Deploy Microsoft LAPS – Part 1

Deploying the Local Administrator Password Solution Part 1

In this series of three posts, I demonstrate the installation and configuration of Microsoft’s Local Administrator Password Solution (LAPS).

First of all, what is LAPS, and what does it offer us?

LAPS is a useful tool for automatically managing the local Administrator passwords of Windows computers. It’s important to ensure that every computer changes its local Administrator password regularly, that the password is unique for every computer, that there’s a way to track when it gets changed, and that there’s a way to force password changes.

There are two parts to the installation:

  1. The management computers.
  2. The clients you want to manage.

GPO CSE: must be present on each managed machine.

Management tools:

  • Fat client UI
  • PowerShell module AdmPwd.PS
  • Group Policy Editor admin templates

The default is to install the Client Side Extension (CSE) only, and the management tools are installed on demand.

Management Computers

Double click on the appropriate MSI installer (LAPS.msi) to get started.

Click Next. Accept the license agreement and click Next.

For the first management machine, you should enable all the installation choices for management tools.

Click Next.

Click Install.

Click Finish.

Managed Clients

This installation uses the same install files, AdmPwd.Setup.x64.msi and AdmPwd.Setup.x86.msi, as on the management computers.

These can be installed/updated/uninstalled on clients using a variety of methods including the Software Installation feature of Group Policy, SCCM, login script, manual install, etc. 

If you want to script this you can use this command line to do a silent install:

msiexec /i <file location>\LAPS.x64.msi /quiet 

or 

msiexec /i <file location>\LAPS.x86.msi /quiet

Change the <file location> to a local or network path. 

Example: msiexec /i \\server\share\LAPS.x64.msi /quiet

An alternative method of installation to managed clients is to copy the AdmPwd.dll to the target computer and use this command:

regsvr32.exe AdmPwd.dll

Note: If you install by just registering the DLL, it will not show up in Programs and Features.

Once this is installed, you can see it in Programs and Features.
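
The silent install above, wrapped in a script that checks the MSI's signature before running it and then confirms the Programs and Features entry. This is an added example, not part of the original post or of LAPS itself; the \\server\share path is a placeholder and the DisplayName match is an assumption based on the product name.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# $Share is a placeholder; point it at your own installer location.
param([string]$Share = '\\server\share')

# Pick the MSI that matches the OS architecture (file names as in the commands above).
$msiName = if ([Environment]::Is64BitOperatingSystem) { 'LAPS.x64.msi' } else { 'LAPS.x86.msi' }
$msiPath = Join-Path -Path $Share -ChildPath $msiName
if (-not (Test-Path -LiteralPath $msiPath)) { throw "Installer not found: $msiPath" }

# A writable share is a tampering risk: refuse an MSI whose Authenticode
# signature does not validate, and record who signed it.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $msiPath ($($sig.Status))"
}
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# Same silent install as above, but wait for msiexec and inspect its exit code.
$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList '/i', "`"$msiPath`"", '/quiet', '/norestart'
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "msiexec exited with code $($proc.ExitCode)"
}

# Confirm the product is registered where Programs and Features reads from.
# Assumption: the DisplayName contains the product name used in this post.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Local Administrator Password Solution*' }
if (-not $entry) { throw 'LAPS not listed in Programs and Features' }
$entry | Select-Object DisplayName, DisplayVersion
```

A client set up only with regsvr32 fails the final check, as the note above says, so inventory that relies on Programs and Features will not count it.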

 

Thanks.
