0 Votes
lupinlicious asked LimitlessTechnology-2700 answered

LAPS and MDT

Dear all,

I have a few questions about LAPS and MDT, and I would appreciate some guidelines on how to implement this:

  1. I have a server but no access to manage AD/DC from the organization, and I'm wondering if I'll be able to install LAPS on my MDT server?

  2. Will I be able to extend the AD schema? Am I able to do this with Update-AdmPwdADSchema? Or which OU do I need to take into account?

  3. I'm using local administrator accounts for different tasks, like MDT_BA. Will MDT break when using random passwords if I'm using LAPS, and how will it work with the customsettings.ini?


Thaaaanks!



windows-server-2019 mem-mdt

0 Votes
SimonRenMSFT-3639 answered

Hi,

Thanks for posting in Microsoft MECM Q&A forum.

Per my experience, we can't achieve LAPS without access to manage AD/DC. A domain account that has Schema Admin rights is needed to extend the Active Directory Schema. By default, we also need Domain Admins permissions to configure Active Directory Computer Permissions and User Permissions.

For more detailed steps, please refer to:
Microsoft LAPS Step by Step – Part 1
Microsoft LAPS Step by Step – Part 2
Please note: The links are not from Microsoft, just for your reference.

Hope it helps. Thanks for your time.

Best regards,
Simon



1 Vote
LimitlessTechnology-2700 answered

Hi there,

Yes, you will be able to install LAPS on your MDT server. You can add an application in MDT or add a custom command in your task sequence to silently install LAPS.

Silent install command:

    msiexec /i <file location>LAPS.msi /quiet

Once LAPS is in place, the Group Policy client-side extension (CSE) installed on each computer will update the local administrator's password.

Step-by-Step: How to Configure Microsoft Local Administrator Password Solution (LAPS): https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185



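A task sequence step that wraps the silent install from the answer above and then checks that the client-side extension actually landed, as an added example that is not part of the thread. The parameter names, the log path, the `/norestart` and logging switches, and the default install locations of the legacy LAPS CSE are assumptions of this example.

```powershell
# Added example, not from the thread. $MsiPath and $LogPath are assumed values;
# point $MsiPath at wherever the task sequence stages LAPS.msi.
param(
    [string]$MsiPath = "$PSScriptRoot\LAPS.msi",
    [string]$LogPath = "$env:SystemRoot\Temp\LAPS-install.log"
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "LAPS installer not found at $MsiPath"
}

# Same silent install as in the answer, plus /norestart and a verbose MSI log
# so a failed deployment can be diagnosed afterwards.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# The local administrator password is only rotated if the Group Policy
# client-side extension is present and registered on the machine.
# Default locations used by the legacy LAPS installer (assumed unchanged):
$cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
$cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

$problems = @()
if (-not (Test-Path -LiteralPath $cseDll)) { $problems += "CSE DLL missing: $cseDll" }
if (-not (Test-Path -LiteralPath $cseKey)) { $problems += "CSE not registered: $cseKey" }

if ($problems.Count -gt 0) {
    # Surface the failure to the task sequence instead of silently deploying
    # a machine whose local administrator password will never be managed.
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

Write-Output "LAPS CSE installed and registered (msiexec exit code $($proc.ExitCode))."
exit $proc.ExitCode
```

Installing the CSE does not by itself rotate any password: that still depends on the schema extension, the OU permissions, and the LAPS Group Policy settings described in the other answer.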