Now we reach the final stretch - the domain configuration is complete and we’ve installed the client side extensions on our workstations or servers. Now they just need a policy that tells the CSE what to do!
Installing the Administrative Templates
There are generally two options for GPO ADMX files - either you have a central store, or you have a local copy. If you don’t have a central store - I highly recommend that you set one up. Microsoft provides good instructions HERE. You’ll know you have a central store if when editing GPOs you see the following:
If you don’t see that message, you have a local store, which requires fewer steps for this particular process - but requires that you perform them on any machine you wish to manage LAPS policy from.
Run the installer we downloaded previously (for whatever processor architecture you are running) from the machine you will be administering policy from (less important if you have a central store) and walk through the installer. You can add the “Fat client UI” at this point too if you want (we’ll use it later in this post) otherwise you only need the “GPO Editor templates”:
If you are using a local store, your installation is complete. If you’re using a central store you need to copy the following files to your central store:
Creating the GPO
Open up a workstation with access to the group policy management console. If you’re an organization that has implemented AGPM (Advanced Group Policy Management), your policy creation steps will be different than described here. You can read more about AGPM in THIS series.
In the group policy management console, create and link a new GPO (or you may use an existing GPO) to the OU that contains the computers you wish to manage. If you’re deploying the CSEs via group policy software installation you may prefer to use that GPO for this as well.
Edit the policy and drill down to Computer Configuration > Policies > Administrative Templates > LAPS. There are only 4 policies here:
- Password Settings: allows you to set parameters for your admin passwords including length, complexity, and maximum age.
- Name of administrator account to manage: if you have a special administrator account name, you will need to configure this policy - otherwise do not configure it.
- Do not allow password expiration time longer than required by policy: this relates to the ability to set an expiration date manually in the AdminUI console. If you enable this policy, the CSE will only set the expiration to the maximum age as defined in the Password Settings policy. If you disable or do not configure it, you could set an expiration longer than the max age.
- Enable local admin password management: This enables the CSE to manage the local account. It needs to be enabled for LAPS to function.
Validating it’s Working!
This is it - the final push. Run the installer we downloaded previously (for whatever processor architecture you are running) from the machine you will be viewing passwords from. This time around we’re going to install the “Fat client UI”. Once the fat client is installed, you will find “LAPS UI” in your start menu in a folder called LAPS. Run it as a user who has access to view the passwords (as we configured in part 1).
Now type a computer name into the ComputerName field and press “Search”… Voila! If your result looks similar, then you’ve properly installed and configured LAPS!
If it does not look like this - you may want to run “gpupdate /force” on a workstation with the CSE installed to see if group policy just hasn’t replicated yet.
Now you can set a new expiration for the password if you want. If you set it to a date in the past it will automatically change on the next policy refresh cycle.
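To check a whole OU instead of one computer at a time, here is an added example (not part of the original walkthrough) that reads only the ms-Mcs-AdmPwdExpirationTime attribute, not the password itself, and flags machines where the CSE has never set a password or where the password is past its expiration. It assumes the ActiveDirectory RSAT module is installed; the function name Get-LapsStatus is hypothetical and the OU path is a placeholder for your own managed OU.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-LapsStatus {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [datetime] $NowUtc = (Get-Date).ToUniversalTime()
    )

    # Both attributes are stored as Windows FILETIME integers.
    $props = 'ms-Mcs-AdmPwdExpirationTime', 'lastLogonTimestamp'

    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $props | ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }

        $logonRaw  = $_.lastLogonTimestamp
        $lastLogon = if ($logonRaw) { [datetime]::FromFileTimeUtc([int64]$logonRaw) } else { $null }

        # NoPassword: attribute is empty, so the CSE has never written a password.
        # Overdue:    expiration is in the past and the password has not been rotated yet.
        $status = if (-not $expires) { 'NoPassword' } elseif ($expires -lt $NowUtc) { 'Overdue' } else { 'OK' }

        [pscustomobject]@{
            Computer     = $_.Name
            Status       = $status
            ExpiresUtc   = $expires
            LastLogonUtc = $lastLogon
        }
    }
}

# Placeholder OU: replace with the OU your LAPS GPO is linked to.
Get-LapsStatus -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```

A NoPassword row usually points at a machine where the CSE is not installed or the GPO has not applied yet. An Overdue row with an old LastLogonUtc is most likely a machine that has simply been offline since its password expired.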
We’re officially done with LAPS! Give yourself a pat on the back knowing that your local admin passwords are a bit more secure. If you had any problems or questions with this three-part guide, leave me a comment below and I’ll be happy to help you out. As always, happy admining!