Skip to content

Latest commit

 

History

History
48 lines (27 loc) · 4.92 KB

readme.md

File metadata and controls

48 lines (27 loc) · 4.92 KB
Raw

Deploying Microsoft LAPS in Enterprise Environments

This instruction documentation goes over how to install Microsoft LAPS in Enterprise environments. Microsoft LAPS is a solution to rotate local administrative passwords on workstations and member servers. Having the same local admin password to all workstations creates a pretty large security risk that opens organizations to compromise. This documentation contains how to extend out the Active Directory Schema, control access via security groups, and automate deployments to workstations and servers.

Do not deploy this to Active Directory Domain Controllers.... I repeat do not deploy this to Active Directory Domain Controllers.

Reference Links

Setting up and preparing your domain for MS LAPS

The following needs to occur on a administrative workstation with Domain and schema admin access.

  1. First we start by aquiring the Microsoft LAPS install file. I have reference the download link in my reference links section.

  2. From our administrative workstation double click on the MSI file you downloaded in the previous step. Make sure to install all modules. They will be needed when you extend your AD Schema and apply group policies for your LAPS configuration.

  3. Important. If you have a change control process please do that before proceeding with this step. This will modify the schema in your active directory domain. Issue these two commands in the screenshot attached. Make sure you do this in an elevated PowerShell session. This will extend you schema with the laps attributes in AD.

  4. Delegate permissions to your workstations/servers and the Organizational unit you want to deploy it to.In this example I am deploying the permissions to the root of my AD container where all my workstations sit. Sub OU's in this container will automatically inherit these permissions. This allows the workstation to update the laps attibute with its new password information.

    • Just a side note that the attirbutes published in step 3 and the computer's ability to update the attributes is a hidden field. Normal end users that have RSAT installed will not be able to see them unless you delegate permissions. I'll get to how to do that in the next few steps.

  5. Next we should find extended rights holders in the OU's you deploy laps to. In this example I am looking at the workstations OU. This is a good audit check to make sure you haven't over delegated permissions to your OU's. By default in a fresh forest this is all you should see is system and domain admins.

  6. Before proceeding with this step you need to create some security groups. I only created one security group to both read and reset laps passwords. I called it "LAPSWorkstationReset". You can get granular and separate Read and Write out between two security groups if you wish.

  7. Create a LAPS Group policy object. You can set how long you want the admin password to be. In this example I set mine to 24 characters that rotate every 30 days. You can also set what you want your complexity to be. Attach this policy to the OU's you delegate permissions to in step 4.

  8. The last step is to create a software installation policy. The LAPS MSI is extremely small. While you could deploy the LAPS MSI into your workstation/server images I prefer the installation policy method. It provides you a way to enforce LAPS to be installed on workstations and member servers. Plus its so easy to audit. I usually attach my software installation policy for LAPS along with my LAPS GPO that I created from Step 7. Notice in this example I am pointing it to a specific DC. Since my lab only has one DC I got specific however you can deploy it from \somedomain.com\NETLOGON\LAPSx64.msi