It’s actually been around for a while now – LAPS or Local Administrator Password Solution – but honestly, it’s not something I’ve ever encountered in all the networks I’ve ever managed.  I was introduced to LAPS when I ran Ping Castle against my own environment, as a strongly recommended solution to implement.

The concept is pretty simple – LAPS sets a Local Administrator password policy against all the computers (except domain controllers) in a domain environment.  A typical policy:

  • Password is reset every X number of days
  • Password meets complexity requirements
  • Password meets length requirements

In my own environment I set a policy of 90 days and 24 completely randomized characters.

I found lots of resources online for getting started:

Both sites are great at detailing out the process.

The drawbacks I encountered:

  1. If deploying the MSI package via GPO, you do have to reboot the system for the install to happen
  2. It doesn’t work for domain-joined systems in Azure unless you’ve planned for this in advance

When you deploy an Azure Windows VM, the ‘administrator’ account is reserved by Azure, so you’re prompted to create your own.  The out-of-the-box LAPS configuration targets the Administrator account, so unless you plan ahead, have a policy that renames the default Administrator account to a different username, and incorporate that same username into your LAPS policy, your Azure Windows VMs will accept the policy but never return a password.

Truthfully, I did cheat this last bit by just adding the Administrator username to the Azure VM and giving it a random password.  LAPS then did grab that account and reset the password according to policy.  This isn’t the right way to do it though, so I don’t recommend it.  Best practice would be to set your own Local Administrator username, implement it across your domain, and incorporate it into your LAPS policy.
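The Azure mismatch described above is easy to spot from the endpoint itself. The following is an added example (not from the original post or from Microsoft’s LAPS tooling): a read-only PowerShell check that reads the applied LAPS policy from the registry path used by the legacy Microsoft LAPS (AdmPwd) client, and confirms the account the policy targets actually exists locally. The registry path, value names, and RID-500 fallback behaviour are assumptions based on the legacy LAPS client, not details from the post.

```powershell
# Added example: detect a LAPS policy that applied but targets an account this host
# does not have (e.g. an Azure VM whose built-in Administrator was renamed).
function Test-LapsManagedAccount {
    [CmdletBinding()]
    param(
        # Policy location written by the legacy LAPS ADMX template (assumed).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    )

    $result = [ordered]@{ Computer = $env:COMPUTERNAME; Status = ''; ManagedAccount = $null; Detail = '' }

    if (-not (Test-Path -Path $PolicyKey)) {
        $result.Status = 'NoPolicy'; $result.Detail = 'LAPS GPO has not applied to this host'
        return [pscustomobject]$result
    }
    $policy = Get-ItemProperty -Path $PolicyKey

    if ($policy.AdmPwdEnabled -ne 1) {
        $result.Status = 'PolicyDisabled'; $result.Detail = 'Policy present but AdmPwdEnabled is not 1'
        return [pscustomobject]$result
    }

    $configured = $policy.AdminAccountName
    if ([string]::IsNullOrWhiteSpace($configured)) {
        # No name configured: LAPS manages the built-in account by its well-known
        # RID-500 SID, whatever it has been renamed to.
        $account = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        $result.ManagedAccount = if ($account) { $account.Name } else { '<RID 500>' }
    } else {
        # A name was configured (e.g. "Administrator"): it must exist under that exact
        # name, which is where a renamed Azure VM account silently fails.
        $account = Get-LocalUser -Name $configured -ErrorAction SilentlyContinue
        $result.ManagedAccount = $configured
    }

    if (-not $account) {
        $result.Status = 'Mismatch'
        $result.Detail = "Policy targets '$($result.ManagedAccount)' but no such local account exists; LAPS will never set or publish a password"
    } elseif (-not $account.Enabled) {
        $result.Status = 'AccountDisabled'
        $result.Detail = "Managed account '$($account.Name)' exists but is disabled"
    } else {
        $result.Status = 'OK'
        $result.Detail = "Managed account present; policy: $($policy.PasswordLength) chars, reset every $($policy.PasswordAgeDays) days"
    }
    [pscustomobject]$result
}

Test-LapsManagedAccount | Format-List
```

Run it under an account with local administrator rights on a handful of Azure and on-premises machines; any `Mismatch` result identifies a host that will accept the GPO but never write a password back to AD.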