Active Directory And AWS Security Frameworks > RaMP / RedForest > Phase 1 The First 30 Days > LAPS Servers & Workstations > Install and Configure LAPS

Install and Configure LAPS

How to install LAPS

Don’t overcomplicate things.

The full Microsoft Guide to installing LAPS

3 Steps to install Laps

Update Active Directory Schema
Create and Enable GPO for Password settings sand rotation policy
Install LAPS client into windows computers

Step 1 (step1)

Update Active Directory Schema

I boiled this down to one function in powershell. The Badblood Repo Laps Install Folder has the function .BadBlood/AD_LAPS_Install/InstallLAPSSchema.ps1

Which runs the following code.

function Get-ScriptDirectory {
    Split-Path -Parent $PSCommandPath
}
$scriptPath = Get-ScriptDirectory

copy-item -path ($scriptpath + "\admpwd.ps") -destination "C:\Windows\System32\WindowsPowerShell\v1.0\Modules"
get-childitem -path ($scriptpath + "\admpwd.ps") -recurse |Foreach-object {
    Copy-item -literalpath $_.fullname -destination "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\admpwd.ps"
}
copy-item -path ($scriptpath + "\AdmPwd.admx") -destination "C:\Windows\PolicyDefinitions"
copy-item -path ($scriptpath + "\AdmPwd.adml") -destination "C:\Windows\PolicyDefinitions\en-US"

Import-Module ADMPwd.ps
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit (Get-ADDomain).distinguishedname

If you are a Domain Administrator and Schema Administrator, and logged into a domain controller this function does the following for you:

Copies the LAPS powershell modules into the modules folder on the server you are logged into
Imports the LAPS GPO templates into the server
Extends the schema for LAPS
Adds the computer object property on the root of the domain to each computer to write its new custom administrative password to the admpwd attribute

Step one complete by running one script

onto…

Step 2 (step2)

Create and enable GPO for LAPS settings on the domain

There are two GPOs to configure in the domain: One for servers. One for workstations

Computer type	Recommended LAPS setting
Tier 0 Domain Controllers	No LAPS installation
Tier 1 Servers	7 day maximum password age
Tier 2 Workstation	30 day maximum password age

Tier 2 LAPS GPO

Here’s an outline of what the LAPS GPO should look like for workstations, tier 2 devices.

Create Two GPOs at the root of the domain:
One for ‘LAPS Workstation’
One for ‘LAPS Server’

The settings are outlined as follows

Setting Name	Suggested Setting

Step 3 (step3)

Install LAPS client into Windows computers

Keep it easy.

Install Laps using the same GPO created in step 2

Automate the installation of LAPS onto all the windows machines on the domain.

Create a new GPO or use the GPO previously created in the step above
Edit the GPO created above
In Computer Configuration –> Policies –> Software Settings, Right click Software installation, an select ‘New’ –> ‘Package’
Choose the LAPS software that is on share on the domain. I often see the .msi in the Sysvol folder for ease of distribution
Verify the source is correct in the GPO
Wait 15 minutes on a remote machine on the domain and perform a gpupdate /force
LAPS should be installed on the workstation/server.

Per the pdf linked above:

You now see that LAPS x64 has been imported. In case you are adding x86 LAPS, once you add the package be sure to edit the x86 package to uncheck the option Make this 32-bit X86 application available to Win64 machines. You will find this option when you right click the x86 package > Properties > Deployment. This will ensure that 64-bit computers get the 64-bit DLL, and 32-bit machines get the 32-bit DLL. Close the GPM editor.

LAPS is now successfully deployed

Congratulations. Microsoft LAPS is now successfully deployed in the domain.

Pictures from this post are from the Microsoft PDF linked at the top of the page.