computers, just repeat the next steps on each OU that contains those computers. You may skip this on sub-containers of already processed OUs unless you have disabled permission inheritance.
1. Open ADSIEdit
2. Right click the OU that contains the computer accounts that you are installing this solution on and select Properties.
3. Click the Security tab.
4. Click Advanced.
5. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit.
6. Uncheck All extended rights.
To quickly find which security principals have extended rights on the OU you can use the following PowerShell cmdlet. You may need to run Import-Module AdmPwd.PS if this is a new window.
Find-AdmPwdExtendedRights -Identity "OU NAME"
In the next step we will grant rights to users to allow them to retrieve a computer’s password. We will use Set-AdmPwdReadPasswordPermission command to do this.
Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
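The whole delegation procedure above, applied to several OUs and followed by an audit of who still holds “All extended rights”, as an added example that is not part of the original post. The domain, OU names and group names are assumptions for a lab domain, and the script assumes the ObjectDN and ExtendedRightHolders fields that Find-AdmPwdExtendedRights returns.

```powershell
# Added example (not from the post): apply the LAPS delegation described above
# to several OUs and report any principal that still holds "All extended rights".
# Domain, OU and group names are assumed lab values; replace them with your own.
Import-Module AdmPwd.PS

$Domain          = 'DC=corp,DC=example,DC=com'                     # assumed domain
$ComputerOUs     = @("OU=Comps,$Domain", "OU=Servers,$Domain")     # OUs holding computer accounts
$PasswordReaders = @('CORP\LAPS-Password-Readers')                 # may read ms-Mcs-AdmPwd
# Principals that legitimately keep extended rights; anything else is reported.
$ExpectedHolders = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'NT AUTHORITY\SYSTEM')

# One-time schema extension (run as a Schema Admins member); safe to re-run.
Update-AdmPwdADSchema

foreach ($ou in $ComputerOUs) {
    # Let each computer (SELF) write its own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
    # Delegate read access to the clear-text password to the chosen group only.
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $PasswordReaders | Out-Null
}

# Audit: "All extended rights" implies read access to confidential attributes such as
# ms-Mcs-AdmPwd, so list every holder not on the expected list for removal in ADSIEdit.
$findings = foreach ($ou in $ComputerOUs) {
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        $unexpected = @($_.ExtendedRightHolders | Where-Object { $ExpectedHolders -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                ObjectDN          = $_.ObjectDN
                UnexpectedHolders = ($unexpected -join '; ')
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Principals holding All extended rights that should be reviewed and removed:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected extended-rights holders found on the LAPS OUs.'
}
```

Run the script again after the ADSIEdit clean-up; an empty findings list confirms that only the expected principals can read the managed password.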