<#
.SYNOPSIS
Deploys Microsoft Local Administrator Password Solution (LAPS) to the domain's member servers.
.DESCRIPTION
Run interactively from a management machine. The account running the script must be a member of
Schema Admins and Enterprise Admins (required by Update-AdmPwdADSchema) and must be able to create
groups and GPOs and modify the ACLs of the delegated OUs; Get-Credential prompts separately for the
credential used to reach the member servers. The script performs, in order:
1 - Downloads the LAPS x64 installer and installs the management tools on this machine
2 - Creates the required management groups (LAPS Readers, LAPS Resetters)
3 - Updates the AD schema to include the LAPS extensions
4 - Creates a placeholder LAPS GPO linked to the Servers OU (its settings must still be configured manually)
5 - Configures the OUs where Readers and Resetters are granted permissions and where computers get self-write delegation
6 - Installs LAPS on the member servers, forces a Group Policy refresh and expires the current passwords
7 - Installs the LAPS UI on the administration clients/servers
The script is not idempotent and contains environment-specific placeholders (OU distinguished names under
DC=domain,DC=local, the Get-Credential user name, the UI server name) that must be edited before use.
Verify the downloaded installer's Authenticode signature before it is installed with admin rights and
pushed to every server.
.EXAMPLE
Edit the OU paths and server names in the script, then run it from the management machine;
it prompts for the member-server credential and installs everything in one pass.
.NOTES
Members of 'LAPS Readers' can read the cleartext local Administrator password of every computer in the
delegated OUs; treat membership of that group as equivalent to local admin on those hosts and keep it minimal.
#>
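#download LAPS install file x64
# Download URL and local path of the installer. The path is kept in a variable and quoted
# when handed to msiexec, because a user profile containing spaces would otherwise split
# the /i argument.
$LapsMsiUri = 'https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS.x64.msi'
$LapsMsi = Join-Path -Path $env:UserProfile -ChildPath 'Downloads\LAPS.x64.msi'
Invoke-WebRequest -UseBasicParsing -Uri $LapsMsiUri -OutFile $LapsMsi -ErrorAction Stop
# Supply-chain check: this package is executed with admin rights here and later pushed to
# every member server, so refuse anything that is not a valid Microsoft-signed Authenticode file.
$LapsMsiSignature = Get-AuthenticodeSignature -FilePath $LapsMsi
if ($LapsMsiSignature.Status -ne 'Valid' -or
    $LapsMsiSignature.SignerCertificate.Subject -notlike '*CN=Microsoft Corporation*')
{
    throw "LAPS installer at '$LapsMsi' failed Authenticode verification (status: $($LapsMsiSignature.Status)); aborting."
}
#install PowerShell management tools, Management UI and copy ADMX template to policy store on management machine
# -PassThru exposes the msiexec exit code; the original ignored it and continued on a failed install.
# 3010 = success, reboot required.
$LapsInstall = Start-Process -Wait -PassThru -FilePath msiexec.exe -ArgumentList "/i `"$LapsMsi`" ADDLOCAL=Management.PS,Management.ADMX,Management.UI /q"
if ($LapsInstall.ExitCode -notin @(0, 3010))
{
    throw "msiexec returned exit code $($LapsInstall.ExitCode) while installing the LAPS management tools."
}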
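#Create LAPS groups
#OU path where Groups will be created
$LapsGroupsOUPath = 'OU=Groups,DC=domain,DC=local'
# Both groups get the same initial membership. 'Local Admins' is presumably an existing
# domain group (the original added it unconditionally) — confirm it exists before running.
# Members of 'LAPS Readers' can read cleartext local Administrator passwords, so keep this
# list minimal and audited.
$LapsInitialMembers = 'Local Admins', 'Domain Admins'
#create groups (skip creation when a group of that name already exists so the script can be re-run)
foreach ($LapsGroupName in 'LAPS Readers', 'LAPS Resetters')
{
    if (-not (Get-ADGroup -Filter "Name -eq '$LapsGroupName'"))
    {
        New-ADGroup -Name $LapsGroupName -GroupScope Global -Path $LapsGroupsOUPath -ErrorAction Stop
    }
    # Add-ADGroupMember errors on a principal that is already a member, so add only the missing ones.
    $CurrentMembers = @(Get-ADGroupMember -Identity $LapsGroupName | Select-Object -ExpandProperty Name)
    $MissingMembers = @($LapsInitialMembers | Where-Object -FilterScript { $_ -notin $CurrentMembers })
    if ($MissingMembers.Count -gt 0)
    {
        Add-ADGroupMember -Identity $LapsGroupName -Members $MissingMembers -ErrorAction Stop
    }
}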
#create empty GPO
#OU the placeholder GPO is linked to
$GPOOUPath = 'OU=Servers,DC=domain,DC=local'
# Create the placeholder GPO, then link it to the target OU (the link object is emitted to the pipeline).
$LapsGpo = New-Gpo -Name 'LAPS'
$LapsGpo | New-GPLink -Target $GPOOUPath
# > The LAPS Group Policy settings must still be configured manually in this GPO; it is linked empty.
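#extend AD schema (Schema Admins and Enterprise Admins membership needed)
# The AdmPwd.PS module is installed by the Management.PS feature of the msiexec run above;
# import it explicitly so a missing install fails here with a clear error.
Import-Module -Name AdmPwd.PS -ErrorAction Stop
Update-AdmPwdADSchema
#Set delegation model
#OU path where Readers and resetters will be granted permissions and Computers will have self delegation
$OUPath = 'OU=ERP,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=RDS,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=SQL,OU=Dedicated,OU=Servers,DC=domain,DC=local',
'OU=ERP,OU=Shared,OU=Servers,DC=domain,DC=local',
'OU=RDS,OU=Shared,OU=Servers,DC=domain,DC=local',
'OU=SQL,OU=Shared,OU=Servers,DC=domain,DC=local'
foreach ($TargetOU in $OUPath)
{
    #Add machine rights to report passwords to AD
    Set-AdmPwdComputerSelfPermission -Identity $TargetOU
    #User perms to read and reset passwords
    Set-AdmPwdReadPasswordPermission -Identity $TargetOU -AllowedPrincipals 'LAPS Readers'
    Set-AdmPwdResetPasswordPermission -Identity $TargetOU -AllowedPrincipals 'LAPS Resetters'
    # Any principal holding "All extended rights" on the OU can read the password attribute
    # regardless of the delegation above. List them so unintended readers can be removed.
    Find-AdmPwdExtendedRights -Identity $TargetOU
}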
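# Credential used for all remoting to member servers; prompted, never stored in the script.
# 'domain\rissys1' is an environment-specific placeholder.
$MemberServerAdmin = Get-Credential -UserName domain\rissys1 -Message 'Enter credentials to access member servers'
# Enabled Windows Server computer objects under OU=Servers, excluding domain controllers.
# The parameter is -SearchBase; the original '-Searchlocal' is not a Get-ADComputer parameter
# and fails at runtime. @() keeps .Count valid when zero or one server is returned.
$MemberServers = @(
    Get-ADComputer -SearchBase 'OU=Servers,DC=domain,DC=local' -Filter {
        OperatingSystem -Like 'Windows*Server*' -and Enabled -eq $true
    } |
        Where-Object -FilterScript {
            $_.DistinguishedName -notlike '*OU=Domain Controllers*'
        } |
        Select-Object -ExpandProperty Name
)
if ($MemberServers.Count -eq 0)
{
    throw 'No member servers found under OU=Servers,DC=domain,DC=local; nothing to install.'
}
# Open the sessions with the credential collected above (the original opened them as the
# interactive user and only used the credential later, inconsistently). Unreachable hosts
# produce non-terminating errors and are simply absent from the session list.
$MemberServersSessions = New-PSSession -ComputerName $MemberServers -Credential $MemberServerAdmin
foreach ($session in $MemberServersSessions)
{
    Copy-Item -Path $env:UserProfile\Downloads\LAPS.x64.msi -ToSession $session -Destination 'C:\Windows\Temp' -Force
}
# Install the msi's default feature (the LAPS client-side extension) silently and report
# msiexec failures per server instead of ignoring the exit code. 3010 = success, reboot required.
Invoke-Command -Session $MemberServersSessions -ScriptBlock {
    $Install = Start-Process -Wait -PassThru -FilePath msiexec.exe -ArgumentList '/i C:\Windows\Temp\LAPS.x64.msi /q'
    if ($Install.ExitCode -notin @(0, 3010))
    {
        Write-Error -Message "LAPS install on $env:COMPUTERNAME failed with msiexec exit code $($Install.ExitCode)"
    }
}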
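#Forces gpupdate on member servers
# $MemberServersSessions holds PSSession objects, so they go to -Session; the original passed
# them to -ComputerName together with -Credential, which does not accept session objects.
# 'N' answers gpupdate's logoff/reboot prompt.
Invoke-Command -Session $MemberServersSessions -ScriptBlock {
    Write-Output -InputObject N | gpupdate.exe /force
}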
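#Check for possible errors member servers
# Use the existing sessions (the original passed session objects to -ComputerName) and filter
# by provider on the remote side rather than pulling every Application event over the wire.
# Get-WinEvent raises a non-terminating error when nothing matches, which is the expected
# "no LAPS activity yet" case, hence SilentlyContinue.
Invoke-Command -Session $MemberServersSessions -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -ErrorAction SilentlyContinue
} |
    Sort-Object -Property PSComputerName |
    Format-Table -Property PSComputerName, TimeCreated, Id, LevelDisplayName, Message -AutoSize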
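#Forces password change
# Reset-AdmPwdPassword takes a computer name, not a PSSession object (which is what the
# original passed); read the name from each session.
foreach ($Server in $MemberServersSessions)
{
    Reset-AdmPwdPassword -ComputerName $Server.ComputerName
}
# Reset-AdmPwdPassword only sets the password expiration time to "now"; the LAPS client
# generates and stores the new password during its next Group Policy refresh, so trigger
# one immediately instead of waiting for the scheduled refresh. 'N' answers gpupdate's
# logoff/reboot prompt.
Invoke-Command -Session $MemberServersSessions -ScriptBlock {
    Write-Output -InputObject N | gpupdate.exe /force
}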
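#Install LAPS UI
# Hosts that receive the LAPS management UI. NOTE(review): 'RDS001' looks like a shared
# Remote Desktop host; the UI displays cleartext passwords, so confirm a multi-user host
# is the intended administration endpoint.
$LAPSUIServers = 'RDS001'
$LAPSUIServersSessions = New-PSSession -ComputerName $LAPSUIServers -Credential $MemberServerAdmin
foreach ($session in $LAPSUIServersSessions)
{
    Copy-Item -Path $env:UserProfile\Downloads\LAPS.x64.msi -ToSession $session -Destination 'C:\Windows\Temp' -Force
}
# Install only the UI feature and surface msiexec failures per host. 3010 = success, reboot required.
Invoke-Command -Session $LAPSUIServersSessions -ScriptBlock {
    $Install = Start-Process -Wait -PassThru -FilePath msiexec.exe -ArgumentList '/i C:\Windows\Temp\LAPS.x64.msi ADDLOCAL=Management.UI /q'
    if ($Install.ExitCode -notin @(0, 3010))
    {
        Write-Error -Message "LAPS UI install on $env:COMPUTERNAME failed with msiexec exit code $($Install.ExitCode)"
    }
}
# Tear down the remoting sessions opened by this script instead of leaving them alive
# until the host process exits.
Remove-PSSession -Session $LAPSUIServersSessions
if ($MemberServersSessions)
{
    Remove-PSSession -Session $MemberServersSessions
}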