Managing Local Admin Passwords with LAPS
Updated: Mar 28, 2022
What do you do with your local administrator passwords? Are they kept in a spreadsheet on a share, are they the same on every machine, or is the local admin account simply disabled?
LAPS from Microsoft may be the answer. It is a small program plus a handful of GPO settings: LAPS sets a random local administrator password on each client and server across the estate, stores it in Active Directory on the computer object and rotates it on a schedule.
Firstly, download LAPS from the Microsoft site.
Copy the installer to a Domain Controller and ensure that the account you are logged on with is a member of 'Schema Admins' (the schema extension needs it).
Install only the Management Tools.
As it is a DC, installing the 'Fat Client UI' is optional.
Schema updates should always be performed on a DC directly.
Open PowerShell and, after seeking approval for the schema change, run the LAPS schema update cmdlet (Update-AdmPwdADSchema from the AdmPwd.PS module that the Management Tools install). This adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
Next, the computer objects need permission to write their own password. On the OUs containing your workstations and servers:
Add SELF as the Security Principal.
Select 'Write ms-Mcs-AdmPwd' (and 'Write ms-Mcs-AdmPwdExpirationTime', which the client also needs so it can record when the password expires).
Now configure the LAPS GPO settings on those OUs.
The default password length is 14 characters, but I would go higher and set it above 20.
Install LAPS on a client and select only the 'AdmPwd GPO Extension' (the client-side extension that actually changes the password).
On the Domain Controller open the LAPS UI, search for the client and click 'Set'. This marks the current password as expired, so the client generates a new one at its next Group Policy refresh.
Once the password has been reset, open the properties of the computer object and check ms-Mcs-AdmPwd for the new password. From now on the local Admin password will be rotated automatically every 30 days (the default password age in the GPO) and will be unique on every machine.
Deploy the client with ConfigMgr to the remaining estate.
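The server-side steps above, done from PowerShell instead of the GUI, as an added example that is not part of the original post. It assumes the LAPS Management Tools (the AdmPwd.PS module) are installed on the DC you run it from, and the OU paths, the domain 'CORP', the group 'LAPS-Password-Readers' and the computer 'WS001' are placeholders for your own environment.

```powershell
# Added example, not from the original post. Placeholder names: CORP, the OU
# paths, LAPS-Password-Readers and WS001 must be replaced with your own.
Import-Module AdmPwd.PS

# 1. Extend the schema. Run once, as a Schema Admin, after change approval.
Update-AdmPwdADSchema

$ous = @(
    'OU=Workstations,DC=corp,DC=example',
    'OU=Servers,DC=corp,DC=example'
)

foreach ($ou in $ous) {
    # 2. Grant SELF write access to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime
    #    on every computer object under the OU, so clients can store their own password.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 3. Delegate read (and reset) of the password to a dedicated group rather
    #    than handing out Domain Admin.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Password-Readers'
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Password-Readers'
}

# 4. The GPO settings (Enabled, Length, Complexity, Age) end up in this policy key
#    on the client; reading it back is a quick way to confirm the GPO has applied.
#    Run on the client after 'gpupdate /force':
#    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

# 5. Equivalent of 'Set' in the LAPS UI: expire the current password so the
#    client generates a new one at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName 'WS001'

# 6. Read the password back from AD once the client has refreshed policy.
Get-AdmPwdPassword -ComputerName 'WS001' |
    Format-List ComputerName, Password, ExpirationTimestamp
```

Step 2 is the PowerShell equivalent of the SELF permission in the earlier steps and grants both attributes in one go; step 3 is what you would otherwise do by hand in the security tab of the OU.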
By default Domain Admins can read the password attribute, and read access can be delegated to a Security Group. AND..... this is the warning..... ms-Mcs-AdmPwd is a confidential attribute, so any delegated permission that grants 'All Extended Rights' on the computer objects (commonly handed out with delegated computer management to help desk or support groups) can also read the password. Audit who holds those rights on your workstation and server OUs before you rely on LAPS, and remove the extended right from anyone who does not need the password.
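An audit for the warning above, as an added example that is not part of the original post. It uses Find-AdmPwdExtendedRights from the AdmPwd.PS module, which lists every principal holding 'All Extended Rights' (and so read access to the confidential attribute) on the OU tree; the OU paths, the domain 'CORP' and the approved group names are placeholders for your own environment.

```powershell
# Added example, not from the original post. CORP, the OU paths and the
# approved group names are placeholders for your own environment.
Import-Module AdmPwd.PS

$ous = @(
    'OU=Workstations,DC=corp,DC=example',
    'OU=Servers,DC=corp,DC=example'
)

# Principals that are expected to be able to read ms-Mcs-AdmPwd.
# SYSTEM always appears in the list and is not a finding.
$approved = @(
    'NT AUTHORITY\SYSTEM',
    'CORP\Domain Admins',
    'CORP\LAPS-Password-Readers'
)

$findings = foreach ($ou in $ous) {
    # -IncludeComputers also walks the individual computer objects, so a right
    # granted directly on one machine (not inherited from the OU) is caught too.
    Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN         = $_.ObjectDN
                    UnexpectedHolder = $holder
                }
            }
        }
    }
}

if ($findings) {
    Write-Warning "Principals below can read LAPS passwords but are not on the approved list:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected extended-rights holders found."
}
```

Anything reported here can read every local admin password under that OU, regardless of what Set-AdmPwdReadPasswordPermission was given. The fix is to edit the ACL on the OU (or the specific computer object) and remove 'All extended rights' from that principal, then re-run the audit; there is no LAPS cmdlet that removes it for you.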