Local-Administrator-Password-Solution (LAPS) guide

The LAPS tool from Microsoft is designed to manage the local Administrator account password on Windows workstations and servers. In Academic Support (AS) departments it is automatically deployed for all managed workstations. (If you don’t have it installed, check in your Software Center for its status.) A different random password is set on each machine.

The local Administrator account should only be used when the network is inaccessible or domain access is unavailable. Your Nexus "bang" account should be the primary account used to log on to all systems.

Each AS group/department has a NEXUS security group applied to their department workstations granting administrator-level access and can be delegated the appropriate permissions so they can view and reset passwords for their systems.

Included in this article:

Deployment

LAPS is a group policy extension that is automatically deployed to all Academic Support workstations. The most recent installer files can be found at \\fileapps\winapps$\StandardApps\LAPS. The version you install must match the architecture of your system: 32 bit or 64 bit. To install the LAPS console or the PowerShell extensions you will need to modify the LAPS installation by completing the following steps:

  1. Run the 32 or 64 bit installer.

  2. Click Change.

     

  3. Select the components you want to install.

    1. Select Fat client UI for the LAPS console

    2. Select PowerShell module for the Windows PowerShell

    3. Click Next to complete the installation

Password settings

Passwords are reset every 90 days on each workstation. Passwords are 12 characters long and are a mix of Uppercase letters + lowercase letters + numbers. The time that the password changes will vary each day and likely won’t be consistent across machines.

 

Using the LAPS password:

  1. The username for the local admin account on the laptop is “.\istadministrator”

    1. Enter a dot and backslash prefix since it is a local account.

      1. Username = .\istadministrator

      2. Password = [Password-From-LAPS]

Reading random passwords:

It can sometimes be difficult to differentiate between an O (capital letter) and a 0 (number zero) in the password string.

Tip: Copying the password into Word will help to clarify the characters.

How to view and expire passwords

Your Nexus "bang" account (!userid) is required to view passwords.

There are two methods to view passwords for workstations:

Using the LAPS UI console.

This is the preferred way. See the Deployment section above for information on installing the LAPS fat client UI.

or

Using the Windows PowerShell (described below)

LAPS Console

Start > All Programs > LAPS > LAPS UI and then right-click to choose “Run as administrator.”

To view a password

In the LAPS console, type the hostname of the computer for which you wish to view the password and click Search.

To expire a password

To expire the password, select the time you want it to expire and click Set. For the password to change on the machine, group policy will need to refresh. To force a group policy refresh, open a command prompt and type gpupdate /force.


Windows PowerShell

The PowerShell modules will work on Windows 8.1 and Windows Server 2012R2. For Windows 7, users may need to install .NET Framework 4.5 and Windows Management Framework.

To view a password

  1. Open an administrative PowerShell Prompt.

    1. Start > All Programs > Accessories > Windows PowerShell

    2. If logged onto a standard user account, right-click on Windows PowerShell > Run as administrator > providing your Nexus bang account credentials

  2. Run the command Import-Module AdmPwd.PS.

Run the command Get-AdmPwdPassword host where host is the name of the computer you want to query the password for.

To expire a password

If a PowerShell Window is not open, complete steps 1 and 2 above. Then run the command Reset-AdmPwdPassword –Computername host where host is the name of the computer you want to reset.

For the password to change on the machine, group policy will need to refresh. To force a group policy refresh, open a command prompt and type gpupdate /force.

Related articles

Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.

Article feedback

If you’d like to share any feedback about this article, please let us know.