Microsoft updated the tool I mentioned in an old post of mine. This tool is aimed to help you mitigate MS14-025 and elevate the protection level of your workstations and servers inside your Active Directory domain.Formerly known as AdminPwd, Local Administrator Password Solution (LAPS) is now much more user friendly and available as an official Microsoft download.
Local Administrator Password Solution for Domain Joined Computers
I really recommend you to read the documentation included in the download link, it’s good reading, the operation guide is a complete walk-through about how to install and operate the tool.
As illustrated, the tool is based on Client Side Extension (CSE) GPO to trigger a password change for the local administrator, and then store it in your Active Directory. This implies a local DLL on each computer you want to be able to renew its password with the new rules. The documentation provide you a way to install the DLL with the MSI in a complete silent installation:
msiexec /q /i <path>LAPS.<platform>.msi ADDLOCAL=<FeatureID>
You can manage the settings and parameters of the password complexity with this registry folder:
Or, you can use a GPO from the ADMX file in the installer.
It still require an Active Directory schema extension, the added attributes are :
The new package also provide you the needed cmdlets to manage permissions on those attributes:
Note: You’ll notice the old name of the tool as the PowerShell module name.
Local Administrator Password solution a very easy way to protect you against MS14-025, I highly recommend you to deploy it as soon as possible.