LAPS and MDT

lupinlicious 126 Reputation points
2022-04-23T06:25:23.223+00:00

Dear all,

I have a few questions about LAPS and MDT, and I would appreciate some guidelines on how to implement this:

  1. I have a server but no access to manage AD/DC from the organization, and I'm wondering if I'll be able to install LAPS on my MDT server?
  2. Will I be able to extend the AD schema? Am I able to do this with Update-AdmPwdADSchema? Or which OU do I need to take into account?
  3. I'm using local administrator accounts for different tasks, like MDT_BA. Will MDT break when using random passwords if I'm using LAPS, and how will it work with the customsettings.ini?

Thaaaanks!

Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
Microsoft Deployment Toolkit
A collection of Microsoft tools and documentation for automating desktop and server deployment. Previously known as Microsoft Solution Accelerator for Business Desktop Deployment (BDD).

2 answers

  1. Limitless Technology 39,336 Reputation points
    2022-04-26T09:48:41.97+00:00

    Hi there,

    Yes, you will be able to install LAPS on your MDT server. You can add an application in MDT or add a custom command in your task sequence to silently install LAPS.

    Silent install command:
    msiexec /i <file location>LAPS.msi /quiet

    Once LAPS is in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator's password.

    Step-by-Step Guide: How to Configure Microsoft Local Administrator Password Solution (LAPS) https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185


    --If the reply is helpful, please Upvote and Accept it as an answer–

    1 person found this answer helpful.

  2. Simon Ren-MSFT 29,791 Reputation points Microsoft Vendor
    2022-04-25T08:15:24.567+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    Per my experience, we can't achieve LAPS without access to manage AD/DC. A domain account that has Schema Admin rights is needed to extend the Active Directory Schema. By default, we also need Domain Admins permissions to configure Active Directory Computer Permissions and User Permissions.

    For more detailed steps, please refer to:
    Microsoft LAPS Step by Step – Part 1
    Microsoft LAPS Step by Step – Part 2
    Please note: The links are not from Microsoft, just for your reference.

    Hope it helps. Thanks for your time.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

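
The rights discussed in the answers above can be checked before attempting Update-AdmPwdADSchema. The following read-only preflight is an added example, not code from either poster or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, a domain-joined session, and the legacy Microsoft LAPS attribute names ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime; the function names are hypothetical.

```powershell
# Added example: read-only preflight for legacy Microsoft LAPS (AdmPwd).
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
# Function names below are hypothetical, chosen for this illustration.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-LapsSchemaExtended {
    # The legacy LAPS schema extension adds these two computer attributes.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $missing = @(foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)"
        if (-not $found) { $name }
    })
    [pscustomobject]@{
        SchemaExtended    = ($missing.Count -eq 0)
        MissingAttributes = $missing
    }
}

function Get-LapsRelevantGroup {
    # Well-known RIDs: 518 Schema Admins, 519 Enterprise Admins, 512 Domain Admins.
    $rids = @{ '518' = 'Schema Admins'; '519' = 'Enterprise Admins'; '512' = 'Domain Admins' }
    $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
    foreach ($sid in $sids) {
        if ($sid -match '^S-1-5-21-.+-(\d+)$' -and $rids.ContainsKey($Matches[1])) {
            $rids[$Matches[1]]
        }
    }
}

$schema = Test-LapsSchemaExtended
$groups = @(Get-LapsRelevantGroup)

if ($schema.SchemaExtended) {
    'Schema already contains the LAPS attributes; no schema change is needed.'
} elseif ($groups -contains 'Schema Admins') {
    'Schema is not extended; this account is in Schema Admins and can run Update-AdmPwdADSchema.'
} else {
    "Schema is not extended (missing: $($schema.MissingAttributes -join ', '))."
    'This account is not in Schema Admins; ask the AD team to extend the schema.'
}

# Domain Admins (by default) is what the second answer names for the OU permission step.
"Privileged groups in current token: $(if ($groups) { $groups -join ', ' } else { 'none' })"
```

The script only reads the schema partition and the current logon token, so it can be run from the MDT server with an ordinary domain account.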