Local Administrator Password Solution (LAPS) Setup

Prerequisites

Download the LAPS application here.
There is a good Walk-Through by Kyle Beckman  (@kobeckman) that covers this topic well.  He does a great job!  I’m just adding Client Install & Admin Install information, if you want to use ConfigMgr. I’m going to point you to his Blog to get the Active Directory / Group Policy side setup, then you can use the information in this post for deploying the client & admin UI via ConfigMgr.
Part 1 – https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/

Parts 2- https://4sysops.com/archives/set-up-clients-for-microsoft-laps-local-administrator-password-solution/

Update 9/26/16 – Another nice post about setup: https://modalyitblog.wordpress.com/2016/09/25/automating-management-of-local-administrator-passwords-microsoft-laps/

 

Deploy Software to Clients w/ ConfigMgr Application

All workstations:
msiexec /i laps.x64.msi /qn
msiexec /i laps.x86.msi /qn

image

Application:
image image image

First, the x64
image image image image image image

Now x86
image imageimage image image image

I’m using a custom rule to detect if system is x86 or x64, that information can be found here.

Deploy that to all of your clients.

 

Deploy Admin Tool w/ ConfigMgr Application

Now you’ll need the Admin UI to look up the Passwords for your Service Desk:

image
image  image image

It’s completely identical to the x64 method, except, 2 changes:
Change the install Program to: msiexec /i “LAPS.x64.msi” ADDLOCAL=ALL /qn
And add another detection method for the Admin UI tool.
image image

Now deploy this to your Service Desk, or make it available to the AD group that you granted permissions to, to lookup the passwords, then they can go grab it from the Application Catalog.
image
Once the Admin Install is complete, they will have the LAPS UI app available:

image

image

With the client now being pushed, and the group policys applied to the workstations, they will start to populate those atributes in AD.

Just as a note, if you have a process in place to automatically deletes inactive computers from AD, you will not have the ability to lookup the local administrator password any longer if the computer has been removed from AD, as the object in AD that held the local administrator password is gone:
image

5 thoughts on “Local Administrator Password Solution (LAPS) Setup”

  1. There is a problem with the detection method in this article. The MSI product code is the same for both the Admin tool and the client meaning if someone installs the admin tool first with the dual detections then the client gets deployed to their system the system will think it’s already there because you are only using the MSI which would already exit. Just something people should be aware of.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.