How to Configure Group Policy for LAPS

The post details the steps to configure Group Policy for LAPS. This is the third and final post that covers the group policy configuration of LAPS.

In this post we will modify some of the group policy settings related to LAPS. We know that LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL. Hence only eligible users can read it or request its reset.

In my previous posts, we have covered two important topics. First one is how to install and deploy Microsoft LAPS software and second how to configure Active Directory for LAPS. You can access both the posts by clicking on the below links.

How to Configure Group Policy for LAPS

To configure group policy for LAPS

  • Launch the Group Policy Management console.
  • Right click the OU where your domain computers are present.
  • Click Create a GPO in this domain and link it here.
  • Specify a group policy name such as “LAPS” and click OK.
  • In the next step edit the GPO.

How to configure Group Policy for LAPS

The LAPS settings are located under Computer Configuration > Administrative Templates > LAPS. You can see four settings present. We will configure the ones that are required.

How to configure Group Policy for LAPS

Right click the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.

How to configure Group Policy for LAPS

LAPS Password Settings

Next edit the password settings policy. By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days.

You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs. Click OK.

Administrator account name – If you have decided to manage custom local Administrator account, you must specify its name in Group Policy. I haven’t configured this policy setting.

Protection against too long planned time for password reset – If you do not want to allow setting planning password expiration of admin account for longer time than maximum password age, you can do it in GPO.

How to configure Group Policy for LAPS

If you want to view the password settings of a computer using the powershell, Get-AdmPwdPassword will help you.

  • Import-Module AdmPwd.PS
  • Get-AdmPwdPassword -Computername “name of computer

What happens if a user who hasn’t been granted rights to see the local Administrators password tries to access it?.  If they were to gain access to the GUI interface the password won’t be displayed.

How to configure Group Policy for LAPS

For GUI users there is a cool way to find the password settings. Run the AdmPwd.UI file as administrator. This file is located under C:\Program Files\LAPS folder.

In the LAPS UI window, enter the computer name and click Search. In addition to the password, the expiry information is also visible.

How to configure Group Policy for LAPS

Peform gpupdate on the client machines. Now look at the properties of the computer object and see the new settings. The password is visible (plain text).

How to configure Group Policy for LAPS

Need Assistance?

Send us a message or post your question in forums.

9 thoughts on “How to Configure Group Policy for LAPS”

    • You will need to import it..
      First install the LAPS Software from the Microsoft site. Next go to: C:\Windows\PolicyDefinitions and copy:
      AdmPWD.admx
      Paste it in: C:\Windows\SysVol\domain\policies\PolicyDefinitions
      next copy AdmPWD.ADML from the C:\Windows\PolicyDefinitions\en-us
      Into: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
      Refresh your Group Policy console and reopen the GPO you will see it listed under the Computer configuration\Administrative templates\LAPS

      Reply
  1. Hi Prajwal

    Very insightful guide. Thank you.

    I am having ONE major problem after implementing this in my work environment.

    The ONE attribute ms-Mcs-AdmPwdExpirationTime registers changes when i check against the computer attribute, HOWEVER, the ms-Mcs-AdmPwd does not, and the LAPS GUI reports back that the password has been reset successfuly, when it has not?

    Any ideas pls?

    Would really appreciate your help.

    Thank you

    Kind Regards

    Reply
  2. If computer is out of network for very long time and rarely visits corporate network, how the password is getting changed in that case.

    Reply
  3. It is not the best way to apply GPO to the domain.
    Use dedicated OU for applying LAPS. I think that some servers like DCs should not be a part LAPS clients. Of course another reason is because you need test before you apply LAPS to entire organization – and apply GPO to entire domain is wrong once again. Be careful!

    Reply
    • I thought this exactly so I created my policies where my computers, laptops, tablets etc. are stored – nowhere near any of my servers.

      Reply
  4. Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?

    Reply
    • I am not sure if this applies but from what I gather from this it randomly resets the local admin password and you use the LAPS UI to get that password. I believe it would be the Administrator account for the local machine. I could be wrong.
      Michael

      Reply
  5. Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?

    Reply

Leave a Comment