{"id":3342,"date":"2020-04-05T01:34:43","date_gmt":"2020-04-05T01:34:43","guid":{"rendered":"http:\/\/pariswells.com\/blog\/?p=3342"},"modified":"2025-11-24T23:21:21","modified_gmt":"2025-11-24T23:21:21","slug":"how-to-install-and-setup-laps-local-administrator-password-solution","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/random\/how-to-install-and-setup-laps-local-administrator-password-solution","title":{"rendered":"How to install and setup LAPS ( Local Administrator Password Solution ) Agent GPO"},"content":{"rendered":"\n<p>For Servers 2019 and Windows 10, use the inbuilt functionality: <a href=\"https:\/\/lazyadmin.nl\/it\/windows-laps\/\">https:\/\/lazyadmin.nl\/it\/windows-laps\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Download<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\">Click here to download the software<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Install<\/h2>\n\n\n\n<p>Install the 32-bit or 64-bit version depending on the server, and install ALL the Management Tools.<\/p>\n\n\n\n<p>Create a new package and use the LAPS.x64.msi file that we downloaded earlier. 
Make sure that you add the parameter&nbsp;<strong>CUSTOMADMINNAME=LAPSAdmin<\/strong>&nbsp;to your package; this creates the local admin account (LAPS does not otherwise create the account for you). Without it, you will need to deploy a script to create the account (there is no way to do this via GPO because of the security issues of deploying a password in a GPO):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">$Username = \"LAPSAdmin\"\n\n# Create a random initial password for the LAPS account\ntry {\n    $length = 14\n    $characters = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&amp;*()_+=-\"\n    \n    # Note: Get-Random is not a cryptographic RNG in Windows PowerShell 5.1\n    $password = \"\"\n    for ($i = 1; $i -le $length; $i++) {\n        $randomIndex = Get-Random -Minimum 0 -Maximum $characters.Length\n        $password += $characters[$randomIndex]\n    }\n\n    $group = \"Administrators\"\n\n    # Check if user already exists using ADSI\n    $adsi = [ADSI]\"WinNT:\/\/$env:COMPUTERNAME\"\n    $existing = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }\n\n    if ($null -eq $existing) {\n        Write-Host \"Creating new local user $Username.\" -ForegroundColor Green\n        net user $Username \"$password\" \/add \/expires:never \/passwordchg:no | Out-Null\n        \n        Write-Host \"Adding local user $Username to $group group.\" -ForegroundColor Green\n        net localgroup \"$group\" $Username \/add | Out-Null\n    }\n    else {\n        Write-Host \"Setting new password for existing user $Username.\" -ForegroundColor Yellow\n        # Preferred modern way (works on Windows 10\/11\/Server 2016+)\n        $existing.SetPassword($password)\n    }\n\n    # Ensure the account never expires and the user cannot change the password\n    Write-Host \"Ensuring password for $Username never expires and cannot be changed by user.\" -ForegroundColor Green\n    net user $Username \/expires:never | Out-Null\n    net user $Username \/passwordchg:no | Out-Null\n\n    # net user \/expires controls account expiry, not password age, so set the\n    # \"password never expires\" flag (ADS_UF_DONT_EXPIRE_PASSWD = 0x10000) via ADSI\n    $user = [ADSI]\"WinNT:\/\/$env:COMPUTERNAME\/$Username,user\"\n    $user.UserFlags.Value = $user.UserFlags.Value -bor 0x10000\n    $user.SetInfo()\n\n    Write-Host \"LAPS-like admin account '$Username' configured 
successfully.\" -ForegroundColor Cyan\n    Write-Host \"Password: $password\" -ForegroundColor Red\n}\ncatch {\n    Write-Error \"Failed: $_\"\n}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Setup<\/h2>\n\n\n\n<p>Open PowerShell as Administrator, with Domain Admin rights, and run:<\/p>\n\n\n\n<p><strong>Import-Module AdmPwd.PS<\/strong><\/p>\n\n\n\n<p><strong>Update-AdmPwdADSchema<\/strong><\/p>\n\n\n\n<p>Make sure the output of the above says Success.<\/p>\n\n\n\n<p>In the same PowerShell window, declare the OUs where the computers will live:<\/p>\n\n\n\n<p><strong>Set-AdmPwdComputerSelfPermission -OrgUnit &lt;name of the OU to delegate permissions&gt;<\/strong><\/p>\n\n\n\n<p>Now check who has access to view the passwords in the OU:<\/p>\n\n\n\n<p><strong>Find-AdmPwdExtendedRights -Identity \"OU NAME\"<\/strong><\/p>\n\n\n\n<p>Add or remove permissions via:&nbsp;<strong>Set-AdmPwdReadPasswordPermission -OrgUnit &lt;name of the OU to delegate permissions&gt; -AllowedPrincipals &lt;users or groups&gt;<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Group Policy<\/h2>\n\n\n\n<p>On the PC where you installed the LAPS tool, copy the following files:<\/p>\n\n\n\n<p>C:\\Windows\\PolicyDefinitions\\AdmPwd.admx<strong>&nbsp;to (on a domain controller)<\/strong>&nbsp;C:\\Windows\\SYSVOL\\domain\\Policies\\PolicyDefinitions\\<\/p>\n\n\n\n<p>C:\\Windows\\PolicyDefinitions\\en-US\\AdmPwd.adml&nbsp;<strong>to (on a domain controller)<\/strong>&nbsp;C:\\Windows\\SYSVOL\\domain\\Policies\\PolicyDefinitions\\en-US\\AdmPwd.adml<\/p>\n\n\n\n<p>Now create a Group Policy and apply it to the computers whose local Administrator password you would like to be self-managed.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1576\" height=\"479\" src=\"http:\/\/pariswells.com\/blog\/wp-content\/uploads\/2018\/05\/img_5b03df9e5977f.png\" alt=\"\" class=\"wp-image-3344 
img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2018\/05\/img_5b03df9e5977f.png 1576w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2018\/05\/img_5b03df9e5977f-300x91.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2018\/05\/img_5b03df9e5977f-768x233.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2018\/05\/img_5b03df9e5977f-1024x311.png 1024w\" sizes=\"auto, (max-width: 1576px) 100vw, 1576px\" \/><\/figure>\n\n\n\n<p><strong>Administering<\/strong><\/p>\n\n\n\n<p><strong>How to find the password using the GUI<\/strong><\/p>\n\n\n\n<p>On the PC installed with LAPS, run C:\\Program Files\\LAPS\\AdmPwd.UI.exe and enter the computer name to find the password.<\/p>\n\n\n\n<p>Using PowerShell:&nbsp;Get-AdmPwdPassword -ComputerName \"%COMPUTERNAME%\"<\/p>\n\n\n\n<p><strong>To reset the password immediately:<\/strong> Reset-AdmPwdPassword -ComputerName &lt;computername&gt;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For Servers 2019 and Windows 10 Use the Inbuilt Functionality https:\/\/lazyadmin.nl\/it\/windows-laps\/ Download Click here to Download the software Install Install 32bit or 64bit depending on server , 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[1103,970,2493,2494,2495,627],"class_list":["post-3342","post","type-post","status-publish","format-standard","hentry","category-random","tag-download","tag-install","tag-laps","tag-local-admin","tag-local-administrator-password-solution","tag-reset"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=3342"}],"version-history":[{"count":6,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3342\/revisions"}],"predecessor-version":[{"id":9362,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3342\/revisions\/9362"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=3342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=3342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=3342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}