We’ve all heard of Microsoft LAPS. This stands for Local Administrator Password Solution and is already available from Windows Server 2008 R2. With Microsoft LAPS it is possible to periodically and fully automatically change the password of the local administrator account.
Microsoft recently launched Windows LAPS, as a successor to Microsoft LAPS. A number of new functionalities have been added and it is now also part of the Windows Server operating system (from Server 2019 April Update) and Windows 10 and 11.
In this blog post I will show you what steps are needed to implement and activate Microsoft LAPS and Windows LAPS within a Windows server landscape. We look at legacy operating systems (Windows Server 2008 R2, 2012 R2, 2016) and also the more modern operating systems (Windows Server 2019 and 2022). Of course you see the operation of Microsoft LAPS and Windows LAPS in a hybrid situation.
In my situation, I have built an infrastructure in Microsoft Azure. A domain controller based on Windows Server 2022 and five servers based on Windows Server 2008 R2, 2012 R2, 2016, 2019 and 2022.
- mss-dc01 / Windows Server 2022 / domain controller
- mss-2008 / Windows Server 2008 R2 / Member server
- mss-2012 / Windows Server 2012 R2 / Member server
- mss-2016 / Windows Server 2016 / Member server
- mss-2019 / Windows Server 2019 / Member server
- mss-2022 / Windows Server 2022 / Member server
The entire environment was rolled out with terraform (Infrastructure as Code), so the foundation was built up in a few minutes.
The steps I went through are.
- Extend the Active Directory Schema for Microsoft LAPS (legacy)
- Extend the Active Directory Schema for Windows LAPS
- Set the right permissions for the computer object to perform a password reset
- Create and configure group policies for Microsoft and Windows LAPS
- Verify the new LAPS configuration in real live
Extend the Active Directory Schema
The first step is to prepare your Active Directory environment for Microsoft and Windows LAPS. Download the Microsoft LAPS installer from the Microsoft website and install the tooling.
For Windows Server 2008 R2, 2012 R2, 2016 (legacy)
Update-AdmPwdAdSchemaFor Windows Server 2019 (April Update and higher) and 2022
Update-LapsADSchema
Configuring the right permissions for the computer objects
A crucial step in the configuration is setting the right permissions for the computer objects to perform the password reset. You need the DN of the organization unit where your computer objects are located. In my environment, all the servers (legacy and new) are located in the OU ‘Resources / Servers’. If your have multiple OU’s, you need to run the command for every OU. Running the command on top level, all the permissions are inherited to the below OU’s.
For Windows Server 2008 R2, 2012 R2, 2016 (legacy)
Set-AdmPwdComputerSelfPermission -Identity ‘DN of the organizational unit’For Windows Server 2019 (April Update and higher) and 2022
Set-LapsADComputerSelfPermission -Identity ‘DN of the organizational unit’
Create new group policies
Okay, so now the Active Directory Schema and permissions are prepared. The next step is to setup the group policy objects. We need two different policies, because Microsoft LAPS and Windows LAPS have there own settings. Let’s take a look at the Microsoft LAPS group policy settings.
For Windows Server 2008 R2, 2012 R2, 2016 (legacy)
Computer Configuration / Administrative Templates / LAPS
Because all of my servers are in the same organization unit and they need different group policies, I’ve created a WMI filter that filters based on the operation system.
Select Name From Win32_OperatingSystem Where Name Like ‘%Windows Server 2008%’ Or Name Like ‘%Windows Server 2012%’ Or Name Like ‘%Windows Server 2016%’
The legacy server ‘mss-2008’ is joined to the domain. Let’s see what is happening when we active the new GPO.
The same thing for Windows Server 2012 R2 and 2016.
To view the newly applied password, you can use the LAPS UI tool, but you can also open the Attribute Editor in Active Directory Users & Computers. Look for the attribute ‘ms-Mcs-AdmPwd’.
What about Windows Server 2019 and 2022?
Within Windows Server 2019 (April Update) and 2022, Microsoft LAPS in built-in by default. You don’t need to install some agents or extenstions. Also, within the Event Viewer, you can find some LAPS logging to see if all the configuration is working fine.
I’ve joined to newly created servers to my Active Directory environment called ‘mss-2019’ Windows Server 2019 and ‘mss-2022’ Windows Server 2022.
I’ve created a WMI filter that filters based on the operation system.
For Windows Server 2019 (April Update and higher) and 2022
Select Name From Win32_OperatingSystem Where Name Like ‘%Windows Server 2019%’ Or Name Like ‘%Windows Server 2022%’
Next step is to create a group policy for the modern operating systems.
For Windows Server 2019 (April Update and higher) and 2022
Select Name From Win32_OperatingSystem Where Name Like ‘%Windows Server 2019%’ Or Name Like ‘%Windows Server 2022%’
When opening Active Directory Users & Computers, you see directly the ‘LAPS’ tab. Here you can find the local admin usersname and the newly applied password. And yes, you can login with the new account!!
Wrap up
In this post we’ve succesfully prepared our environment for Microsoft LAPS (legacy) and the new Windows LAPS. We’ve configured the right group policies (these are my own settings! Review and choose you’re own baseline).
After the GPO’s are applied, the new settings are live and we can sign-in with RDP to our Windows servers. Hopefully this blogpost was usefull! If you have any questions or comments, please feel free to reach out to me.