Hello,
Microsoft updated the tool I mentioned in an old post of mine. This tool helps you mitigate MS14-025 and raise the protection level of the workstations and servers inside your Active Directory domain. Formerly known as AdminPwd, Local Administrator Password Solution (LAPS) is now much more user-friendly and available as an official Microsoft download.
Local Administrator Password Solution for Domain Joined Computers
I really recommend reading the documentation included in the download link; it's good reading, and the operation guide is a complete walk-through of how to install and operate the tool.
As illustrated, the tool relies on a Group Policy Client Side Extension (CSE) to trigger a password change for the local administrator and then store the new password in your Active Directory. This implies a local DLL on each computer whose password you want renewed under the new rules. The documentation provides a way to install the DLL from the MSI in a completely silent installation:
msiexec /q /i <path>\LAPS.<platform>.msi ADDLOCAL=<FeatureID>
You can manage the password complexity settings and parameters under this registry key:
HKLM\Software\Policies\Microsoft Services\AdmPwd
Or, you can use a GPO from the ADMX file in the installer.
It still requires an Active Directory schema extension; the added attributes are:
- ms-Mcs-AdmPwdExpirationTime
- ms-Mcs-AdmPwd
The new package also provides the cmdlets needed to manage permissions on those attributes:
Note: You’ll notice the old name of the tool as the PowerShell module name.
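The permission workflow those cmdlets support, as an added example that is not part of the original post or of Microsoft's documentation: it delegates access to the two attributes on one OU, then audits who can read the stored passwords. The OU name, the group names and the expected-holders baseline are placeholders chosen for illustration.

```powershell
# Added example, not from the original post. OU and group names are placeholders.
# Assumes the LAPS management tools (AdmPwd.PS module) are installed and the
# account may change the schema (step 1) and the OU's ACL (steps 2-3).
Import-Module AdmPwd.PS

$OrgUnit      = 'OU=Workstations,DC=example,DC=test'   # placeholder
$ReadersGroup = 'EXAMPLE\LAPS-Readers'                 # placeholder
$ResetGroup   = 'EXAMPLE\LAPS-Resetters'               # placeholder
$ExtendSchema = $false   # set to $true only for the one-time schema extension
# Principals expected to hold extended rights on the OU (assumed baseline).
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', $ReadersGroup)

# 1. One-time: add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the schema.
if ($ExtendSchema) { Update-AdmPwdADSchema }

# 2. Let computers in the OU write their own password and expiration time.
Set-AdmPwdComputerSelfPermission -OrgUnit $OrgUnit

# 3. Delegate password read and forced reset to separate groups.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OrgUnit -AllowedPrincipals $ReadersGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OrgUnit -AllowedPrincipals $ResetGroup

# 4. Audit: anyone holding "All extended rights" on the OU can read the stored
#    passwords, so flag every holder that is not in the expected baseline.
$unexpected = Find-AdmPwdExtendedRights -Identity $OrgUnit |
    ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $_ -notin $ExpectedHolders } |
            ForEach-Object { [pscustomobject]@{ ObjectDN = $dn; Holder = $_ } }
    }

if ($unexpected) {
    Write-Warning 'Principals outside the baseline can read LAPS passwords:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "No unexpected extended-right holders on $OrgUnit"
}
```

Re-run step 4 after any change to the OU's ACL, since a later delegation of full control also grants read access to ms-Mcs-AdmPwd.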
Conclusion
Local Administrator Password Solution is a very easy way to protect yourself against MS14-025; I highly recommend deploying it as soon as possible.