Local Administrator Password Solution

1. Installation

  • Note: Since April 2023, there is no need anymore to install Legacy LAPS on Windows 10 and Windows 11 computers.

  • Note: See LAPS Overview.

1.1. IT Computers

  • Run the LAPS.x64.msi file with administrative privileges.

  • Click Next.

  • Check I accept the terms in the License Agreement.

  • Click Next.

  • Select Management Tools and all its sub features.

  • Click Next.

  • Click Install.

  • Click Finish.

  • Run the gpupdate command at a Command Prompt with administrative privileges.

1.2. Other Computers

  • Run the LAPS.x64.msi file.

  • Click Next.

  • Check I accept the terms in the License Agreement.

  • Click Next.

  • Click Next.

  • Click Install.

  • Click Finish.

  • Run the gpupdate command at a Command Prompt with administrative privileges.

2. Usage

2.1. Command Prompt

To prevent having to type the LAPS password for IT notebooks, instead log on with the SMRU\ADadmin account. When SMRU\ADadmin is a member of the Administrators group, the user will have administrative privileges. Regular standard domain users can be given a separate domain account that is a member of the Administrators group on the computer that they need administrative privileges for.

  • Log on as a user who is a member of SMRU-IT-LAPS-ReadPassword_Grp.

  • Several useful aliases/commands are available in Delta Windows Tools to support LAPS.

    Set-AdministratorPassword       # Set local built-in Administrator password.

Start-AdminCommandPrompt        # Start Command Prompt with administrative privileges.

rem Get AD LAPS password for current or specified computer.
Get-AdministratorPassword [<computer>]

rem Logon as Administrator with RDP to computer using AD LAPS password.
rdp
rdp 127.0.0.2
rdp <computer>

rem Logon as Administrator with PuTTY to computer using id_rsa-auto.ppk private key.
smru-putty Administrator@<computer>
smru-putty Administrator@localhost

rem Logon as Administrator with SSH to computer using id_rsa-auto private key.
smru-ssh Administrator@<computer>
smru-ssh Administrator@localhost

Show-RemoteComputers
rdp <computer> <rdp port>
smru-putty -P <ssh port> Administrator@tbhf-web-mrm
smru-ssh -p <ssh port> Administrator@tbhf-web-mrm

# Optional:
scp -p smru@10.10.1.2:/media/Windows/Software/_Delta/Delta-Windows-Tools-#.#.#-x64.exe C:\Tmp
scp -p smru@10.10.1.2:/media/Windows/Software/CrowdStrike/SMRU/WindowsSensor-6.38.15205.0.exe C:\Tmp
scp -p smru@10.10.1.2:/media/Windows/Software/CrowdStrike/TBHF/WindowsSensor.MaverickGyr-6.38.15205.exe C:\Tmp

scp.exe -p -P <ssh port> W:\Software\CrowdStrike\SMRU\WindowsSensor-6.38.15205.0.exe Administrator@tbhf-web-mrm:

  • Note: For the rdp and smru-putty aliases to work make sure to have the id_rsa-auto.ppk file in your home folder.

  • Note: For the smru-ssh alias to work make sure to have the id_rsa-auto file in your home folder.

2.2. PowerShell

  • Log on as a user who is a member of SMRU-IT-LAPS-ReadPassword_Grp.

  • Enter the following commands at a PowerShell Command Prompt.

    Get-LapsADPassword -Identity $Env:ComputerName
Get-LapsADPassword -Identity SMRUWS-IT00
Reset-LapsPassword              # Rotate LAPS password on current computer.