Microsoft Windows : Setup LAPS (Local Administrator Password Solution)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] you today we're going to be looking at how to install laps in our domain environment so laps is the local administrator password solution so what in short what laps is doing is it is helping us manage the local administrator account on all of our workstation computers this gives us an advantage because in an enterprise environment most of us are doing some sort of imaging and in that process when we create a golden image you will have an admin account on that that image usually with that account you have a password that password is now going to be replicated across your environment so you could have hundreds to thousands of computers with the same exact password that's all great-grand it's easy to remember however the big flaw of that is if that password is compromised in any way then so are all 1,000 or hundreds of your computers so lapses is a tool that we can use to help us manage these accounts what it is doing is it is changing the password given the parameters that we give it so by default is 30 days and then every 30 days the passwords changing to the complexity that we give it and obviously it is then reporting back to our domain controller what the password is along with the expiration date that's allowing us to be able to look up what that information is so next we'll get started in installing laughs so we'll go to this web page on Microsoft's website where we can download it so we'll go here and download it I'll include the link in the description below so I'm just gonna do the 64-bit version we'll hit next it's okay so now we're gonna install laps I'm gonna hit next we're just gonna agree to everything so right here on our management tools we're gonna do entire feature will be installed on the local hard drive click that hit yes and then install and what this is doing is this isn't giving uh giving us the GPO or the administrative template burger policy along with powershell scripts that we'll need in just a second to modify our schema of our domain as well as giving permissions to the organizational unit that our computers will reside in to be able to allow our computers that are in that unit to be able to write back to the domain what the password and expiration dates are so we're gonna hit finished here we'll close that out we'll get a PowerShell so the PowerShell couple of commands we're going to type in the first one is going to be import module and then it's going to be a DM PW dps and that's going to import our lapse module in to our so we can use it inside of PowerShell so the next one is gonna be update - a DM PWD ad schema now at this point we are modifying our domain schema so essentially what we're doing is we're adding two extra fields we're adding a field for the password and we're adding a field for our expiration date we're gonna hit enter on that and I left an S off so it's not a run try again alright so we see successful so now that that's been modified so the next thing we're going to want to do is we're gonna want to add permissions write permissions to our organizational unit that the computers will reside in because the computers will be the ones generating the password and then writing it to the domain so a quick trick that I have is if I know a computer name in the organizational unit that I'm needing to assign those right right rights to I'll do get 80 computer and then we'll do IT LJ u p1 so what we're looking for here is we need to know the organizational unit that it's in and it's going to want to do in this LDAP type format so the next command we'll want to do is a DM PWD computer self permission and then - Oh our G unit and then quotation and then we're gonna come up here and then we're gonna copy this last part out paste it and in our quote so essentially we're copying everything after the C N equals and then the computer name after that last comma right here we're gonna copy everything after that so hit enter so now our computer has access to our domain to write to those specific fields it does not have real access to write anywhere else so we're finish up our show so next we're gonna move into our group policies this will want to make sure that our admx files are in the correct is we're using a central store we'll go in here and check our central store to make sure that they're there and what we're looking for is an admx file called ADM PWD i don't see that so what we can do is we can go into the windows folder and then into policy definitions and then we'll see it in there so when we ran that installer at copy copied it here instead of our central store that's perfectly okay though so we'll go back to our sis fault folder policies and we'll paste it in here and you know what I forgot the 80 ml file let's go get that as well all right great so one last thing we'll want to do is we want to go the original file the MSI file that we downloaded for laps we want to go take that local copy that's going to our downloads folder copy that now we're gonna go back to our our net logon folder and we're gonna paste this in here this is gonna be very important in just a moment so now we'll go and we're gonna now modify our group policy objects for this we're gonna create a group policy object for controlling or LDAP settings so we're gonna do two things here we're going to create an object so we're just going to do LDAP I keep saying L doubt it's laughs settings so then we'll go to edit so we're gonna add that policy and then we'll go to oh sorry I'll under computer configuration we're gonna go to software settings first and we're gonna create a new package and we're gonna go to our Net logon folder or our domain and we're gonna select the lap 64-bit so this will now on reboot install the laps agent that's required to be on the machine this agent will be what is communicating with our server and reporting the password it is well Li also generating our passwords as well so the next thing we want to do is we want to go to administrative templates and we'll see we have one for laps now so we'll make that a little bit bigger and so we'll first one we'll edit is password settings we'll go to edit and then we'll just select enabled under here you can see a kind of password complexity if you'd like to change that you're more than welcome to password length and age and then the next one we want to do is enable local admin password management we'll go edit that hit enable apply okay so this is everything that we need to do on our domain controllers to allow labs to be able to work so next we're gonna go to our workstation machine and I'm going to show you what we need to do moving forward to get these settings applied and get laps running on our work sessions so now that we're on our workstation machine that we're going to be applying laps to the main thing we'll need to do is we'll need to go to our command prompt and then we'll run gpupdate space four slash Devore's this will apply any group policy changes that we have made so essentially again what this is doing is this is this is pulling of the software install that we're going to apply and making sure that it knows exactly where it is and what organizational unit it's just a good way to force it these group policy changes happen every 99 minutes however they're they're all ways of forcing it so we're gonna restart this PC so we've rebooted our PC and we're back logged in so the first thing I would recommend doing is going to control panel and then going to our program features programs and features and then we can see that Labs has been installed so from here the next thing I would do is go to command prompt and we're gonna do one more gpupdate force once this is done we can now hop back on our domain controller and see if the password has been reported back to it so now we're back on our domain controller and what we'll do is we'll go to our search feature and we'll type in laughs so when we originally installed laps it allowed us to install this laps UI software it's just a small piece of software that allows us to look up the so we'll just type in our computer name says IT LJ - ep 1 and we'll click search and there is the password for this piece the PC that's in that organizational unit as we add new machines those passwords will be different I hope this video has been helpful feel free to leave a comment on this video if you have any questions also please consider subscribing to the channel I will be putting out new content on a weekly basis and again hope this video has been helpful for you have a great rest of your day [Music]
Info
Channel: IT Lumberjack
Views: 3,256
Rating: undefined out of 5
Keywords:
Id: V90G8jeKsy4
Channel Id: undefined
Length: 11min 49sec (709 seconds)
Published: Fri May 22 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.