Configuring and Deploying LAPS

Hey guys, it's Julia here, and in this video we are going to be going over how to set up LAPS. Now, dude Fox, would you like to explain what LAPS is?

So, LAPS stands for Local Administrator Password Solution. This was created by Microsoft when they had to release an update that no longer allows you to change the administrator password in Group Policy. This was done in 2008 R2, and I believe it was a security issue that they had. So what we're gonna do is install and set that up. It's not as simple as download it, install, you're done. There's some things you need to do after it's installed, and you have to install a client on every computer that you're gonna run it on.

Yep. So we're gonna start out by simply downloading LAPS. We'll put the link in the description to it for a direct download to Microsoft's download link page, but for this we're going to Google, and we're gonna Google for a LAPS download. First link here, we can see the download page. We will put a link to this in the description to make it easy for y'all. So we're gonna go ahead and click download, and since we only have 64-bit clients, we're gonna download 64-bit. So we're gonna go ahead and save this.

All right, so first thing we're going to do is install it on our server. So we're logged on under our admin user that we created. We're gonna just install it. Now, because this is the server and this is where you're going to be getting your password from, we need to install our management tools.

Now, may I ask, is this on the domain admin or the local admin that you're installing this on?

The local admin is not accessible unless you enter the Directory Services recovery mode.

So you're doing domain user?

Yes.

All right.

LAPS only works on the domain because of the way Group Policy works.

Yep.

So we're going to install the so-called fat client UI, as it's called, as well as the PowerShell modules and the Group Policy editor templates. So we're gonna go ahead and install those along with the GPO extensions, accept our UAC, and click Finish. Now, we're gonna deploy this out to our computers, or client systems, using Group Policy, so we're gonna drop this into the share folder that we created when we looked at Group Policy. So we'll just need to memorize that name for later on.

Now that we've got that installed, we need to run a couple of commands in PowerShell. This is to properly set up Group Policy and other stuff for LAPS. So we're gonna launch our shell as admin. So the first one we need to do is Import-Module AdmPwd... what happened there? Oh, we forgot .PS. There we go. So now we can Update-AdmPwdADSchema. So this will update the Active Directory schema with the necessary permissions and whatnot.

Yep.

So next what we need to do is give our systems access, or more specifically the OU of the computers. So we can figure that out by going into Active Directory Users and Computers, looking in our directory, and let's see, what is it... okay, so we can see that it's the Clients OU right here. So the command we will do is Set-AdmPwdComputerSelfPermission -OrgUnit, which stands for organizational unit. This is where you're going to give it the path of the OU and then our domain, which we called youtube.local.

So we imported our module, updated our Active Directory schema, now we're gonna give the OU, which is called Clients, which is where our computers are in Active Directory. So basically we're gonna give the OU called Clients, which we created in the Group Policy video, which is where our clients are located, our computers, we're gonna give that permission to write the password and the expiration date, which this command does. So now it's given the permissions.

Next thing we need to do is run two more commands, which gives a group... so we're just gonna give the... let's see, did we create a group for LAPS? We have not. So let's create a group for LAPS. We're just gonna call it LAPS. Okay, so next thing we need to do is give that group read and reset permissions. So we're gonna do Set-AdmPwdReadPasswordPermission. There will be a link to a guide in the description on the commands and other things you will need to do. So for the most part it's pretty similar. We just need to specify our OU, I believe, and -AllowedPrincipals, and that's where we specify our group, which we created and called LAPS. Oh, I must have spelled that wrong. Let me try that again. There we go. And pretty much we can hit up and change the Set-AdmPwdRead... you can just change that to Reset.

Sorry guys, I'm having audio problems. Go ahead.

You're just being a piece of garbage.

All right, go on. What did you just do here?

So we gave the LAPS group permission to read and reset the password, and you have to specify the OU, which we specified above for the self permission, which is the Clients OU. So now we're pretty much set up, apart from we need to give our admin users permission, or we need to give them the group. That's as simple as specifying LAPS, applying that, and then we need to re-log. All right, so now LAPS is fully set up and we can deploy LAPS to our computers.

Are you logging back in?

Yes, if I can hit the right button.

This looks like the local admin.

No, it's not.

Oh, it's the admin you created?

Yes.

But it don't look like the Active Directory sign-in.

Every Active Directory setup will be different. All right, so now what we need to do is we're gonna use Group Policy to deploy out our installer. So we're going to go up to Clients. We created a group policy called startup, so we'll just edit it, and it's under Policies: Computer Configuration, Policies, Software Settings, install, or Software Installation. We're gonna create a new package. Next we need to give it the UNC path, which is slash slash, I think it was Server 2019 / io stylish line, and then our files path that we have hidden, and there's our MSI file that we'll deploy out to our systems. We're gonna leave it as Assigned, and we're just gonna make sure settings look correct, and they do. So now this is set up.

So now what we can do is go over to our Enterprise, and then we're gonna restart our system, and if we watch startup we will see it actually install LAPS, because we enabled highly detailed status messages.

Yep, that was fast. I didn't see it.

Sometimes it's so quick you don't see it. It all depends on the computer. But we can check it by logging in and looking at our add and remove programs list. Let's hope it's there. Hmm. All right, it did not install that time. Let's run a group policy update. This should pull down the new policy for the installer, so this should fix that. Yep, says it can't be installed because it'll need to reboot. So we'll go ahead and tell it to restart, and because I'm lazy, I'm just gonna forcefully reboot it. It's taking longer this time to boot. It's really thinking about this one.

Here it goes, there it goes. I saw it that time. I saw it that time.

[Music]

Are you there?

So now if we log on...

I saw it do it. You can check to make sure, but I'm pretty sure I saw it.

So if we go check our programs list, it's gonna be there.

I saw it. Yep, right there.

So we head back over to the server. We can set up our password management. That's done via Group Policy again, the startup policy. If we go under Policies and Administrative Templates, we'll see a folder called LAPS. So from there we're gonna configure our password settings. Enable, so we can specify the length, how old the password will be before it resets, and what the password contains. We're just gonna leave it at defaults, but let's turn this down to like 10 days.

10 days.

The next setting is the name of the account that you want to change. We're gonna leave it alone, so it'll be the built-in administrator. So this will basically say, once the password expiration hits, change it immediately on next group policy update. And then this is to enable or disable... to disable what? This is to enable or disable LAPS from changing passwords.

Okay.

So we've enabled it to change the password and we've set up our password settings, so now on next reboot of that system or next group policy update... let's go ahead and update our policies.

[Music]

We can see our computer policy updated successfully, and so did our user policy. That now means our administrator password has changed. We can confirm this by loading up the fat client on... go ahead and say what you were saying again.

I don't think I'm on...

Your computer. Find out what the heck is broken. Fix it.

I don't know what it's... it's been doing this since yesterday.

Well, as we can see, once we did our group policy update after enabling the LAPS policy, it has set a password on that system and it will reset on this day at this time. We can of course force that by setting it to this date and this time, which has literally passed.

It's already passed.

So that means on next group policy update this will change. Yep, and that's LAPS.

So that's just to change the admin?

Yeah, that's to keep the built-in administrator account password protected. And the thing about it is that it's unique for every computer.

So you can get the information from the server of what that computer's built-in admin password is?

You could do that, or they could set it up in a way... you could install the fat client on any computer, as long as the computer is connected to the domain and you're logged on under the correct user with appropriate rights, and then you can access the passwords.

Yes, and it's always good to have this because the built-in admin by default does not have a password, and that is a big security risk. Even though the account is disabled, someone could enable it and then have access to the computer. So if you remember, in the last video I believe we did enable the administrator account.

Yeah.

So you need to have a password on the built-in admin. And one more question: does LAPS only work on the built-in admin account?

No, it can work on any account that you specify.

So if you had a certain user account, maybe on the domain for a certain user, you can make their password change? But then again that'd be silly, because they'd have to find out what the password is every time.

That's the point.

So it's mainly just good for the built-in admin, is what you're saying?

So it's good for any system. Most businesses or IT people will tell you to disable the administrator account and create a local administrator account and change the password for that.

Which is the same thing. You have a local admin when you need to change the... but you also have your admin.

Yeah.

But obviously, I guess having this on the built-in admin is more security.

Yeah. Technically you could do more than one. You'd just need multiple group policies for them.

Yes. So guys, I guess that's LAPS. Is there anything else to say?

Not really. It's mostly just, once you get all that set up, it's as simple as typing the name in the fat client. Boop, you got your password.

Nice. Anyways, thanks for watching everyone. Say bye-bye.
Info
Channel: Julia's Tech Spot
Views: 20,608
Keywords: LAPS, Local Administrator Password Solution, Windows Server, Installing LAPS, Admin, Admin account, Windows, Admin password, Group Policy, LAPS Group Policy
Id: tMlr3evye_w
Length: 16min 3sec (963 seconds)
Published: Sat Nov 16 2019