LAPS

LAPS – Local Administrator Password Solution

Background

Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis. The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD.

Use of LAPS by Delegated OU customers is required. LAPS is a critical security component that protects computers and the CSUN network. It is the Delegated OU customer's responsibility to enable and configure LAPS for client computers and to manage access to the stored passwords. The customer's side of the LAPS implementation consists of three parts: a client-side extension (CSE); Group Policy Object (GPO) administrative template files (ADMX files) together with a GPO that applies the desired LAPS settings to computers; and the administrative tools used to retrieve the stored password.

How to Implement LAPS

Download the LAPS installation media

  1. Deploy the LAPS CSE (client-side extension) to all managed computers. Run setup and choose AdmPwd GPO Extension. It is not necessary to install any other component on the managed computer. Using the installer has the benefit of the program being visible in Add/Remove Programs.
     SCCM application deployment:
     \Software Library\Overview\Application Management\Applications\Public-Centrally Managed\Microsoft\Microsoft LAPS Extension 6.2
  2. Deploy the LAPS UI (administrator console) to your computer.
     SCCM application deployment:
     \Software Library\Overview\Application Management\Applications\Public-Centrally Managed\Microsoft\Microsoft LAPS UI 6.2
  3. Deploy GPO "IT-LAPS" to your OU.
  4. Create a ticket requesting access to the LAPS password:
     1. Provide the OU.
     2. Provide the AD group that contains your a_accounts.
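The steps above install the CSE and link the GPO, but nothing on the page shows how to confirm on a client that both actually took effect before the first password rotation is expected. The following is an added example (not CSUN or Microsoft code) that checks, from an elevated prompt on a managed computer, that the CSE DLL is installed and that the policy values delivered by the GPO are present in the registry. The DLL path and the AdmPwd policy key are the standard locations used by the LAPS installer and ADMX templates; the policy value names are assumed to match those templates.

```powershell
# Added example: verify LAPS CSE installation and GPO delivery on a managed client.
# Not code from the CSUN page; run as an administrator on the client computer.

function Test-LapsClient {
    # Location the LAPS installer uses for the client-side extension DLL.
    $cseDll    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    # Registry key populated by the LAPS ADMX policy settings in the applied GPO.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

    $cseInstalled  = Test-Path -Path $cseDll
    $policyPresent = Test-Path -Path $policyKey

    $settings = $null
    if ($policyPresent) {
        # Value names are the ones written by the LAPS ADMX templates (assumed here).
        $settings = Get-ItemProperty -Path $policyKey |
            Select-Object AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays
    }

    # Report a single object so the result can be collected from many clients.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CseInstalled   = $cseInstalled
        PolicyApplied  = $policyPresent
        # AdmPwdEnabled = 1 means password management is turned on for this client.
        ManagementOn   = ($settings -and $settings.AdmPwdEnabled -eq 1)
        Settings       = $settings
    }
}

$status = Test-LapsClient
$status | Format-List

if (-not $status.CseInstalled) {
    Write-Warning 'AdmPwd.dll not found: the LAPS CSE has not been deployed to this computer.'
}
if (-not $status.PolicyApplied) {
    Write-Warning 'No AdmPwd policy key: the IT-LAPS GPO has not applied yet. Try gpupdate /force and re-check.'
}
```

If the CSE is present but the policy key is missing, the GPO is not linked to the computer's OU or has not refreshed yet; if both are present but ManagementOn is false, the GPO is applied without enabling password management, and the password in AD will never be populated.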

Retrieving a Password

The password can be retrieved using three common tools:

  • Active Directory Users and Computers (ADUC)
  • PowerShell
  • Any LDAP Client

If a user without permission tries to view a password they will simply see the value “<not set>”.

ADUC Password Retrieval

Using ADUC, open the target computer object, click the Attribute Editor tab (visible only when Advanced Features is enabled under the View menu), scroll through the attributes and find the field ms-Mcs-AdmPwd.

PowerShell and Fat Client Installation

To use PowerShell, run setup and install the PowerShell module component (the AdmPwd.PS cmdlets).

Powershell Password Retrieval

To retrieve a password using PowerShell, issue the following command:

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName <ComputerName>

The password will be one of the returned attributes; it will be blank if the user does not have permission to read the password.
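The retrieval command above returns an object rather than a bare string, and a caller without read permission gets an empty Password property rather than an error, which is easy to miss in a script. The following is an added example (not the CSUN page's own code) that wraps the retrieval with an explicit permission check, shows the same attributes read through the ActiveDirectory module as any LDAP client would see them, and uses the module's Find-AdmPwdExtendedRights cmdlet to audit which principals hold read rights on an OU. Computer and OU names are placeholders; the AdmPwd.PS and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example: retrieve a LAPS password with a permission check, cross-check via LDAP
# attributes, and audit who can read passwords under an OU. Not code from the CSUN page.

Import-Module AdmPwd.PS          # installed by the LAPS setup "PowerShell module" component
Import-Module ActiveDirectory    # RSAT module, used for the LDAP cross-check below

function Get-LapsPassword {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = Get-AdmPwdPassword -ComputerName $ComputerName

    # No permission (or no password set yet) shows up as an empty Password,
    # the same condition ADUC displays as "<not set>".
    if ([string]::IsNullOrEmpty($result.Password)) {
        Write-Warning "No LAPS password returned for $ComputerName: the account lacks read permission on ms-Mcs-AdmPwd, or the CSE has not set a password on this computer yet."
        return $null
    }

    [pscustomobject]@{
        ComputerName   = $result.ComputerName
        Password       = $result.Password
        ExpirationTime = $result.ExpirationTimestamp
    }
}

function Get-LapsAttributesViaLdap {
    # Reads the raw attributes; any LDAP client sees exactly these two values.
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    $expires = $null
    if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        # Expiration is stored as a Windows FILETIME large integer.
        $expires = [datetime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    }
    [pscustomobject]@{
        Name     = $c.Name
        Password = $c.'ms-Mcs-AdmPwd'      # $null when the caller cannot read it
        Expires  = $expires
    }
}

function Get-LapsReaders {
    # Lists the principals granted the extended right to read passwords under an OU,
    # which is the set you should review when a ticket adds a group to LAPS access.
    param([Parameter(Mandatory)][string]$OrgUnit)

    Find-AdmPwdExtendedRights -Identity $OrgUnit |
        Select-Object ObjectDN, ExtendedRightHolders
}

# Placeholder names; replace with a real computer and the OU you administer.
Get-LapsPassword        -ComputerName 'LAB-PC-01'
Get-LapsAttributesViaLdap -ComputerName 'LAB-PC-01'
Get-LapsReaders         -OrgUnit 'OU=Workstations,OU=MyDept,DC=example,DC=edu'
```

Because the password is displayed in clear text, treat the console session and any transcript as sensitive; after an interactive use of the password, the module's Reset-AdmPwdPassword cmdlet can be used to force the CSE to rotate it at the next policy refresh rather than waiting for the normal expiration.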

FAQs

We have an MS TEAMS working group (SCCM -SG-CAMPUS-OSD) with documentation. 

Contact Us

CSUN Information Technology


Monday to Friday, 8am to 5pm

Faculty Technology Center
(818) 677-3443

IT Help Center
(818) 677-1400

Information Security
(818) 677-6100

Universal Design Center
(818) 677-5898

Classroom Support
(818) 677-1500
