The post details the steps to configure Group Policy for LAPS. This is the third and final post that covers the group policy configuration of LAPS.
In this post we will modify some of the group policy settings related to LAPS. We know that LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL. Hence only eligible users can read it or request its reset.
In my previous posts, we have covered two important topics. First one is how to install and deploy Microsoft LAPS software and second how to configure Active Directory for LAPS. You can access both the posts by clicking on the below links.
How to Configure Group Policy for LAPS
To configure group policy for LAPS
- Launch the Group Policy Management console.
- Right click the OU where your domain computers are present.
- Click Create a GPO in this domain and link it here.
- Specify a group policy name such as “LAPS” and click OK.
- In the next step edit the GPO.
The LAPS settings are located under Computer Configuration > Administrative Templates > LAPS. You can see four settings present. We will configure the ones that are required.
Right click the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.
LAPS Password Settings
Next edit the password settings policy. By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days.
You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs. Click OK.
Administrator account name – If you have decided to manage custom local Administrator account, you must specify its name in Group Policy. I haven’t configured this policy setting.
Protection against too long planned time for password reset – If you do not want to allow setting planning password expiration of admin account for longer time than maximum password age, you can do it in GPO.
If you want to view the password settings of a computer using the powershell, Get-AdmPwdPassword will help you.
- Import-Module AdmPwd.PS
- Get-AdmPwdPassword -Computername “name of computer“
What happens if a user who hasn’t been granted rights to see the local Administrators password tries to access it?. If they were to gain access to the GUI interface the password won’t be displayed.
For GUI users there is a cool way to find the password settings. Run the AdmPwd.UI file as administrator. This file is located under C:\Program Files\LAPS folder.
In the LAPS UI window, enter the computer name and click Search. In addition to the password, the expiry information is also visible.
Peform gpupdate on the client machines. Now look at the properties of the computer object and see the new settings. The password is visible (plain text).