Microsoft LAPS for Homelab
I recently rolled out laps for some of my homelab servers. With LAPS enabled, I no longer have to keep a list of local administrator passwords for my Windows servers. It also prevents you from having one local administrative password across all your VMs.
Prereqs
First, LAPS is a newer feature and only supported on newer OS versions. See: Supported Platforms
This one is kind of obvious, but the VMs must be either Azure Active Directory or Active Directory joined (or hybrid).
DFL of 2016 or higher.
Implementation
My devices are domain joined so I will be proceeding with the steps for that scenario.
1) First, I made sure my account was in the schema admins group. This built-in AD group is domain\Schema Admins. If you just added your admin account to that group, you may need to log off and back on again, before running the below PowerShell command.
2) Then I can run the schema extensions PowerShell command from one of my 2019 or 2022 domain controllers
Update-LapsADSchema -Verbose
3) I also created a test OU for this. I then created a LAPS GPO and applied it to the OU (make sure you move at least one test VM to that OU). LAPS configuration can be found at Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS.
4) Lastly, I had to grant permission for LAPS to reset the local passwords. In the PowerShell line below, “Laps Test” is the name of my test OU. This field accepts either the name or distinguishedName. Both examples below:
Set-LapsADComputerSelfPermission -Identity "Laps Test"
Set-LapsADComputerSelfPermission -Identity "OU=Laps Test,DC=your,DC=domain"
Testing and Verification
Now that everything is set up and has had time to sync, I can test it out and make sure I am rotating the local administrator password on one of my test servers.
On one of my domain controllers I ran the following command to get the password of my test server named “xcpconfigmgr”
Get-LapsADPassword -Identity xcpconfigmgr -AsPlainText
And the output I got
I can then test that password by logging in as the local admin account.
If you run into any issues, take a look at Event Viewer on the target workstation (Applications and Services Logs -> Microsoft -> Windows -> LAPS)