You can deploy Windows to devices in many ways through a number of first- and third-party solutions. But while different vendors offer similar ways to get your Windows-based images onto computers, many of those solutions offer little control over local accounts, and more specifically over the local Administrator account.

One lingering problem is that the local Administrator password is typically copied to every device on which the image is deployed. Since the local Administrator account has full control over a computer, a single shared password compromised on any one system puts every system that shares it at risk.

To combat this in a safe, secure manner, Microsoft developed LAPS as a means of administering the Administrator account password on each computer. It leverages Active Directory and Group Policy to force a randomized password to be generated for each device and written to an attribute on that device's computer object in AD. For added security, the randomized password is automatically changed after a specified length of time.


To successfully implement LAPS, you’ll need to adhere to these requirements:

Managing LAPS is a straightforward process once the initial installation has occurred. Before anything can be configured, the AD schema must be extended. Luckily, there’s a built-in PowerShell script that will allow Schema Admins to perform this task simply. After the schema has been extended, AD will be prepared with the proper attributes to store LAPS passwords as they are generated and written back to Active Directory.

Importing the included ADMX template into Group Policy adds the policies that manage the heart of LAPS, including the password recipe (length and complexity) and the expiration interval. Once the policies are imported, they can be configured to meet your organization's needs and linked to the OUs containing the devices you want LAPS to manage.

Once the policies have replicated across the domain, the clients receive the policy and LAPS generates a random password according to the recipe configured in the GPO. The client then writes that newly created password back to AD in the attribute titled ms-Mcs-AdmPwd, which is visible only to Domain Admins by default, while ms-Mcs-AdmPwdExpirationTime stores the expiration timestamp.
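The server-side steps described above (schema extension, ADMX import, permission delegation, and reading the stored password) can be carried out end to end with the AdmPwd.PS module that ships with the LAPS installer. The following is an added example, not code from the article or from Microsoft's documentation; the OU distinguished name, the help-desk group, the domain name and the computer name are constructed placeholders, and it assumes the LAPS management tools (PowerShell module and GPO templates) were installed on the machine you run it from.

```powershell
# Added example: LAPS server-side setup with the AdmPwd.PS cmdlets.
# Run from a domain-joined admin workstation that has the LAPS management
# tools installed. Step 1 needs Schema Admins; steps 2-4 need rights to
# modify the target OU (typically Domain Admins).
Import-Module AdmPwd.PS

# Placeholders; replace with your own values.
$targetOU   = "OU=Workstations,DC=corp,DC=example"
$helpdesk   = "CORP\Helpdesk-LAPS"
$centralStore = "\\corp.example\SYSVOL\corp.example\Policies\PolicyDefinitions"

# 1. Extend the AD schema once per forest. This adds the confidential
#    ms-Mcs-AdmPwd attribute and ms-Mcs-AdmPwdExpirationTime to the
#    computer class so clients have somewhere to write the password.
Update-AdmPwdADSchema

# 2. Make the ADMX/ADML available to Group Policy editors by copying the
#    templates the installer dropped locally into the central store.
Copy-Item "$env:windir\PolicyDefinitions\AdmPwd.admx" $centralStore
Copy-Item "$env:windir\PolicyDefinitions\en-US\AdmPwd.adml" "$centralStore\en-US\"

# 3. Grant each computer in the OU (SELF) write access to its own password
#    and expiration attributes; without this the client cannot store the
#    password it generates.
Set-AdmPwdComputerSelfPermission -OrgUnit $targetOU

# 4. Delegate read and reset rights to the help-desk group. By default only
#    Domain Admins can read the confidential attribute, so this is where
#    least privilege is decided.
Set-AdmPwdReadPasswordPermission  -OrgUnit $targetOU -AllowedPrincipals $helpdesk
Set-AdmPwdResetPasswordPermission -OrgUnit $targetOU -AllowedPrincipals $helpdesk

# 5. Audit: "All extended rights" on the OU also exposes the password, so
#    list any principal that already holds it and remove anything unexpected.
Find-AdmPwdExtendedRights -Identity $targetOU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 6. After the GPO (LAPS enabled, length, complexity, age) is linked and a
#    client has refreshed policy, retrieve the current password and expiry.
Get-AdmPwdPassword -ComputerName "WKS-001" |
    Format-List ComputerName, Password, ExpirationTimestamp

# 7. Force rotation for one machine: sets the expiration to now, so the
#    client generates a new password on its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName "WKS-001"
```

On a managed client, the applied GPO values land under HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd (for example AdmPwdEnabled, PasswordLength, PasswordComplexity and PasswordAgeDays), so `Get-ItemProperty` on that key is a quick way to confirm that a device actually received the policy before you expect a password to appear in AD.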


Your take

How does your organization manage local Admin passwords? What procedures have worked best (or not worked at all)? Share your stories with fellow TechRepublic members in the comments section.