LAPS, the Local Administrator Password Solution, is an official Microsoft tool for doing exactly what its name says: managing the local administrator password on the computers you manage, desktops and servers alike.
The design is simple. A small client (a Group Policy client-side extension) is rolled out to each computer, and Group Policy tells it to generate a random password, store that password in Active Directory against the computer's own account (the ms-Mcs-AdmPwd attribute, together with an expiry timestamp), and then set the local administrator account to it. AD is written first, so the directory never lacks the password currently in use. By default the password is rotated every 30 days.
The end result is that anyone who obtains local admin access through that account can't use it to get anywhere beyond that single computer: every machine has a different password, so there is nothing to reuse for lateral movement, and the password is at most 30 days old before it changes (you can also force an earlier reset from AD). Even if the computer is taken off the domain, Active Directory still holds a record against the computer object of the last password that was set.
There's a great overview and demo on TechNet from Jessica Payne, going into detail on how it all works and showing you exactly what to do, with the install files linked from there too. Having watched it myself, I highly recommend it.
As she says, it only takes 10 minutes or so to set up, and it's far more secure than using Group Policy Preferences to set every computer's local administrator account to the same password (which, by the way, never stored the password securely: the value sat in SYSVOL, encrypted with a key Microsoft published and readable by any domain user, and Microsoft removed the feature in MS14-025). A shared password also means running into issues whenever someone needs the local administrator password for one reason or another, because handing it out means changing it everywhere.
Oh, and there is a tiny AD schema extension (two attributes on the computer class), but it's a single PowerShell command and nothing to worry about :)
Once you've got LAPS set up, you view a computer's password with the LAPS UI program, or with the Get-AdmPwdPassword cmdlet from the same PowerShell module.
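The whole procedure from the paragraphs above, written out as an added example. This is not code from the original post or from Microsoft; the OU path (OU=Workstations,DC=contoso,DC=com), the delegated group (CONTOSO\Helpdesk), the GPO name (LAPS - Workstations) and the computer name (PC01) are assumed names, while the cmdlets, the ADDLOCAL feature names and the registry values are the ones the LAPS installer and ADMX actually use.

```powershell
# Added example, not the post's own code. Assumed names: OU=Workstations,DC=contoso,DC=com,
# CONTOSO\Helpdesk, GPO "LAPS - Workstations", computer PC01.
# Schema step needs Schema Admins; the rest needs rights on the OU (Domain Admins is the easy case).

# 1. Management tools on the admin workstation: PowerShell module, ADMX templates, LAPS UI.
msiexec.exe /i LAPS.x64.msi ADDLOCAL=Management.PS,Management.ADMX,Management.UI /quiet
Import-Module AdmPwd.PS

# 2. The "tiny schema update": adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 3. Let computers in the OU write their own password and expiry time (grants SELF write on both attributes).
$ou = "OU=Workstations,DC=contoso,DC=com"
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 4. Audit who can already read the passwords. ms-Mcs-AdmPwd is a confidential attribute, but any
#    principal holding "All extended rights" on the OU or a parent can read it, so check before delegating.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 5. Delegate read and reset to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "CONTOSO\Helpdesk"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "CONTOSO\Helpdesk"

# 6. The GPO that switches LAPS on. These are the registry values the AdmPwd.admx writes under
#    HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd; Set-GPRegistryValue comes from the GroupPolicy module.
Import-Module GroupPolicy
$gpo = "LAPS - Workstations"
New-GPO -Name $gpo | New-GPLink -Target $ou
$key = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"
Set-GPRegistryValue -Name $gpo -Key $key -ValueName AdmPwdEnabled                  -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordComplexity             -Type DWord -Value 4   # upper, lower, digits, specials
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordLength                 -Type DWord -Value 20
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PasswordAgeDays                -Type DWord -Value 30
Set-GPRegistryValue -Name $gpo -Key $key -ValueName PwdExpirationProtectionEnabled -Type DWord -Value 1   # client refuses expiry dates beyond the policy age

# 7. The client itself: a default install of the same MSI puts down only the CSE. Deploy with your
#    software distribution tool or a software-installation GPO; the password changes at the next GP refresh.
#    (Run on each target, e.g. PC01.)
msiexec.exe /i LAPS.x64.msi /quiet

# 8. Verify from the admin workstation once PC01 has refreshed policy.
Get-AdmPwdPassword -ComputerName PC01 | Format-List ComputerName, Password, ExpirationTimestamp

# Force an early rotation: sets the expiry to now; the client picks a new password at its next GP refresh.
Reset-AdmPwdPassword -ComputerName PC01 -WhenEffective (Get-Date)
```

Do steps 3 to 5 before step 6 takes effect: the client writes the new password to AD before it changes the account locally, and if the computer has no write permission on its own object it logs an error and leaves the local password alone, so a misordered rollout costs you nothing worse than an event log entry. Step 4 is the check worth repeating after any delegation change; the list of extended-rights holders is effectively the list of who can read every local administrator password in that OU.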
Chris Brown has also written up a nice ‘how-to’ guide on setting up LAPS from end to end which is worth following too.
LAPS is easy to deploy, easy to manage and provides several security benefits… and it’s free. If you’re not using LAPS yet, it’s time to do it! Grab it from Microsoft here.
It would be nice to see this solution modified to handle DCs' Recovery Mode passwords.
Still there is no way you can use LAPS with Azure AD Domain Services. Seems like one option is SYNERGIX ADCE for on-prem AD and Azure AD Domain Services.
https://www.synergix.com/products/active-directory-client-extensions/microsoft-laps-compared/
Valid point, feedback request for this is here https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13849404-azure-domain-services-support-for-laps – vote it up if you want it!