laps installation on domain controller procedure

Prezidentj33 101 Reputation points
2021-05-19T22:29:01.717+00:00

Hello,

I had found an article on installing LAPS and went through installing it on a domain controller. I set up a test OU and put a few PCs in it, and only ran commands so that the one OU and the PCs in it were managed as a test. I did install the full LAPS on the DC (or all options, I should say). I then found an article that says don't install the GPO extension on the DC. I'm hoping this doesn't affect anything, as I did not direct the LAPS GPO to point to our Domain Controllers OU and do not plan on it. I believe if it's not set to that OU things should be fine and it should not affect the domain admin password on the server end?

Can someone correct me? And if I need to revert this, right now would be the time, as I only have it on a few test computers (and it is working).

Just want to make sure nothing with the domain admin password will break.
I am guessing the reason they say not to is that in case you do point it at the Domain Controllers OU, it will change the admin password for the domain? If someone can better explain this and help me, I would appreciate it.


4 answers

  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2021-05-20T00:58:04.67+00:00

    Hi,

    If we want to manage the local administrator account on the domain-joined workstations, we need to do the following operations on the workstations:

    Deploy the LAPS client-side extension software.
    Enable the "Enable local admin password management" setting.
    More importantly, it only works for the local admin account.
    So, I don't think it will change the domain admin's password even if you install the LAPS client-side extension part on the management computer.

    But the LAPS client-side extension part is not necessary for management.
    You can remove this part, even if it will not cause big problems.

    Best Regards,


  2. Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
    2021-05-20T02:30:32.977+00:00

    The password will be changed by LAPS only when the LAPS GPO is applied and the password policy is set there. If you just installed the LAPS client on the DC, nothing will happen yet.


  3. Prezidentj33 101 Reputation points
    2021-05-20T13:31:08.547+00:00

    @Pavel yannara Mirochnitchenko @Fan Fan Hello, and thank you both for posting some answers. We went ahead and removed the GPO Extension from the LAPS tool install on the DC. So now it just has the management UI and, of course, the PowerShell module and GPO template, etc.

    On top of this, when we initially set it up we created a test OU, put 2 test machines in it, and ran all the LAPS PowerShell commands against this particular OU, as the install instructions note. We also created a security group with permissions to read and reset the password in the LAPS password and expiration attributes in AD and assigned that to the OU as well. We set up a Group Policy and applied it only to this OU, no other OUs or workstations/servers/DCs, etc. This was to test functionality. We turned on the 2 GP settings, which were managed local admin password and the length and expiration of the password in the policy.

    This being said, this should only be applied and working against this OU. Can we confirm that is the case based on what I explained? The passwords for our test machines were created and stored in AD, as expected.

    I appreciate the responses!


  4. Fan Fan 15,336 Reputation points Microsoft Vendor
    2021-05-21T06:32:10.103+00:00

    Hi,
    This should only be applied and working against this OU as you mentioned above.
    You can't manage the password outside of the specific OU.
    Fan
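
The thread agrees that a LAPS client-side extension sitting on a DC is inert until a GPO with "Enable local admin password management" reaches it, and that the scoping is done by OU. The reason the DC case matters is that a domain controller has no separate local SAM: the account a LAPS policy would rotate there is the domain's built-in Administrator. The script below is an added example, not part of this thread or of the LAPS product documentation; it performs the OU-scoped setup the third post describes and then checks the four things the poster asked to have confirmed: which OUs the GPO is linked to, whether the CSE is registered and the policy applied on the machine it runs on, which computer objects actually carry a LAPS expiration stamp, and who holds the extended rights to read passwords. The domain DN, OU name, group name and GPO display name are placeholders.

```powershell
# Added example, not from the original thread. Scope a legacy LAPS (AdmPwd)
# deployment to one test OU and verify nothing reaches the Domain Controllers OU.
# The DN, OU, group and GPO names below are assumed placeholders.
Import-Module AdmPwd.PS          # installed with the LAPS management tools (PowerShell module option)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=corp,DC=example'                   # assumed
$TestOU   = "OU=LAPS Test,$DomainDN"                # assumed test OU
$DcOU     = "OU=Domain Controllers,$DomainDN"       # default container for DCs
$Readers  = 'LAPS-Password-Readers'                 # assumed security group
$GpoName  = 'LAPS - Test OU'                        # assumed GPO display name

# --- Setup, scoped to the test OU only (Update-AdmPwdADSchema needs Schema Admins) ---
Update-AdmPwdADSchema                                           # adds ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime
Set-AdmPwdComputerSelfPermission  -OrgUnit $TestOU              # computers in the OU may write their own password
Set-AdmPwdReadPasswordPermission  -OrgUnit $TestOU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $TestOU -AllowedPrincipals $Readers

# --- Verification ---
# 1. Where is the LAPS GPO linked? Expected: on the test OU, and neither linked
#    nor inherited on the Domain Controllers OU.
function Get-LapsGpoLinks {
    param([string]$TargetDN)
    $inh = Get-GPInheritance -Target $TargetDN
    @($inh.GpoLinks) + @($inh.InheritedGpoLinks) |
        Where-Object { $_.DisplayName -eq $GpoName } |
        Select-Object @{n='Target';e={$TargetDN}}, DisplayName, Enabled, Enforced
}
Get-LapsGpoLinks $TestOU
$dcLinks = Get-LapsGpoLinks $DcOU
if ($dcLinks) { Write-Warning "LAPS GPO reaches Domain Controllers:`n$($dcLinks | Out-String)" }

# 2. Is the client-side extension registered on this machine? (Run on the DC.)
#    A registered CSE with no applied policy does nothing; this only shows what is installed.
$cse = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' |
       ForEach-Object { Get-ItemProperty $_.PSPath } |
       Where-Object { $_.DllName -like '*AdmPwd*' }
"AdmPwd CSE registered on $env:COMPUTERNAME : $([bool]$cse)"

# 3. Is the policy applied here? The CSE reads this key; if it is absent, the
#    machine is not managed regardless of whether the CSE is installed.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
"AdmPwdEnabled on $env:COMPUTERNAME : $($pol.AdmPwdEnabled)"

# 4. Which computer objects carry a LAPS expiration stamp? Only test-OU members should.
#    ms-Mcs-AdmPwdExpirationTime is readable by default; ms-Mcs-AdmPwd is not.
function Get-LapsManagedComputers {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
        Select-Object Name, DistinguishedName,
            @{n='Expires';e={[DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')}}
}
Get-LapsManagedComputers $TestOU
$dcManaged = Get-LapsManagedComputers $DcOU
if ($dcManaged) { Write-Warning "A domain controller has a LAPS-managed password: $($dcManaged.Name -join ', ')" }

# 5. Who can read LAPS passwords under the test OU? Every principal listed here
#    can read every managed local admin password in that subtree; review it.
Find-AdmPwdExtendedRights -Identity $TestOU | Select-Object -ExpandProperty ExtendedRightHolders
```

Steps 2 and 3 are per-machine checks and report on whatever host runs them, so run the script once on the DC and once on a test workstation to compare: on the DC you would expect the CSE to be absent (after the uninstall described in the third post) and `AdmPwdEnabled` to be empty, while the test workstation shows both. Step 5 is the check worth repeating after any OU delegation change, since an overly broad entry there lets that principal read every managed password under the OU.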
