What is LAPS?
Deploying LAPS (Local Administrator Password Solution) is probably one of the best things you can do for your organization. LAPS is a Microsoft solution that changes the local administrator password on every single machine you apply it to. The best part is that it's very dynamic. This means that you can set one Organizational Unit, such as your Servers OU, to 20 character local admin passwords, while keeping your desktop OU at 14 characters. By default the password is rotated every 30 days, and you also have the option to manually reset it on whatever date you want.
PowerShell Commands to Deploy LAPS
The deployment of LAPS is pretty simple and straightforward. However, I'll go over some bullet points to give you a broad overview in PowerShell.
- Download the LAPS files from Microsoft's official site.
- Install LAPS on an admin PC/Server and install all options. (In my example, I installed it on my Windows 10 PC).
- Import LAPS Module. (Import-Module AdmPwd.PS)
- Extend Active Directory Schema. (Update-AdmPwdADSchema)
- Allow Computers to publish passwords to AD. (Set-AdmPwdComputerSelfPermission -OrgUnit $YourOU)
- Grant Permissions to Groups. (Set-AdmPwdReadPasswordPermission -OrgUnit $YourOU -AllowedPrincipals 'AD\GroupToReadPasswords')
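The same steps as a single script, followed by an audit of who can actually read the stored passwords, as an added example that is not part of the original post. The OU path, group names and computer name are placeholders to adjust for your own domain.

```powershell
# Added example (not from the original post): deploy LAPS permissions for one OU,
# then audit which principals are able to read the passwords it stores.
# Placeholders: adjust the OU, group and computer names for your environment.
Import-Module AdmPwd.PS

$OU             = 'OU=Servers,DC=corp,DC=example'   # placeholder OU
$ReadersGroup   = 'CORP\LAPS-Servers-Readers'       # placeholder group allowed to read passwords
$ResettersGroup = 'CORP\LAPS-Servers-Resetters'     # placeholder group allowed to force a reset

# One-time schema extension (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
# Run once per forest by a member of Schema Admins.
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiration time to its AD object.
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# Delegate read and reset rights to dedicated groups instead of broad admin groups,
# so membership of those groups is the audit trail for who can see local admin passwords.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $ReadersGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $ResettersGroup

# Audit: any principal holding "All Extended Rights" on the OU or its computers can read
# the confidential ms-Mcs-AdmPwd attribute, whether or not you delegated it deliberately.
# Compare the holders against an allow-list and warn on anything unexpected.
$Allowed = @($ReadersGroup, 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')   # placeholder allow-list
Find-AdmPwdExtendedRights -OrgUnit $OU -IncludeComputers | ForEach-Object {
    $unexpected = @($_.ExtendedRightHolders | Where-Object { $Allowed -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("{0}: unexpected password readers: {1}" -f $_.ObjectDN, ($unexpected -join ', '))
    }
}

# Manual reset mentioned above: set the expiration so the client rotates the password
# at its next policy refresh after the given date (here: immediately).
Reset-AdmPwdPassword -ComputerName 'SRV01' -WhenEffective (Get-Date)   # placeholder computer
```

Re-run the audit whenever OU delegation changes; a new holder appearing in the warning is the signal that someone was granted more than the read group you intended.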
You can choose how you want to get the client deployed to machines, but in my case I'm going to use SCCM to deploy LAPS. I'll let the video go over the exact details.
Deploying LAPS via SCCM Video Demo
And that about covers how you can deploy LAPS in your domain using SCCM. You can also deploy the LAPS client through GPO, PDQ or any other means. If you want more awesome sysadmin content, don't forget to check out theSysadminChannel on YouTube for video demos and how-tos. Also, if you want to further your SCCM knowledge, check out System Center Configuration Manager Current Branch Unleashed.