Since Microsoft changed the security policies the “old way” via policy to create a local admin account and give them a password does not work anymore – information about this security update can be found at: https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/
if you have installed this security patch and want to create a new policy “old-way” with a new user and password – you can not type-in any passwords because the fields are greyed-out:
The new way to do this is with Microsoft´s Local Admin Password Solution (LAPS) – see: https://www.microsoft.com/en-us/download/details.aspx?id=46899
you need a Management computer for installing the management tools, powershell module,… – in addition it is useful to have also all the AD management tools (users and computers, group policy editor,..) installed on this management computer.
Download all (you will need x86 and x64 later) packages from: https://www.microsoft.com/en-us/download/details.aspx?id=46899 to the management computer and start LAPS.x64.msi – or x86 if you have a 32bit management computer (build client packages later):
..install all the features:
Policy for installing client package:
LAPS needs a dll on all the computers where laps should store and change the local admin pwd. The easiest way to do that is, create a policy for deploying this package – start group policy editor and create a new policy :
..choose the LAPS x64 package first, for deploying software to 64bit clients/servers:
…we need also the x86 package:
…i will rename the packages (looks better than (2)) – right click -> properties:
…we want to avoid that the x86 package are also distributed to x64 computers – right click on x86 package and choose properties:
…uncheck “Make this 32-bit…..”:
…i have several OUs in my AD – Resources->Computers where all Workstations and Servers reside – i will link this GPO to my Resources OU:
..unfortunately LAPS client need a reboot to complete the update – you see this after GPUPDATE /FORCE:
Extend the AD schema:
open powershell with admin rights on your management server and import the laps ps module:
Get-Command -Module AdmPwd.ps
…the default permission to manage local passwords are less restrictive (Domain Users can read) – we want to change it – open ADSIEdit:
…because i have my own OU structure Resources->Computers,.. i have to right-click on ComputersOU and select Properties:
…be sure that under Security Tab are only Users that you give permissions are “All extended rights” checked – ie. Remove this checkmark from Everyone… (in Server 2016 permissions are correct (only Domain Admins, Enterprise Admins have rights), nothing to do in this OS…):
…now give all computers under your OU the permission to change their passwords for itself:
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=<name of OU>,DC=<name of dom>,DC=<name of dom>"
next give users the permission to read the passwords for computer in a OU (in my case ComputersOU) – you can make this very granular, ie use a AD group for workstations and another AD group for servers – Domain Admins are ok for my environment:
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=<name of OU>,DC=<name of Dom>,DC=<name of Dom>" -AllowedPrincipals "Domain Admins"
Create Local Password Policy:
Last step is to create a policy for changing local passwords, complexity and other – LAPS setup had installed a ADM template on your management workstation for that – so if you have also Group Policy Editor installed on this workstation open GPMC create a new policy and browse to CompConfig->Policies->Admin Templates->LAPS:
enable pwd management and change the other settings depending on your needs:
…if you have another policy that disables the local account named “Administrator” and create another user with the name ie “_adm_localAdmin” you must enable this policy setting and change the name to the name of your local admin account (if you have no policy like that and want to change the default local account named “Administrator” you can leave this as default – not configured:
dont forget to link your password policy to the appropriate OUs..
LAPS Setup installs a GUI Utility called “LAPS UI” on your management workstation:
or you find it in AD Users and Computers -> Computer Object -> Attributes (dont forget to check View->Advanced to show this tab):