
Configuring LAPS (Part 2) - Configuring and Deploying Group Policy
This post is the second part of a two-part series on configuring and deploying the
Microsoft Local Administrator Password Solution (LAPS). The first post covered the
steps needed to configure Active Directory to support LAPS. That post can be found
here. This post will cover the steps needed to enable the LAPS functionality on devices.

(Required) Deploy the LAPS Group Policy Client-Side Extension
LAPS is enabled and configured on devices using Group Policy. However, devices do not
natively know about the LAPS settings. To have the Group Policy apply correctly, a
Group Policy Client-Side Extension (CSE) needs to first be deployed to devices. There
are many ways to get the CSE installed on devices. This example will cover how to
deploy the CSE using Microsoft Configuration Manager.

Create an Application to Deploy LAPS

1. Download the LAPS Installer (This example will cover creating an application to deploy the 64-bit LAPS install)
a. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
2. Copy the MSI to the network share that acts as the Configuration Manager source directory
3. Open the Configuration Manager Admin Console and navigate to Software Library > Application Management > Applications
4. Right click on Applications and select Create Application
5. On the Create Application Wizard window, click the Browse button to select the MSI file that was just copied to the network share and then click Next
6. On the Import Information screen, click Next
7. On the General Information screen
a. Optionally, change the name of the application
b. Verify the installation program command line looks like this:
Msiexec /I "LAPSx64.msi" /qn /norestart
c. In the Install Behavior drop down menu, ensure Install for System is selected
8. On the Summary screen, click Next
9. On the Completion screen, click Close

Distribute the LAPS Application to Distribution Point(s)

1. In the Configuration Manager Admin Console, navigate to Software Library > Application Management > Applications
2. Right click on the LAPS application that was created in the previous section and select Distribute Content
3. On the Distribute Content Wizard window, click Next
4. On the Content screen, click Next
5. On the Content Distribution screen, click the Add button, then select either a distribution point or a distribution point group to distribute the content to, then click Next
6. On the Summary screen, click Next
7. On the Completion screen, click Close

Deploy the LAPS Application

1. In the Configuration Manager Admin Console, navigate to Software Library > Application Management > Applications
2. Right click on the LAPS application that was created in the previous section and select Deploy
3. On the Deploy Software Wizard window, use the Browse button to select a collection of devices to deploy this application to, then click Next
4. On the Content screen, click Next
5. On the Deployment Settings screen, choose whether you want the application to be Available (optional to install through the Software Center) or Required (automatically installed), then click Next
6. On the Scheduling screen, select when the application will be installed on devices, then click Next
7. On the User Experience screen, select how the application should appear in the Software Center and whether or not the application should respect any existing maintenance windows, then click Next
8. On the Alerts screen, optionally configure deployment alerting, then click Next
9. On the Summary screen, click Next
10. On the Completion screen, click Close
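Whichever deployment type is chosen, it is worth confirming on a device that the CSE actually landed and registered with Group Policy before the policy is linked; a device with the GPO but no CSE silently ignores the LAPS settings. The following is an added example, not code from the original post or from Microsoft. It assumes the default 64-bit install location (C:\Program Files\LAPS\CSE\AdmPwd.dll) and locates the extension by its registered DLL name rather than a hard-coded extension GUID; the remote computer list at the bottom is a placeholder.

```powershell
# Added example (not from the original post): confirm that the LAPS Client-Side
# Extension deployed through Configuration Manager is installed and registered.
# Assumes the default 64-bit install path; run from an elevated prompt.
function Test-LapsCseInstalled {
    $dll   = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

    $fileOk = Test-Path -Path $dll

    # Every Group Policy CSE is a subkey of GPExtensions named by its GUID and
    # carries a DllName value; match on the DLL so no GUID has to be assumed.
    $reg = Get-ChildItem -Path $gpExt -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DllName -like '*AdmPwd.dll' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        CseDllPresent = $fileOk
        CseRegistered = [bool]$reg
        ExtensionGuid = if ($reg) { $reg.PSChildName } else { $null }
    }
}

# Local check
Test-LapsCseInstalled

# The same check across members of the targeted collection (placeholder names);
# requires PowerShell remoting to be enabled on the devices.
$devices = @('WKS-001', 'WKS-002')
Invoke-Command -ComputerName $devices -ScriptBlock ${function:Test-LapsCseInstalled} |
    Select-Object ComputerName, CseDllPresent, CseRegistered, ExtensionGuid
```

A device that reports CseDllPresent but not CseRegistered usually has not rebooted or re-run the installer since the MSI was applied; a device with neither has not received the Configuration Manager deployment yet.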

(Required) Configure Group Policy to Deploy LAPS Settings
Group Policy is used to configure LAPS settings and to enable the LAPS functionality on
targeted devices. The LAPS settings can be added to an existing group policy object;
however, in this example a new group policy object will be created to deploy the
settings.

Install the LAPS Group Policy Administrative Template


Group policy does not natively know about the LAPS settings. The settings need to be
pulled from an administrative template.

1. Log onto the computer where the LAPS management utilities were installed
a. If the management utilities need to be re-installed, see the first section of the first part of this series for instructions on doing so (LINK)
2. Open a File Explorer window and navigate to C:\Windows\PolicyDefinitions
3. Copy the AdmPwd.admx file found in the root of the directory and the AdmPwd.adml file found in the en-US subdirectory
4. Paste the files in the group policy central store
a. The group policy central store is located at \\domain.fqdn\SYSVOL\domain.fqdn\Policies\PolicyDefinitions
b. If no group policy central store exists, see this Microsoft support page for instructions on creating one: https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra

Create a Group Policy Object to Deploy LAPS Settings

1. Open the Group Policy Management Console with an account that has rights to create and deploy group policy objects in the domain
2. Right click on the Group Policy Objects folder and select New
3. Name the policy and click OK (In this example the policy is named LAPS)
4. Right click on the newly created policy and select Edit
5. In the Group Policy Management Editor window, expand Computer Configuration > Policies > Administrative Templates > LAPS
6. There are 4 settings available
a. Enable local admin password management – This setting is required for LAPS to work. This setting tells the device to randomize its local administrator password.
b. Password Settings – This setting is required for LAPS to work. This setting tells the device what complexity requirements the random password should adhere to. It also tells the device how long the password should be and how often the password should change.
c. Do not allow password expiration time longer than required by policy – This setting is optional but recommended. If this setting is not set, the password expiration time on a device could manually be set to be longer than the expiration period specified in the Password Settings setting.
d. Name of administrator account to manage – This setting is optional. By default, LAPS will manage the password of the built-in local administrator account. If this setting is enabled, an account other than the built-in administrator account can be managed.
7. Once the settings have been configured, close the Group Policy Management Editor window
8. In the Group Policy Management Console, right click on the OU that the policy will be applied to and select Link an Existing GPO
9. Select the group policy object that was just created and click OK
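The same GPO can be built and linked from the Group Policy PowerShell module, which is useful for repeatable builds and for auditing what an existing LAPS GPO actually carries. This is an added example, not code from the original post or from Microsoft. It assumes the registry path and value names that the AdmPwd administrative template writes (HKLM\Software\Policies\Microsoft Services\AdmPwd with AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays, PwdExpirationProtectionEnabled and AdminAccountName); these are not on the page, so check them against the template in your central store. The OU distinguished name and the password values are placeholders.

```powershell
# Added example (not from the original post): create, populate and link the LAPS GPO
# with the GroupPolicy module. Run on a management host with RSAT installed, as an
# account that can create and link GPOs (same requirement as step 1 above).
Import-Module GroupPolicy

$gpoName  = 'LAPS'
$targetOu = 'OU=Workstations,DC=domain,DC=fqdn'   # placeholder: the OU from step 8
$key      = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'  # assumed template path

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# a. Enable local admin password management (required)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1 | Out-Null

# b. Password Settings (required). Complexity 4 = upper + lower + digits + specials;
#    length and age are example values, not a recommendation from the post.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# c. Do not allow password expiration time longer than required by policy (recommended)
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null

# d. Name of administrator account to manage (optional). Leave unset to manage the
#    built-in Administrator account; only set it for a custom local admin account.
# Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AdminAccountName' -Type String -Value 'LocalAdmin'

# Step 8/9: link the GPO to the OU unless it is already linked there
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Audit: read back every value the GPO now carries under the LAPS key
Get-GPRegistryValue -Name $gpoName -Key $key |
    Select-Object ValueName, Type, Value
```

The read-back at the end is the part worth keeping around: run against a GPO someone else built, it shows immediately whether expiration protection is enabled and which account name (if any) is being managed, without opening the editor.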

Looking up and Resetting Passwords


Now that AD has been configured, the Group Policy Client-Side Extension has been
deployed, and the Group Policy Object has been created, LAPS should be functioning on
devices. There are two ways to look up passwords for devices, from the properties of
the computer object in Active Directory or using the LAPS GUI utility.

Password Lookup in AD

1. Open the Active Directory Users and Computers console
2. Navigate to a computer object that has a random password set by LAPS
3. Right click on the computer object and select Properties
4. Select the Attribute Editor tab
5. Find the ms-Mcs-AdmPwd attribute

Password Lookup Using the LAPS GUI Utility

1. Download the LAPS Installer
a. https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899
2. Run the installer, and at the Custom Setup screen, ensure the Fat Client UI option is selected (This will install the LAPS GUI utility)
3. Once the install has completed, open the Start menu and select the LAPS UI application
4. In the window that appears, type the computer name of a device that has a random password set by LAPS, then click Search
5. The password for a given device can be reset by manually entering a new time in the New expiration time box and then clicking the Set button

Password Reset Using PowerShell


LAPS passwords can also be reset using a PowerShell cmdlet. Here is an example of
what a password reset command would look like:

Reset-AdmPwdPassword -ComputerName NameOfComputer -WhenEffective "11.30.2017 17:00"
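The following is an added example, not part of the original post, that ties the three lookup methods above together from PowerShell: it reads the current expiration through the AdmPwd.PS module that ships with the LAPS management tools, reads the same two AD attributes the Attribute Editor shows (converting the FILETIME expiration to a date), then brings the expiration forward so the device rotates its password at its next Group Policy refresh. The computer name is a placeholder, and reading ms-Mcs-AdmPwd requires the read permission delegated in part 1; the password value itself is deliberately never written to the console.

```powershell
# Added example (not from the original post): look up a LAPS expiration, cross-check
# the raw AD attributes, force a rotation, and confirm the expiration moved.
Import-Module AdmPwd.PS          # installed with the LAPS management tools
Import-Module ActiveDirectory    # RSAT AD module

$computer = 'NameOfComputer'     # placeholder

# 1. Expiration as reported by the LAPS cmdlet (also returns .Password; not printed here)
$before = Get-AdmPwdPassword -ComputerName $computer
'Cmdlet expiration : {0}' -f $before.ExpirationTimestamp

# 2. The same data read straight from the computer object, as the Attribute Editor
#    shows it. ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks, UTC).
$obj = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expiry = [DateTime]::FromFileTimeUtc([int64]$obj.'ms-Mcs-AdmPwdExpirationTime').ToLocalTime()
'AD attribute expiry: {0}' -f $expiry
'Password present   : {0}' -f (-not [string]::IsNullOrEmpty($obj.'ms-Mcs-AdmPwd'))

# 3. Force a rotation: setting the expiration to "now" is the PowerShell equivalent of
#    typing a new time in the GUI's New expiration time box and clicking Set.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)

# 4. Confirm the expiration was brought forward. The password itself only changes once
#    the device next applies Group Policy (gpupdate /force on the device speeds that up).
$after = Get-AdmPwdPassword -ComputerName $computer
if ($after.ExpirationTimestamp -le (Get-Date)) {
    'Expiration updated; the device will rotate its password at its next GP refresh.'
} else {
    'Expiration unchanged; check that this account has write permission on ms-Mcs-AdmPwdExpirationTime.'
}
```

Two things to watch when using this operationally: step 3 does not change the password by itself, so a device that is offline keeps its old password until it next refreshes policy; and the comparison in step 4 is the quickest way to tell a permissions problem (the reset silently does nothing for an account that can read but not write the expiration attribute) from a device that simply has not checked in yet.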
