How to Deploy the LAPS by SCCM – Part 3
This post covers the server-side steps of a LAPS deployment pushed by SCCM (schema extension, permission delegation, Group Policy) and the ways to verify that managed passwords are actually being set.
Modify the Active Directory Schema
The Active Directory schema extension adds two attributes to the computer class:
- ms-Mcs-AdmPwd – stores the current local Administrator password in clear text. It is marked as a confidential attribute, so only principals holding "All Extended Rights" (or an explicit read grant) on the computer object can read it; anyone with that right on the OU can read every password in it.
- ms-Mcs-AdmPwdExpirationTime – stores the time at which the client must reset the password (a FILETIME value).
Ensure the LAPS PowerShell module (AdmPwd.PS, part of the management tools) is installed, as covered in Part 1.
Run the following in an elevated PowerShell as a member of Schema Admins, on a machine that can reach the schema master; the extension is done once per forest:
Import-module AdmPwd.PS
Update-AdmPwdADSchema
Delegate Computer Self Permission
This step grants the SELF principal write access to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on every computer object under the OU, so each machine can write its own managed local Administrator password and expiration timestamp. Without it the client-side extension fails to store the password and the attributes stay empty.
Run as Administrator (Domain Admin rights are needed to change the OU ACL):
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
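The schema and delegation steps above, with the audit a practitioner should do afterwards, as an added example (this is not code from the original post). It assumes the OU from this series (ou=desktops,dc=mike,dc=local) and a hypothetical group named LAPS-Password-Readers that should be the only non-admin principal allowed to read passwords; the cmdlets are the standard ones shipped in the AdmPwd.PS module.

```powershell
# Added example, not from the original post.
# Run in an elevated PowerShell on a machine with the LAPS management tools installed.
# Step 1 needs Schema Admins membership; steps 2-4 need rights to edit the OU ACL.
Import-Module AdmPwd.PS

$ou     = "OU=Desktops,DC=mike,DC=local"   # assumed target OU (the OU used in this series)
$reader = "LAPS-Password-Readers"          # assumed AD group that may read/reset passwords

# 1. Extend the schema (once per forest) with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiration attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Audit: every principal holding "All Extended Rights" on the OU can read the clear-text
#    password, because ms-Mcs-AdmPwd is a confidential attribute guarded by that right.
#    Review this list and remove the right from groups that should not see passwords.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique

# 4. Grant read and reset rights explicitly to the intended group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $reader
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $reader

# 5. Confirm the result of step 4 (the group should now appear among the holders).
Find-AdmPwdExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
```

Step 3 is the one most deployments skip: "All Extended Rights" is commonly held by helpdesk or server-operator groups through old delegations, and each such group can read every LAPS password in the OU.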
Group Policy
- Create or edit a GPO linked to the OU that contains the managed computers, and under Computer Configuration\Administrative Templates\LAPS enable the "Enable local admin password management" setting. The client-side extension deployed by SCCM only acts on machines that receive this policy.
Check Password
1. AD Object
Open the computer object's properties in Active Directory Users and Computers (with View > Advanced Features turned on) and check the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes in the Attribute Editor tab. The values are only shown if your account has read rights to the confidential attribute.
2. Fat GUI
If the Fat client UI was installed in Part 1, the LAPS UI tool retrieves the password and expiration time for a single computer by name, and its "Set" button can shorten the expiration time to force a reset on the next policy refresh.
3. PowerShell
For a single computer:
Get-AdmPwdPassword -ComputerName <computername>
For multiple computers in a specific OU:
$ou = "ou=desktops,dc=mike,dc=local"
Get-ADComputer -SearchBase $ou -Filter * | Get-AdmPwdPassword
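An OU-wide health check built on the same cmdlets, as an added example that is not part of the original post. It assumes the OU from this series and that a machine whose expiration time has passed is the failure case worth chasing; the report deliberately omits the password itself so it can be kept or mailed without leaking secrets. Reset-AdmPwdPassword and Get-AdmPwdPassword are the real AdmPwd.PS cmdlets; the machine name PC01 is a placeholder.

```powershell
# Added example, not from the original post.
# Lists computers in an OU that have no LAPS password yet, or whose password is past its
# expiration time, and shows how to force one of them to rotate on the next policy refresh.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou  = "ou=desktops,dc=mike,dc=local"   # assumed OU (the OU used in this series)
$now = Get-Date

# Get-AdmPwdPassword returns ComputerName, DistinguishedName, Password and ExpirationTimestamp.
# Keep everything except the password: the report must not become a second copy of the secrets.
$report = Get-ADComputer -SearchBase $ou -Filter * |
    Get-AdmPwdPassword |
    ForEach-Object {
        [pscustomobject]@{
            ComputerName = $_.ComputerName
            HasPassword  = -not [string]::IsNullOrEmpty($_.Password)
            Expires      = $_.ExpirationTimestamp
            Expired      = ($null -ne $_.ExpirationTimestamp) -and ($_.ExpirationTimestamp -lt $now)
        }
    }

# No password at all: the GPO has not applied, the CSE is not installed, or SELF lacks write
# permission on the object. Start with gpresult / the AdmPwd event log on that machine.
"Computers with no LAPS password:"
$report | Where-Object { -not $_.HasPassword } | Format-Table ComputerName -AutoSize

# Password exists but expiration time has passed: the client has stopped refreshing policy.
"Computers whose password is past expiration:"
$report | Where-Object { $_.Expired } | Format-Table ComputerName, Expires -AutoSize

# Force an immediate rotation for one machine: this only sets ms-Mcs-AdmPwdExpirationTime to now,
# the client generates the new password on its next Group Policy refresh (or gpupdate /force).
Reset-AdmPwdPassword -ComputerName "PC01" -WhenEffective $now   # PC01 is a placeholder name
```

Because Get-AdmPwdPassword returns the clear-text password, run this from an administrative workstation and avoid piping its raw output into files or transcripts.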
TIP: The client only generates a new password when it sees, during a Group Policy refresh, that ms-Mcs-AdmPwdExpirationTime has passed. If passwords have not changed, run GPUPDATE /FORCE on the local machine to trigger a refresh; if the expiration time is still in the future, shorten it first (Reset-AdmPwdPassword or the UI tool) and then refresh policy.
For detailed procedures, consult the LAPS_OperationsGuide documentation.