In this post we will see how to configure Group Policy for LAPS. This is the third and final post covering the Group Policy configuration of LAPS, and in it we will change some of the Group Policy settings related to LAPS. The Local Administrator Password Solution (LAPS) manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read a password or request its reset. In my previous posts we covered how to install and deploy the Microsoft LAPS software and how to configure Active Directory for LAPS. You can access both posts by clicking on the links below.
How to configure Group Policy for LAPS
Launch the Group Policy Management console. I prefer to create a new policy to apply the password settings. Right click on the OU where your domain computers are present and click on Create a GPO in this domain and link it here. Specify a name to this GPO and click OK. Next, edit the GPO.
The settings are located under Computer Configuration > Administrative Templates > LAPS. You can see that there are 4 settings present. We will configure the ones that are required.
Right click on the policy setting Enable local admin password management and click properties. As we want to manage the local administrator password, we will enable the policy setting. Click OK.
The second policy setting that we will enable is Password Settings. By default the solution generates a password of maximum complexity and 14 characters, and changes it every 30 days. You can change the individual password settings (complexity, length and age) to fit your needs by editing this policy. Click OK.
Administrator account name – If you have decided to manage a custom local Administrator account instead of the built-in one, you must specify its name in this Group Policy setting. I have not configured this policy setting.
Protection against too long planned time for password reset – If you do not want anyone to be able to plan a password expiration for the admin account that is longer than the maximum password age, you can enforce that through this GPO setting.
If you want to view the password of a computer using PowerShell, the Get-AdmPwdPassword cmdlet (from the AdmPwd.PS module installed with the LAPS management tools) will help you.
Get-AdmPwdPassword -ComputerName "name of computer"
What happens if a user who hasn't been granted rights to see the local Administrator password tries to access it? Even if they open the GUI, the password won't be displayed to them.
For GUI users there is a convenient way to look up the password. Run the AdmPwd.UI file as administrator. This file is located under C drive > Program Files > LAPS folder. In the LAPS UI window, enter the computer name and click Search. The password is shown along with its expiry information.
Once everything is configured and Group Policy has refreshed on the clients, you can look at the properties of the computer object in Active Directory and see the new attributes. The password itself is stored in plain text, which is why the ACL on that attribute matters.
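As an added example (not code from the original post), the following PowerShell script checks, after Group Policy has refreshed, which computers in the OU actually have a LAPS password and whether any expiry has been planned beyond the maximum age, using the Get-AdmPwdPassword cmdlet and the computer object attributes described above. The OU path and the 30-day maximum age are assumptions; the attribute name ms-Mcs-AdmPwdExpirationTime is the one the LAPS schema extension adds.

```powershell
# Added example (not from the original post): audit LAPS coverage for the computers
# in the OU the GPO was linked to. Assumes the AdmPwd.PS module from the LAPS
# installer and the ActiveDirectory RSAT module are installed.
# The OU path and the 30-day maximum age are assumptions matching the defaults above.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder: the OU you linked the GPO to
$maxAgeDays = 30                               # matches the default password age in the GPO

# ms-Mcs-AdmPwdExpirationTime is readable by authenticated users, so this part
# needs no special rights; ms-Mcs-AdmPwd (the password) is only returned to callers
# who were granted the read right during the AD configuration.
$computers = Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # Attribute never written: the GPO has not applied yet or the client is not installed
        [pscustomobject]@{ Computer = $c.Name; Status = 'NoLapsPassword'; Expires = $null }
        continue
    }
    # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    $nowUtc  = (Get-Date).ToUniversalTime()
    $status = if ($expires -lt $nowUtc) {
        'Expired'             # will be rotated at the next Group Policy refresh
    } elseif ($expires -gt $nowUtc.AddDays($maxAgeDays)) {
        'ExpiryBeyondMaxAge'  # someone planned an expiry longer than the policy allows
    } else {
        'OK'
    }
    [pscustomobject]@{ Computer = $c.Name; Status = $status; Expires = $expires }
}

$report | Sort-Object Status | Format-Table -AutoSize

# For a single computer, the password itself (requires the read right granted
# with Set-AdmPwdReadPasswordPermission during the AD configuration):
# Get-AdmPwdPassword -ComputerName 'name of computer'
```

Computers reported as NoLapsPassword are the ones to chase first, since their local Administrator password is still whatever was set at build time.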