The Local Administrator Password Solution (LAPS) is a service offered by Microsoft to manage local administrator passwords and store them in Active Directory (AD). LAPS updates passwords on a regular basis in a fully automated manner, making it easier for you to manage your business without facing any trouble. To make sure that you never face a problem while using LAPS, the Microsoft Infrastructure team has implemented various LAPS schema extensions and created permissions for retrieving the passwords that are stored in AD.
Delegated OU customers may or may not use LAPS depending on their requirements; however, using LAPS is recommended for a smooth workflow and overall process experience.
How To Implement LAPS For Your Business?
Usually, it’s the responsibility of a Delegated OU customer to enable LAPS for their client computers in order to get access to the stored passwords. Doing so helps them keep everything in check in case something goes wrong on the client side, or if they forget their original passwords and want to retrieve them.
There are three parts of LAPS implementation on the customer side — Group Policy Object (GPO) administrative template files widely known as ADMX files, client-side extension (CSE), and GPO to apply LAPS settings on their computers along with administrative tools that are used for retrieving stored passwords.
If you want to improve the effectiveness of your client-facing business, learn to use Microsoft LAPS as soon as possible. In order to implement LAPS, you need to understand the entire procedure.
The first stage is to prepare the target computer. You need to install the CSE on every computer where you want to implement LAPS. It’s a single DLL file that contains the logic to process the password settings, change the password, and store the new password in AD. There are two ways to install the CSE: either by running setup and choosing the AdmPwd GPO extension, or by copying AdmPwd.dll to the computer and registering it with regsvr32.
The next stage is to create a GPO for enabling and configuring LAPS. For this, you need to install the ADMX files by running setup and selecting the option to install GPO Editor Templates.
To retrieve passwords, you can use any of these three tools: Active Directory Users and Computers (ADUC), PowerShell, or a fat client.
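For the PowerShell route, the following is an added example, not part of the original page or Microsoft's documentation. It reviews who may read the stored passwords in an OU, flags computers whose password was never stored or is overdue for rotation, and then retrieves one password. It assumes the AdmPwd.PS module from the LAPS management tools and the ActiveDirectory RSAT module are installed; the OU and computer name are placeholders.

```powershell
# Added example: audit and retrieval with the LAPS management tools.
# Assumptions: AdmPwd.PS and ActiveDirectory modules are installed;
# $OrgUnit and $Computer below are placeholders to replace with your own.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OrgUnit  = 'OU=Workstations,OU=ExampleDept,DC=example,DC=com'   # placeholder
$Computer = 'EXAMPLE-PC01'                                        # placeholder

# 1. Which principals hold the extended rights that allow reading the
#    stored passwords in this OU? Review the list for unexpected groups.
Find-AdmPwdExtendedRights -Identity $OrgUnit |
    Select-Object ObjectDN,
        @{ Name = 'Holders'; Expression = { $_.ExtendedRightHolders -join '; ' } } |
    Format-List

# 2. Which computers have no stored password or an expired one?
#    An empty expiration attribute usually means the CSE is not installed,
#    the GPO is not applied, or this account cannot read the attribute.
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'      # FILETIME stored as a large integer
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $status = if (-not $expires) { 'NoPasswordStored' } elseif ($expires -lt $now) { 'Overdue' } else { 'OK' }
        [pscustomobject]@{
            Computer   = $_.Name
            ExpiresUtc = $expires
            Status     = $status
        }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Computer |
    Format-Table -AutoSize

# 3. Retrieve the current password and its expiration for one computer.
#    The password field comes back empty if the caller lacks read permission.
Get-AdmPwdPassword -ComputerName $Computer |
    Select-Object ComputerName, Password, ExpirationTimestamp
```

Run step 1 before granting anyone retrieval access: any principal listed there can read every local administrator password stored under that OU.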