Types of Windows 11 Accounts and How to Manage Them

2. Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS) is a solution from Microsoft to manage passwords for local administrator accounts on computers connected to the domain. LAPS automatically generates a unique, random password for each local administrator account on each computer in the domain, and then stores it securely in Active Directory (AD). When administrators need access, they can retrieve passwords from AD, reducing the risk of using the same password across multiple devices.

Advantages of Using LAPS for Password Management

Using LAPS has several advantages, including:

  • With different passwords for each device, the risk of cyberattacks is reduced. If one password is leaked, only one device is affected.
  • LAPS automates password management, reducing the need to remember or share passwords manually.
  • LAPS allows administrators to monitor password changes and who accesses them, increasing transparency and accountability.

Steps to Configure LAPS via Group Policy

Here are the steps to set up LAPS via Group Policy:

1. LAPS Installation:

  • Download and install LAPS on your management computer.
  • Make sure all client computers have the LAPS agent installed.

2. Group Policy Configuration:

  • Open Group Policy Management Console (GPMC).
  • Create a new Group Policy Object (GPO) or edit an existing one.
  • Navigate to Computer Configuration > Policies > Administrative Templates > LAPS.
  • Set options such as:
      • Enable local admin password management: Enable password management for local administrator accounts.
      • Password settings: Specify the minimum length, complexity, and maximum validity period of the password.

3. Policy Implementation:

  • Once the policy is set up, make sure the policy is applied to the appropriate organizational unit (OU).
  • Use the gpupdate /force command on the client to apply the policy immediately.

4. Password Access:

Administrators can use the LAPS user interface to search for a specific computer, retrieve its local administrator password, or change the next expiration date.
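
After the policy has been applied, it is worth checking that every computer in the OU has actually stored a password and who is allowed to read it. The script below is an added example, not part of the original article. It assumes the legacy Microsoft LAPS client with its AdmPwd.PS module, the RSAT ActiveDirectory module, and a placeholder OU name.

```powershell
# Added example: audit LAPS coverage for one OU without reading any password.
# Assumptions: legacy Microsoft LAPS (AdmPwd.PS module), RSAT ActiveDirectory
# module, and a placeholder OU distinguished name.
param(
    [string]$OrgUnit = 'OU=Workstations,DC=example,DC=com'  # placeholder OU
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module AdmPwd.PS -ErrorAction Stop

$now = Get-Date

# Query only the expiration timestamp attribute; the password attribute is never requested.
$report = Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # No timestamp: the client never stored a password,
            # or the account running this script cannot read the attribute.
            $status  = 'NotManaged'
            $expires = $null
        }
        else {
            # The attribute is a Windows FILETIME value (64-bit integer, UTC).
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
            $status  = if ($expires -lt $now) { 'Expired' } else { 'OK' }
        }
        [pscustomobject]@{
            Computer = $_.Name
            Status   = $status
            Expires  = $expires
        }
    }

# Computers marked NotManaged or Expired need follow-up (agent missing, GPO not applied, machine offline).
$report | Sort-Object Status, Computer | Format-Table -AutoSize

# List the principals that hold the right to read stored passwords in this OU.
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize
```

Any unexpected group in the ExtendedRightHolders column can read every local administrator password in that OU and should be reviewed.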
