Prerequisites
Download the LAPS application here.
There is a good Walk-Through by Kyle Beckman (@kobeckman) that covers this topic well. He does a great job! I’m just adding Client Install & Admin Install information, if you want to use ConfigMgr. I’m going to point you to his Blog to get the Active Directory / Group Policy side setup, then you can use the information in this post for deploying the client & admin UI via ConfigMgr.
Part 1 – https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/
Update 9/26/16 – Another nice post about setup: https://modalyitblog.wordpress.com/2016/09/25/automating-management-of-local-administrator-passwords-microsoft-laps/
Deploy Software to Clients w/ ConfigMgr Application
All workstations:
msiexec /i laps.x64.msi /qn
msiexec /i laps.x86.msi /qn
I’m using a custom rule to detect whether the system is x86 or x64; that information can be found here.
Deploy that to all of your clients.
Deploy Admin Tool w/ ConfigMgr Application
Now you’ll need the Admin UI to look up the Passwords for your Service Desk:
It’s identical to the x64 method, with 2 changes:
Change the install Program to: msiexec /i "LAPS.x64.msi" ADDLOCAL=ALL /qn
And add another detection method for the Admin UI tool.
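The client and the Admin UI install from the same MSI, so a product-code rule alone cannot tell which features are actually on a machine (a reader raises this in the comments below). The following script detection method is an added example, not part of the original post: it checks for a file that belongs to only one feature. The file paths are assumptions based on the default LAPS install directory, and the $Component switch and function name are illustrative.

```powershell
# ConfigMgr script detection method for LAPS (added example, not from the post).
# ConfigMgr reads the result as: exit code 0 plus any STDOUT text = installed,
# exit code 0 with no output = not installed.
# Detection scripts cannot take parameters, so set this per application:
# 'Client' in the client application, 'AdminUI' in the Admin Tool application.
$Component = 'Client'

# A 32-bit script host on a 64-bit OS sees ProgramFiles as "Program Files (x86)".
# ProgramW6432 always points at the native folder where the x64 MSI installs.
$ProgramFilesNative = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }

# Assumption: default install directory. Adjust if the MSI was installed elsewhere.
$LapsRoot = Join-Path $ProgramFilesNative 'LAPS'

# One marker file per feature, so a machine that has only one of the two
# features is not reported as having the other.
$Markers = @{
    Client  = Join-Path $LapsRoot 'CSE\AdmPwd.dll'   # Group Policy client-side extension
    AdminUI = Join-Path $LapsRoot 'AdmPwd.UI.exe'    # password lookup tool
}

function Test-LapsComponent {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'AdminUI')]
        [string]$Name
    )
    # True only when the marker exists and is a file, not a leftover empty folder.
    Test-Path -LiteralPath $Markers[$Name] -PathType Leaf
}

if (Test-LapsComponent -Name $Component) {
    # Any output on STDOUT tells ConfigMgr the application is installed.
    Write-Output "LAPS $Component detected"
}

# Always exit 0: a non-zero exit code is treated as a detection failure,
# not as "not installed".
exit 0
```

A machine that fails the Client check never receives the extension that rotates its local administrator password, so this is worth verifying on Service Desk workstations in particular.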
Now deploy this to your Service Desk, or make it available to the AD group that you granted permission to look up the passwords; they can then go grab it from the Application Catalog.
Once the Admin Install is complete, they will have the LAPS UI app available:
With the client now being pushed, and the group policies applied to the workstations, they will start to populate those attributes in AD.
Just as a note, if you have a process in place that automatically deletes inactive computers from AD, you will no longer be able to look up the local administrator password once the computer has been removed from AD, as the object in AD that held the local administrator password is gone:
Thanks for the shout out and links, but I’m actually the author on the LAPS article on 4sysops.
Sorry about that, I just updated the Article to reflect that. Thanks again for your great blog articles!
LAPS SCCM integration: https://gallery.technet.microsoft.com/LAPS-Extension-for-SCCM-e8bd35b1
Thanks for the mention Gary!
There is a problem with the detection method in this article. The MSI product code is the same for both the Admin tool and the client, meaning if someone installs the admin tool first with the dual detections, then the client gets deployed to their system, the system will think it’s already there because you are only using the MSI, which would already exist. Just something people should be aware of.