Installation of LAPS Password Management

Demo Deployment
Version: 1.0
Last Modified: 2017.11.2

The content of this document is property of Omni Technology Solutions, Inc. All Rights Reserved. All trademarks are property of their respective owners. Any reproduction in whole or in part is strictly prohibited without the written permission of Omni Technology Solutions. This document is subject to change. Comments, corrections or questions should be directed to the author.
Summary

Purpose
Provide the initial configuration steps required to enable LAPS password management in ServiceControl Demo environments. This document combines data and instructions from several sources, including Microsoft tutorials and our ICS team.

Contents
Installation of LAPS Password Management
Demo Deployment
Summary
Purpose
System Requirements
Preparing the Environment for LAPS
Installation of LAPS into Demo Environments
Phase 1: Install LAPS on the Domain Controller
Phase 2: Installing LAPS onto Clients
Phase 3: Extend the AD Schema
Phase 4: LAPS GPO Configuration
System Requirements

Supported Operating Systems: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista.

Active Directory (requires AD schema extension): Windows 2003 SP1 or later.

Managed machines: Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later. Note: Itanium-based machines are not supported.

Management tools: .NET Framework 4.0, PowerShell 2.0 or later.

Preparing the Environment for LAPS

Microsoft has designed LAPS to be a lightweight modification to the server. The Active Directory server serves as the repository for the password and its expiry date; these values are stored in confidential attributes in Active Directory. The schema must be modified for LAPS to be properly enabled within the environment.

To install LAPS, you require the following files from Microsoft:
1. https://www.microsoft.com/en-us/download/details.aspx?id=46899 This link takes you to the Microsoft download site for the LAPS installers.
2. This download also includes the Microsoft documentation for installing and understanding LAPS.
3. Required files:
   a. LAPS.x64.msi
   b. LAPS.x86.msi
   c. The other files included in the download are optional, as we have current copies in Teams > Infrastructure.

LAPS's reliance on Active Directory allows it to be a lightweight password management solution. The only change made to Active Directory is a schema modification that adds two attributes.
Installation of LAPS into Demo Environments

The installation of LAPS is straightforward. To demonstrate LAPS you need a Domain Controller with the modified schema and GPOs, and a client with the LAPS client installed. The following steps can be used to install LAPS into a demo environment.

Phase 1: Install LAPS on the Domain Controller

1. Copy LAPS.x64.msi and LAPS.x86.msi onto the DC.
2. Place the two installers into a network share so that clients can access them.
3. Install the version of LAPS for your DC architecture. In this case we are using LAPS.x64.msi.
4. On the Welcome to the Local Administrator Password Solution Setup Wizard page, click Next.
5. Accept the EULA for the LAPS installer.
6. The next step is choosing what to install. The DC requires the Management Tools: the Fat Client UI, the PowerShell module, and the GPO templates.
7. Click Next, then click Install and accept the UAC prompt.

Phase 2: Installing LAPS onto Clients

Currently the primary method for distributing LAPS to a small number of client machines is to use a GPO to push the installation onto the client computers. The GPO takes the installer, installs the DLL onto the client and registers it in the registry. (Temporary images borrowed from flamingkeys.com.)

1. On the Domain Controller, open the Group Policy Management Editor.
2. Create a new Group Policy Object that will be used to install LAPS on the clients.
3. Edit the new GPO > Computer Configuration > Policies > Software Settings > right-click Software Installation > New > Package.
4. Do this twice, creating two different installation packages: one for the 64-bit and one for the 32-bit computers. In the 32-bit package, make sure to uncheck "Make this 32-bit X86 application available to Win64 machines". This ensures that the correct DLL is installed on each machine.
5. Finally, in the same policy navigate to Administrative Templates > System > Logon and enable "Always wait for the network at computer startup and logon".
6. This ensures that the policy objects are properly distributed to the clients before users log on to their computers.

Phase 3: Extend the AD Schema

Requirements: This phase requires that the user account you are logged on as is a member of Schema Admins. On our demo environments, the ServiceControl user has traditionally been a member of Schema Admins. This is required because the schema cannot be changed without these credentials.

We will be adding the following two attributes to the AD schema:
   a. ms-Mcs-AdmPwd: stores the password; this attribute is confidential.
   b. ms-Mcs-AdmPwdExpirationTime: holds the expiration time that is used to cycle LAPS passwords.

1. Open PowerShell as an Administrator and import the AdmPwd.PS module.
2. Next, type Update-AdmPwdADSchema into PowerShell and press Enter.
3. PowerShell will respond with the operation, the DN of the DC, and whether the attribute was installed correctly.
4. Next, we need to configure the Active Directory permissions. This is required so that only specific individuals and accounts can read the two new attributes.
5. Open ADSIEdit.msc > right-click and select Connect to.
6. In the Connection Settings window, ensure that Default naming context is selected and click OK.
7. Next, find the organizational unit that contains all of the computer objects being managed with LAPS.
8. Right-click the OU and select Properties.
9. Click the Security tab and choose Advanced.
10. For each admin group that currently has All Extended Rights checked, uncheck the box and apply the permissions.
11. The last step is to grant client computers the ability to update their LAPS password attribute.
12. In PowerShell, type Set-AdmPwdComputerSelfPermission -OrgUnit OU=,DC=,DC= and PowerShell will return a message saying Delegated under Status if the operation was successful.
13. Next, run Set-AdmPwdReadPasswordPermission -OrgUnit OU=,DC=,DC= -AllowedPrincipals <users and groups to include>. This allows the users or groups added as principals to read the LAPS password. In our environment, this should include the default admin and ServiceControl.
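The Phase 3 PowerShell steps collected into one script, with a check for step 10, as an added example that is not part of the original document. It assumes the AdmPwd.PS and ActiveDirectory modules are present on the DC, that the session runs as a Schema Admins member, and that the placeholder OU distinguished name and the principal names below are replaced with your own.

```powershell
# Added example, not from the original document: Phase 3 from an elevated session on the DC.
$ManagedOU  = 'OU=<managed computers>,DC=<domain>,DC=<tld>'   # placeholder DN, not a real OU
$ReadGroups = @('Administrator', 'ServiceControl')            # principals named in step 13 (assumed names)

Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Step 2: extend the schema only if the two LAPS attributes are not there yet
# (Update-AdmPwdADSchema is safe to re-run, but this keeps the output readable).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$present  = @(Get-ADObject -SearchBase $schemaNC `
    -Filter 'name -eq "ms-Mcs-AdmPwd" -or name -eq "ms-Mcs-AdmPwdExpirationTime"')
if ($present.Count -lt 2) {
    Update-AdmPwdADSchema          # prints Operation / DistinguishedName / Status per attribute
}

# Step 12: computers may write their own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $ManagedOU

# Step 13: only the listed principals may read the password attribute.
Set-AdmPwdReadPasswordPermission -OrgUnit $ManagedOU -AllowedPrincipals $ReadGroups

# Check for step 10: every holder of All Extended Rights on the OU (and its child OUs)
# can read ms-Mcs-AdmPwd. Anyone listed here that is not in $ReadGroups should be
# removed in ADSI Edit as described in steps 5 to 10.
$holders = Find-AdmPwdExtendedRights -Identity $ManagedOU |
    Select-Object -ExpandProperty ExtendedRightHolders |
    Sort-Object -Unique
$holders
$unexpected = $holders | Where-Object {
    $h = $_
    -not ($ReadGroups | Where-Object { $h -like "*\$_" })
}
if ($unexpected) { Write-Warning "Unexpected password readers: $($unexpected -join ', ')" }
```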
Phase 4: LAPS GPO Configuration

This phase involves setting the policy rules that LAPS will enforce. In our demo environment, we have decided on several settings that provide the best demonstration experience.

1. Open the Group Policy Management Console > edit the LAPS policy we created in Phase 2 > Computer Configuration > Policies > Administrative Templates > LAPS.
2. Inside Password Settings, set the following rules:
   a. 14 characters in length
   b. Use upper case
   c. Use lower case
   d. Use special characters
   e. Password expires every 1 day
3. Inside Do not allow password expiration time longer than required, enable the setting.
4. Enable local admin password management: set this to Enabled.

That's it. There isn't anything else required to get LAPS installed into the ServiceControl Demo Environment.
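A client-side check that the Phase 2 software installation and the Phase 4 policy actually arrived on a managed computer, as an added example that is not part of the original document. It assumes the client has run gpupdate, that LAPS installed to its default path under Program Files, and that the registry value names below are the ones the LAPS client-side extension reads; the expected values are the demo settings from Phase 4 (the complexity value 4 is the closest LAPS option to upper, lower and special characters, since the policy has no setting without digits).

```powershell
# Added example, not from the original document: run on a managed client as Administrator.
$Expected = @{
    AdmPwdEnabled                  = 1   # step 4: Enable local admin password management
    PasswordComplexity             = 4   # step 2b-d: large + small letters, numbers, specials (assumed mapping)
    PasswordLength                 = 14  # step 2a
    PasswordAgeDays                = 1   # step 2e
    PwdExpirationProtectionEnabled = 1   # step 3: no expiration time longer than required
}
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$CseDll    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
$GpExtKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Test-LapsClient {
    $result = [ordered]@{}

    # Phase 2: the DLL pushed by the software-installation GPO must be on disk ...
    $result['CseInstalled'] = Test-Path $CseDll

    # ... and registered with Winlogon as a GP extension, otherwise the policy is never applied.
    $registered = Get-ChildItem $GpExtKey |
        Where-Object { (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd.dll' }
    $result['CseRegistered'] = [bool]$registered

    # Phase 4: compare each applied policy value with the demo settings.
    if (Test-Path $PolicyKey) {
        $applied = Get-ItemProperty $PolicyKey
        foreach ($name in $Expected.Keys) {
            $result[$name] = ($applied.$name -eq $Expected[$name])
        }
    } else {
        $result['PolicyPresent'] = $false   # GPO not linked, not applied, or CSE missing
    }
    [pscustomobject]$result
}

Test-LapsClient
```

Any False in the output points at the phase to revisit: CseInstalled or CseRegistered at Phase 2, the policy values at Phase 4.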