How to install and configure Microsoft Local Administrative Password Solution (LAPS)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello and welcome this is Marcus from terabyte this video is all gonna be about the Microsoft lapse service or local administrator password solution if you've never heard about laps before this might be abuse for you if you manage a lot of machines in an environment where you have to set local administrator accounts what you can do with wraps is is configure it on the demand and then that you can set it all up on all the machines and this elechi allow you to configure and use local administrator accounts a little bit easier than just having the same account across all machines so what happens is we need to configure laps it'll store a local administrator password in actually in Active Directory and an ad attribute so what we're gonna do it in this video is just briefly go through the how to actually download lops installer on the demand and then just go through a little bit of configuration and then stop there there's a lot to it or there can be a lot to it when you said all up so won't get too detailed for a little show the basics and then I'll put some links in the description below the video and then just go through and read through it and configure it to your heart's content yeah there's not a lot in it so we'll just get into it so what we'll need to do is you need to go to a URL which is I'll put in the description here and then you just download this file here which will give you an MSI file which I've already done and then all we do is just double click on the slops file go next and I've already had it installed before so I'll just remove that just so we know we're doing double click on this go next accept the license agreement and just for ease we'll just enable everything it's a very small install so won't really make much difference click Next hit install and that's it finished off for this bit anyway the next bit we need to do is actually run a bit of PowerShell so just to configure laps so we're just going to PowerShell here and then what you need to be an administrator so just say import module and then it's it the m p WD dove PS that present there that does that and then we need to do updates ad m pw d DD m p ee d ad schema again another thing with this is before you do all this poster if you do actually have to be a member of the schema admins within the demand if you're not this section of fail could actually updates a lot of the schema settings mister for active directory so just present that and there you go issuers that everything's been excessively installed and configured if you weren't a member of the schema admin or younger permissions to do it obviously similar so come up saying failed or error right so once that's done you can now go into local security policy well for this example and then we can go into computer configuration policies actually start again we're going to group policy management even and apologies for my phone just beeping there a second ago demands into my testament and now here you can actually either create your own group policy which could be recommended or for this one we're just going to go in and use the default domain one which i wouldn't really recommend but in here we just go to edit and then i lookin computer configuration we just go into policies into administrative templates and hopefully if it's install probably yep they were go to sale ups so you can just click on the laps there and as you see we've got four sections here which are not configured so there's a few bits there so the password settings one this one here this one no that just lets you couldn't silicone complexity of the password and how often you there needs to be changed as you can see here it gives you a bit of information here so you just say enabled change the complexity to whatever you like for the passwords lengthen and the password the name of administrator account to manage this veneer just goes in there this is Johnny required if you're going to rename the actual administrator account to something else so every time you install Windows it has an administrator account if you like you could just change that to something else for the overall security thinks it doesn't really matter if anyone's targeting your network or tighten your network it's quite easy to actually find out what an administrator is but it gives a little bit of extra confidence of complexity to helps protect you against the various accounts and stuff like that so do not allow password exploration time longer than policy as it Sears pretty much just goes in here and you can put the password agian and do things like that and then enable local admin password management this is the main important one full opps if you don't enable this one lapse won't be configured so you just say enable on there and do that and then that is just about all of it done and Mopsy with group policy it takes a while to replicate and go through what we can do in here the last little bits you need to do is actually tell laps what machines are going to be configured and managed so for this demand at the moment all we have is on the users and computers I've got all my computer's just in the computer one here and this is the one that will set it against so what you need to do is just run a PowerShell command which I'll stick in the comments below as well so you know what it is just set the computer self permission then org units and then that you put in the organizational units or whichever the unit's going to be managed so for this one I'm just going to say that and do that probably and that's now been delegated so what this will do is just tell Microsoft flops that everything's gonna be self-managed and permission against this or you here at the moment there's only one well there's nothing in there at the moment but if he did you could have lots of machines in there set it up configure it and go from there then the last thing you need to do is this is all finished on the server the last thing you'd after you need to do is that you copy a dll file onto every machine that you want to be managed and this is the ADM PWD doc dll file now depending upon how you manage your computers this could change from person to person there's a couple of ways you could do you could in install the the DLL by actually running this file here the MSI file that you got previously and then just go through change that and just find that dll file which would be this one here or what you can do is just go through onto the the server that you've installed it on look for the file it ADM pwdfocus me without dll and copy that under the machine via group policy deployments or any other managed service that you use to actually deploy files across and then once that stood obviously push out group policy across all the machines and that's it managed hopefully that makes a little bit of sense for you what I might actually do is do another video on this make it a bit more detailed and in-depth into it and that you go through configuring on the machine as well or just covering the DLL onto the machine and then having a look at all the settings and stuff like that I hope this makes sense if you like you say this video or anything else for their own just drop some comments and below this video Basheer if you could subscribe to this or like the video and go from there any comments that you have or any recommendations or if you've used a lapse before in the past you know feel free to comment on the video and we'll go from there thanks very much

Info

Channel: TeraByte IT Limited

Views: 8,593

Rating: undefined out of 5

Keywords: laps, password, active directory, microsoft, cybersecurity, domain, how to install microsoft laps, how to configure microsoft laps

Id: bVOJVgs2RJU

Channel Id: undefined

Length: 8min 40sec (520 seconds)

Published: Thu Jan 09 2020