How to install and deploy Microsoft LAPS Software

In this post we will see how to install and deploy the Microsoft LAPS software. The Local Administrator Password Solution (LAPS) provides management of local account passwords of domain joined computers.

When LAPS is implemented, passwords are stored in Active Directory and protected by ACLs, so only eligible users can read a password or request its reset.

Why do you need LAPS? Password management is a complex task, especially in big organizations. LAPS provides a solution to the problem of using a common local account with an identical password on every computer in a domain.

LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

In the next posts we will see how to configure AD for LAPS and configure GPO for LAPS. You can access both posts by clicking on the links below.

Imagine a scenario where you have a lot of servers and workstations. When it is not possible to use a domain account to log on to a server and perform administrative tasks, you are in big trouble.

Local Administrator Password Solution (LAPS)

Some scenarios that one could imagine without LAPS:

a) A machine loses its connection to the corporate network and there is no cached credential with administrative privileges.

b) A machine loses its connection to the domain or is accidentally disjoined from the domain, so domain credentials cannot be used to log on to the server and repair it.

In these support scenarios, support staff need to know the password of the local Administrator account to be able to log on to the computer and perform the necessary administrative tasks.

Microsoft LAPS Prerequisites

To install Microsoft LAPS, you’ll need at least one management computer and at least one client computer. In my case I am installing Microsoft LAPS on my domain controller.

There are some client machines that are part of the domain, and we will be deploying the LAPS software to these client machines as well.

Supported Operating System

  • Client OS – Windows 10, 7, 8, 8.1
  • Server OS – Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2
  • Active Directory – (requires AD schema extension) Windows 2003 SP1 or later.
  • Managed machines: Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
    Note: Itanium-based machines are not supported.
  • Management tools: .NET Framework 4.0 & PowerShell 2.0 or later

Install and Deploy Microsoft LAPS Software

We’ll now install the LAPS fat client, PowerShell module and Group Policy templates on the management computer.

Click this link to download the Microsoft LAPS software. You can download both 64 bit and 32 bit versions.

Once you download the LAPS software, copy the MSI files to a shared folder on the server. In my case I have created a shared folder on the C drive and all the downloaded files are present there.

Right click on LAPS x64 and click install.

On the LAPS setup wizard, click Next.

We will select all the features to be installed. Click Next.

Click Install.

The LAPS software has now been installed. Click Finish.

Deploying LAPS to the client machines using GPO

We will now configure a GPO to deploy the LAPS software to the client computers. You could also use a script to deploy LAPS. If you want to script this, you can use this command line to do a silent install:

msiexec /i <file location>LAPS.x64.msi /quiet  

or

msiexec /i <file location>LAPS.x86.msi /quiet

Just change the <file location> to a local or network path.

An alternative method of installation on managed clients is to copy AdmPwd.dll to the target computer and run this command: regsvr32.exe AdmPwd.dll
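
The silent install above, wrapped with the checks you would want before pushing an MSI from a shared folder: a signature check on the package, the msiexec exit code, and confirmation that the client-side extension is on disk. This is an added example, not code from the original post. The function name, the log location, the signer subject match and the default install path of AdmPwd.dll are assumptions, and it needs PowerShell 3.0 or later in an elevated session.

```powershell
# Added example (not from the article). Requires PowerShell 3.0+ and elevation.
function Install-LapsClient {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SourceFolder   # folder holding LAPS.x64.msi / LAPS.x86.msi
    )

    # Choose the package matching the OS architecture (file names as in the article).
    $msiName = if ([Environment]::Is64BitOperatingSystem) { 'LAPS.x64.msi' } else { 'LAPS.x86.msi' }
    $msiPath = Join-Path $SourceFolder $msiName
    if (-not (Test-Path -LiteralPath $msiPath)) { throw "Package not found: $msiPath" }

    # A writable share is a tampering risk: refuse a package whose Authenticode
    # signature does not validate. The subject match is an assumed sanity check.
    $sig = Get-AuthenticodeSignature -FilePath $msiPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for $msiPath (status: $($sig.Status))"
    }

    # Same silent install as above, plus a verbose log and no automatic reboot.
    $log     = Join-Path $env:TEMP 'laps-install.log'
    $msiArgs = @('/i', "`"$msiPath`"", '/quiet', '/norestart', '/l*v', "`"$log`"")
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with reboot pending; anything else is a failure.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode); see $log"
    }

    # Confirm the client-side extension landed (default install path assumed).
    $dll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    [pscustomobject]@{
        Package       = $msiPath
        ExitCode      = $proc.ExitCode
        RebootPending = ($proc.ExitCode -eq 3010)
        CseInstalled  = (Test-Path -LiteralPath $dll)
    }
}

# Usage (placeholder path, replace with your own share):
# Install-LapsClient -SourceFolder '\\<server>\<share>'
```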

Create a GPO to deploy LAPS

Launch the Group Policy Management console, right click on the domain and click Create a GPO in this domain and link it here. Provide a name to the GPO.

Right click the GPO that you just created and click Edit.

In the GPM editor, expand Computer Configuration > Policies > Software Settings. Right click Software Installation and click New > Package.

Browse to the path where the files are located and select the LAPS software. Choose the deployment method as Assigned and click OK.

You now see that LAPS x64 has been imported. In case you are adding x86 LAPS, once you add the package be sure to edit the x86 package to uncheck the option Make this 32-bit X86 application available to Win64 machines.

You will find this option when you right click the x86 package > Properties > Deployment. This will ensure that 64-bit computers get the 64-bit DLL, and 32-bit machines get the 32-bit DLL. Close the GPM editor.

To update the policy on the client machines, run the gpupdate command.

On the client machine, launch the Control Panel and click Programs and Features. You will find the LAPS entry in the list.

15 Comments

  1. Abhimanyu Neupane says:

    Do we need to make another server for LAPS? I already have AD. Last time I tried, the password was automatically changed on the server.

    Please guide me. What do I need to have to successfully install LAPS?

  2. Trev Evavs says:

    Also note I had to copy my adml & admx into SYSVOL for them to appear.

  3. Trev Evavs says:

    Hello, did you forget about installing the LAPS group policy files? Or did I miss that somewhere?

    The group policy needs to be installed onto your AD servers.
    The *.admx file goes into the “windows\policydefinitions” folder and the *.adml file goes into “\windows\policydefinitions\[language]”

    Without this they won’t appear in GPEDIT.

  4. @brett lutkehus
    Use msiexec, it is a great help with that. You can use /quiet switch for your purpose
    Or you can use GPO.
    (yeah, I know I’m a little late)

  5. brett lutkehus says:

    Are there install parameters for the installer that allow us to silently install the GUI for all of our helpdesk people? Thanks

  6. NotYourRegularJoe says:

    Hi Prajwal, can you give some feedback please.

  7. Akash Bansal says:

    Will it work on Windows 2012 R2 as well as Windows 2016?

  8. Do you have to install LAPS on all of your domain controllers or just one? We have 2 domain controllers for one domain. Primary and secondary.

    1. No, you don’t install it on a domain controller. Install it on another computer as an account in the Schema Administrators group. Running the PowerShell commands updates the schema which will replicate across domain controllers.

      1. Abhimanyu Neupane says:

        Please explain to me, do I need to have another server for LAPS? I already have a server with AD.

  9. If you are using two domain controllers does LAPS need to be installed on both?
