Skip to content

Install

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
<#
    .Synopsis
    Local Admin Password Solution (LAPS)
    .DESCRIPTION
    1 - Downloads LAPS
    2 - Creates the required management groups
    3 - Updates AD Schema to include LAPS extensions
    4 - Creates a placeholder LAPS GPO
    5 - Configures the OUs where Readers and resetters will be granted permissions and Computers will have self delegation
    6 - Installs LAPS on Member Servers
    7 - Install LAPS UI on administration clients/servers
    .EXAMPLE
    Example of how to use this cmdlet
    .EXAMPLE
    Another example of how to use this cmdlet
#>

#download LAPS install file x64
Invoke-WebRequest -UseBasicParsing -Uri https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi -OutFile "$env:UserProfile\Downloads\LAPS.x64.msi"

#install PowerShell management tools, Management UI and copy ADMX template to policy store on management machine
Start-Process -Wait -FilePath msiexec.exe -ArgumentList "/i $env:UserProfile\Downloads\LAPS.x64.msi ADDLOCAL=Management.PS,Management.ADMX,Management.UI /q"

#Create LAPS groups 
#OU path where Groups will be created
$LapsGroupsOUPath = 'OU=Groups,DC=domain,DC=local'

#create groups
New-ADGroup -Name 'LAPS Readers' -GroupScope Global -Path $LapsGroupsOUPath
New-ADGroup -Name 'LAPS Resetters' -GroupScope Global -Path $LapsGroupsOUPath

Add-ADGroupMember -Identity 'LAPS Readers' -Members 'Local Admins', 'Domain Admins'
Add-ADGroupMember -Identity 'LAPS Resetters' -Members 'Local Admins', 'Domain Admins'


#create empty GPO
$GPOOUPath = 'OU=Servers,DC=domain,DC=local'
New-Gpo -Name 'LAPS' | New-GPLink -Target $GPOOUPath

# > Configurar manualmente definições da Grout Policy LAPS

#extend AD schema (Schema Admins and Enterprise Admins membership needed)
Update-AdmPwdADSchema

#Set delegation model
#OU path where Readers and resetters will be granted permissions and Computers will have self delegation
$OUPath = 'OU=ERP,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=RDS,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=SQL,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=ERP,OU=Shared,OU=Servers,DC=domain,DC=local',
'OU=RDS,OU=Shared,OU=Servers,DC=domain,DC=local',
'OU=SQL,OU=Shared,OU=Servers,DC=domain,DC=local'


$OUPath | ForEach-Object -Process {
  #Add machine rights to report passwords to AD
  Set-AdmPwdComputerSelfPermission -Identity $_

  #User perms to read and reset passwords
  Set-AdmPwdReadPasswordPermission -Identity $_ -AllowedPrincipals 'LAPS Readers'
  Set-AdmPwdResetPasswordPermission -Identity $_ -AllowedPrincipals 'LAPS Resetters'
}

$MemberServerAdmin = Get-Credential -UserName domain\rissys1 -Message 'Enter credentials to access member servers'
$MemberServers = (Get-ADComputer -Searchlocal 'OU=Servers,DC=domain,DC=local' -Filter {
    OperatingSystem -Like 'Windows*Server*' -and Enabled -eq $true
  } |
  Where-Object -FilterScript {
    $_.DistinguishedName -notlike '*OU=Domain Controllers*'
}).Name

$MemberServersSessions = New-PSSession -ComputerName $MemberServers

foreach ($session in $MemberServersSessions)
{
  Copy-Item -Path $env:UserProfile\Downloads\LAPS.x64.msi -ToSession $session -Destination 'C:\Windows\Temp' -Force
}

Invoke-Command -Session $MemberServersSessions -ScriptBlock {
  Start-Process -Wait -FilePath msiexec.exe -ArgumentList '/i C:\Windows\Temp\LAPS.x64.msi /q'
}

#Forces gpupdate on member servers
Invoke-Command -ComputerName $MemberServersSessions -ScriptBlock {
  Write-Output -InputObject N | gpupdate.exe /force
} -Credential $MemberServerAdmin

#Check for possible errors member servers
Invoke-Command -ComputerName $MemberServersSessions -Credential $MemberServerAdmin -ScriptBlock {
  Get-WinEvent -LogName Application 
} |
Where-Object -Property ProviderName -EQ -Value AdmPwd |
Sort-Object -Property PSComputerName |
Format-Table -AutoSize

#Forces password change
foreach ($Server in $MemberServersSessions) 
{
  Reset-AdmPwdPassword -ComputerName $Server
}

#Install LAPS UI
$LAPSUIServers = 'RDS001'
$LAPSUIServersSessions = New-PSSession -ComputerName $LAPSUIServers -Credential $MemberServerAdmin

foreach ($session in $LAPSUIServersSessions)
{
  Copy-Item -Path $env:UserProfile\Downloads\LAPS.x64.msi -ToSession $session -Destination 'C:\Windows\Temp' -Force
}
Invoke-Command -Session $LAPSUIServersSessions -ScriptBlock {
  Start-Process -Wait -FilePath msiexec.exe -ArgumentList '/i C:\Windows\Temp\LAPS.x64.msi ADDLOCAL=Management.UI /q'
}