How to Configure Group Policy for LAPS

The post details the steps to configure Group Policy for LAPS. This is the third and final post that covers the group policy configuration of LAPS.

In this post we will modify some of the group policy settings related to LAPS. We know that LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL. Hence only eligible users can read it or request its reset.

In my previous posts, we have covered two important topics. First one is how to install and deploy Microsoft LAPS software and second how to configure Active Directory for LAPS. You can access both the posts by clicking on the below links.

How to Configure Group Policy for LAPS

To configure group policy for LAPS

  • Launch the Group Policy Management console.
  • Right click the OU where your domain computers are present.
  • Click Create a GPO in this domain and link it here.
  • Specify a group policy name such as “LAPS” and click OK.
  • In the next step edit the GPO.

How to configure Group Policy for LAPS

The LAPS settings are located under Computer Configuration > Administrative Templates > LAPS. You can see four settings present. We will configure the ones that are required.

How to configure Group Policy for LAPS

Right click the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.

How to configure Group Policy for LAPS

LAPS Password Settings

Next edit the password settings policy. By default this solution uses a password with maximum password complexity, 14 characters and changes the password every 30 days.

You can change the values to suit your needs by editing a Group Policy. You can change the individual password settings to fit your needs. Click OK.

Administrator account name – If you have decided to manage custom local Administrator account, you must specify its name in Group Policy. I haven’t configured this policy setting.

Protection against too long planned time for password reset – If you do not want to allow setting planning password expiration of admin account for longer time than maximum password age, you can do it in GPO.

How to configure Group Policy for LAPS

If you want to view the password settings of a computer using the powershell, Get-AdmPwdPassword will help you.

  • Import-Module AdmPwd.PS
  • Get-AdmPwdPassword -Computername “name of computer

What happens if a user who hasn’t been granted rights to see the local Administrators password tries to access it?.  If they were to gain access to the GUI interface the password won’t be displayed.

How to configure Group Policy for LAPS

For GUI users there is a cool way to find the password settings. Run the AdmPwd.UI file as administrator. This file is located under C:\Program Files\LAPS folder.

In the LAPS UI window, enter the computer name and click Search. In addition to the password, the expiry information is also visible.

How to configure Group Policy for LAPS

Peform gpupdate on the client machines. Now look at the properties of the computer object and see the new settings. The password is visible (plain text).

How to configure Group Policy for LAPS

You might also like

5
Leave a Reply

4 Comment threads
1 Thread replies
1 Followers
 
Most reacted comment
Hottest comment thread
newest oldest most voted
Ajay

If computer is out of network for very long time and rarely visits corporate network, how the password is getting changed in that case.

Elvis

It is not the best way to apply GPO to the domain.
Use dedicated OU for applying LAPS. I think that some servers like DCs should not be a part LAPS clients. Of course another reason is because you need test before you apply LAPS to entire organization – and apply GPO to entire domain is wrong once again. Be careful!

Christian

I thought this exactly so I created my policies where my computers, laptops, tablets etc. are stored – nowhere near any of my servers.

NotYourRegularJoe

Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?

NotYourRegularJoe

Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptRead More