Michael Wu

The Life of a Cloud Engineer

Posted on 04.04.16

How to deploy the LAPS by SCCM – Part 3

In this series of posts, I will demonstrate the steps to deploy the Local Administrator Password Solution (LAPS) by SCCM. This third post shows the deployment procedure on the server side and how to check the password. You can also check the other posts by the links below:

  • How to deploy the LAPS by SCCM – Part 1
  • How to deploy the LAPS by SCCM – Part 2

Modify the Active Directory Schema

The AD Schema needs to be extended by two new attributes.

  • ms-Mcs-AdmPwd – Stores the password in clear text
  • ms-Mcs-AdmPwdExpirationTime – Stores the time to reset the password

Make sure you have the LAPS PowerShell module installed on the workstation, as described in Part 1.

Run the following PowerShell commands as Administrator:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

[Screenshot: LAPS_SCCM_AD_Schema]

Delegate Computer Self Permission

This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password.

Run the following PowerShell command as Administrator:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

[Screenshot: LAPS_SCCM_machine_permission]

Group Policy

  • Change the Group Policy Settings. The settings are located under Computer Configuration\Administrative Templates\LAPS.

[Screenshot: LAPS_SCCM_GPO1]

  • Enable the local admin password management

[Screenshot: LAPS_SCCM_GPO2]

Check Password

There are several ways you can check the password.

1. AD object

You can check the password in the Attribute Editor of the AD computer object.

[Screenshot: LAPS_SCCM_CheckPwd1]

2. Fat GUI

If you installed the Fat Client UI in Part 1, you can check the password from the GUI tool. This is the fastest way for a single computer.

[Screenshot: LAPS_SCCM_CheckPwd2]

3. PowerShell

My favorite method is to use PowerShell to check the password. Imagine that you are out of the office troubleshooting a client's computer. You need the local password, but there is no Fat GUI or AD snap-in on the computer. PowerShell will save your day.

For the single computer:

Get-AdmPwdPassword -ComputerName <computername>

[Screenshot: LAPS_SCCM_CheckPwd3]

If you would like to check multiple computers in a specific OU:

$ou = "ou=desktops,dc=mike,dc=local"
Get-ADComputer -SearchBase $ou -Filter * | Get-AdmPwdPassword

TIP: If you don't see the password changed, try running GPUPDATE /FORCE on the local machine.
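As an added example (not from the original post), the following script audits every computer in an OU for LAPS status by reading only ms-Mcs-AdmPwdExpirationTime, so the account running it does not need the right to read ms-Mcs-AdmPwd. The OU path and the 30-day maximum password age are assumptions; adjust them to match your GPO.

```powershell
# Constructed audit example: report LAPS status per computer in an OU
# without reading the clear-text ms-Mcs-AdmPwd attribute.
# Assumes the ActiveDirectory module is installed and the OU below exists.
param(
    [string]$SearchBase = "ou=desktops,dc=mike,dc=local",  # hypothetical OU, same as the post
    [int]$MaxPasswordAgeDays = 30                           # assumed value of the LAPS GPO setting
)

Import-Module ActiveDirectory

$now = (Get-Date).ToUniversalTime()

Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null
        if (-not $raw) {
            # Attribute never written: GPO not applied, client extension missing,
            # or Set-AdmPwdComputerSelfPermission not run for this OU.
            $status = 'NotManaged'
        } else {
            # LAPS stores the timestamp as a Windows FILETIME (100-ns ticks since 1601, UTC).
            $expires = [DateTime]::FromFileTimeUtc([Int64]$raw)
            if ($expires -lt $now) {
                # Expiration has passed but the client has not rotated the password yet
                # (the case the GPUPDATE /FORCE tip above addresses).
                $status = 'Overdue'
            } elseif ($expires -gt $now.AddDays($MaxPasswordAgeDays)) {
                # Expiration further out than policy allows; worth a closer look.
                $status = 'BeyondPolicy'
            } else {
                $status = 'OK'
            }
        }
        [PSCustomObject]@{
            ComputerName = $_.Name
            Status       = $status
            ExpiresUtc   = $expires
        }
    } | Sort-Object Status, ComputerName | Format-Table -AutoSize
```

Computers reported as NotManaged or Overdue are the ones to follow up on before anyone relies on Get-AdmPwdPassword for them.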

You can find a more detailed procedure in the LAPS_OperationsGuide. Please leave a comment if you find this helpful or have any questions 🙂
