In this article, we’ll cover the basics of Microsoft LAPS (MS LAPS): what it is used for and how it works. We’ll also walk through the installation steps and describe the implementation requirements and features of LAPS.
What is MS LAPS and what is it used for?
LAPS stands for “Local Administrator Password Solution”. LAPS manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by ACLs, so only eligible users can read them or request a reset.
Microsoft LAPS is used in order to prevent stale, duplicate, or overly simplistic passwords. These situations leave systems vulnerable to either intentional or accidental data breaches. LAPS ensures that passwords change regularly and are adequately complex.
How does LAPS work?
The LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:
- Checks whether the password of the local Administrator account has expired.
- Generates a new password.
- Validates the new password against the password policy.
- Reports the password to Active Directory, storing it in a confidential attribute on the computer account.
- Reports the next expiration time for the password to Active Directory, storing it in an attribute on the computer account.
- Changes the password of the Administrator account.
- The password can then be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.
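The expiration time the CSE reports makes it possible to audit LAPS coverage without reading any password. The script below is an added example, not part of the original article or of Microsoft's tooling; it assumes the legacy LAPS schema extension (attribute `ms-Mcs-AdmPwdExpirationTime`, which the article does not name), the RSAT ActiveDirectory module, the AdmPwd.PS module from the LAPS "Management Tools" feature, and a placeholder OU.

```powershell
# Added example: audit LAPS coverage in one OU without reading any password.
# Assumptions: legacy LAPS schema is extended, the ActiveDirectory and AdmPwd.PS
# modules are installed, and $SearchBase is a placeholder to replace.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$ExpiryAttr = 'ms-Mcs-AdmPwdExpirationTime'         # next expiration time written by the CSE
$Now        = (Get-Date).ToUniversalTime()

$report = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $ExpiryAttr |
    ForEach-Object {
        $raw = $_.$ExpiryAttr
        if ($null -eq $raw) {
            # The CSE has never reported: not installed, GPO not applied,
            # or the computer lacks permission to write its own attributes.
            $status  = 'NeverReported'
            $expires = $null
        } else {
            # The attribute holds a Windows FILETIME value (UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $status  = if ($expires -lt $Now) { 'Overdue' } else { 'OK' }
        }
        [pscustomobject]@{
            Computer   = $_.Name
            Status     = $status
            ExpiresUtc = $expires
        }
    }

# Summary per status, then the machines that need attention.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Computer | Format-Table -AutoSize

# Principals holding the extended right to read stored passwords on this OU,
# i.e. the ACL that protects the confidential attribute.
Find-AdmPwdExtendedRights -Identity $SearchBase |
    Select-Object ObjectDN, ExtendedRightHolders | Format-List
```

An "Overdue" entry means the machine has not processed a GPO update since its password expired, which is common for devices that have been offline. Review the extended-rights output for groups that should not be able to read local administrator passwords.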
Installation steps for Microsoft LAPS:
Here is how to install Microsoft LAPS:
- Download the Microsoft LAPS package.
- The download link has multiple .msi files. Download the .msi file that matches your setup.
- Double-click the LAPS.x64.msi file. (You need to run this as administrator.)
- This opens the setup wizard. On the initial screen, click Next to continue.
- In the next window, accept the license agreement and click Next to proceed.
- In the features window, deselect the default “AdmPwd GPO Extension” and select “Management Tools”. If you are also managing the local administrator account of the management server, you also need to install “AdmPwd GPO Extension”.
- On the next page, click Install to begin the installation process.
- Once it has completed, click Finish.
Installation via GPO:
Another way to install LAPS is via GPO:
- Create a GPO and give it a name.
- Go to Computer Configuration => Policies => Software Settings.
- Right-click Software installation and click New => Package.
- Browse to the path where the file is located and select the LAPS software.
- Choose Assigned as the deployment method and click OK. The installer must be accessible from the network.
Implementation requirements:
Microsoft LAPS has a few implementation requirements:
- It only applies to Windows devices
- Devices must be domain joined
- It requires a free Group Policy client-side extension
- It only works for the local admin account
Features of LAPS:
LAPS includes the following features:
1. Security that provides the ability to:
- Randomly generate passwords that are automatically changed on managed machines.
- Effectively mitigate pass-the-hash (PtH) attacks that rely on identical local account passwords.
- Enforce password protection during transport via encryption using the Kerberos version 5 protocol.
- Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
2. Manageability that provides the ability to:
- Configure password parameters, including age, complexity, and length.
- Force password reset on a per-machine basis.
- Use a security model that is integrated with ACLs in Active Directory.
- Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
- Protect against computer account deletion.
- Easily implement the solution with a minimal footprint.
In this article we have tried to explain Microsoft LAPS. We hope you liked it! Thanks for reading this article.