Comments on: How to Configure Group Policy for LAPS

By: Rob

Rob

You will need to import it..
First install the LAPS Software from the Microsoft site. Next go to: C:\Windows\PolicyDefinitions and copy:
AdmPWD.admx
Paste it in: C:\Windows\SysVol\domain\policies\PolicyDefinitions
next copy AdmPWD.ADML from the C:\Windows\PolicyDefinitions\en-us
Into: C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
Refresh your Group Policy console and reopen the GPO you will see it listed under the Computer configuration\Administrative templates\LAPS

By: Scott Wojtowicz

Scott Wojtowicz

When I go to add the GP, LAPS is not included in the Administrative Templates. How do I install it?

By: Asif Nasar

Asif Nasar

Hi Prajwal

Very insightful guide. Thank you.

I am having ONE major problem after implementing this in my work environment.

The ONE attribute ms-Mcs-AdmPwdExpirationTime registers changes when i check against the computer attribute, HOWEVER, the ms-Mcs-AdmPwd does not, and the LAPS GUI reports back that the password has been reset successfuly, when it has not?

Any ideas pls?

Would really appreciate your help.

Thank you

Kind Regards

By: Michael Cooper

Michael Cooper

In reply to NotYourRegularJoe. I am not sure if this applies but from what I gather from this it randomly resets the local admin password and you use the LAPS UI to get that password. I believe it would be the Administrator account for the local machine. I could be wrong. Michael

By: Ajay

Ajay

If computer is out of network for very long time and rarely visits corporate network, how the password is getting changed in that case.

By: Christian

Christian

In reply to Elvis. I thought this exactly so I created my policies where my computers, laptops, tablets etc. are stored - nowhere near any of my servers.

By: Elvis

Elvis

It is not the best way to apply GPO to the domain.
Use dedicated OU for applying LAPS. I think that some servers like DCs should not be a part LAPS clients. Of course another reason is because you need test before you apply LAPS to entire organization – and apply GPO to entire domain is wrong once again. Be careful!

By: NotYourRegularJoe

NotYourRegularJoe

Hi Prajwal, I tried this and completed the setups as per your guides, when I lookup a password I do get a value but for what account will that be? Not sure I understand this very las t part, I thought it would be the local Administrator account, I set a predefined password manually but the results are different, Tried using the password from LAPS with Administrator user name and it wouldn’t log me in. Can you assist?

By: NotYourRegularJoe

NotYourRegularJoe