Nathan Ziehnert

2 minute read

Now we reach the final stretch - the domain configuration is complete, we've installed the client side extensions on our workstations or servers, now they just need a policy that tells the CSE what to do!

If you missed the first part of this series you can find it HERE, and the second part is HERE - otherwise continue reading on for the Group Policy configuration and testing of the console.

If you don't see that message, you have a local store which requires less steps for this particular process - but requires you perform them on any machine you wish to manage LAPS policy from.

Run the installer we downloaded previously (for whatever processor architecture you are running) from the machine you will be administering policy from (less important if you have a central store) and walk through the installer.  You can add the “Fat client UI” at this point too if you want (we'll use it later in this post) otherwise you only need the “GPO Editor templates”:

If you are using a local store, your installation is complete. If you're using a central store you need to copy the following files to your central store:

C:\Windows\PolicyDefinitions\AdmPwd.admx C:\Windows\PolicyDefinitions$LANG$\AdmPwd.admx

In the group policy management console, create and link a new GPO (or you may use an existing GPO) to the OU that contains the computers you wish to manage. If you're deploying the CSEs via group policy software installation you may prefer to use that GPO for this as well.

Edit the policy and drill down to Computer Configuration > Policies > Administrative Templates > LAPS. There are only 4 policies here:

Now type a computer name into the ComputerName field and press “Search”… Voila! If your result looks similar, then you've properly installed and configured LAPS!

If it does not look like this - you may want to run “gpupdate /force” on a workstation with the CSE installed to see if group policy just hasn't replicated yet.

Now you can set a new expiration for the password if you want. If you set it to a date in the past it will automatically change on the next policy refresh cycle.

We're officially done with LAPS! Give yourself a pat on the back knowing that your local admin passwords are a bit more secure. If you had any problems or questions with this three part guide, leave me a comment below and I'll be happy to help you out. As always, happy admining!

comments powered by Disqus

Table of Contents