Deploying the Local Administrator Password Solution Part 2
Written on May 6, 2015

In this series of three posts, I demonstrate the installation and configuration of Microsoft’s Local Administrator Password Solution (LAPS). This is the second post that covers configuration of Active Directory to support LAPS. For links to parts 1 and 3, see the bottom of this post.

Configuring Active Directory for LAPS

Extend the AD Schema

In the last post, we configured the client installation. While there is no server-side software to run as far as ensuring the system operates, there are a number of changes required to Active Directory in order to allow for secure password storage against a computer object. As part of this, we’ll be adding two attributes to Active Directory’s computer class:

In part 1, you would’ve installed the LAPS management tools onto a computer. Connect to this computer as a member of the Schema Admins Active Directory group. Open an elevated Windows PowerShell prompt and import the AdmPwd.PS module:

AD-1

Once imported, you must extend the AD schema using the Update-AdmPwdADSchema cmdlet:

AD-2

Configure Active Directory Permissions

By default, the vast majority of Active Directory computer object properties can be read by any user with Domain Users privileges or above. If we’re storing local administrator passwords, this isn’t necessarily a desired situation. Let’s dig into AD and restrict who can actually view this newly created ms-Mcs-AdmPwd attribute:

  1. Open ADSIEdit.msc
  2. Right click the ADSI Edit node and choose Connect to….
    AD-3
  3. Ensure Default naming context is selected and click OK
    AD-4
  4. Drill down the tree to find the organizational unit that contains your computer objects
    AD-5
  5. Right click the OU and select Properties
    AD-6
  6. On the Security tab, choose Advanced
    AD-7
  7. For each non-administrative group that currently has it checked (if any), remove the All extended rights permission:
    AD-8
  8. Next, grant computers the ability to update their password attribute using Set-AdmPwdComputerSelfPermission
    AD-9
  9. Now it’s time to grant rights to users to allow them to retrieve a computer’s password. I’m going to use two different groups for this, one for servers and one for clients:
    AD-10

What Else?

Comments/questions

There's no commenting functionality here. If you'd like to comment, please either mention me (@[email protected]) on Mastodon or email me. I don't have any logging or analytics running on this website, so if you found something useful or interesting it would mean a lot to hear from you.