despliegue_de_laps
Differences
| Both sides previous revisionPrevious revision | |||
| despliegue_de_laps [2025/11/26 16:34] – [Despliegue de LAPS] oso | despliegue_de_laps [2025/11/26 16:37] (current) – oso | ||
|---|---|---|---|
| Line 106: | Line 106: | ||
| * **Set-AdmPwdReadPasswordPermission** – delega lectura. | * **Set-AdmPwdReadPasswordPermission** – delega lectura. | ||
| * **Set-AdmPwdResetPasswordPermission** – delega reseteo. | * **Set-AdmPwdResetPasswordPermission** – delega reseteo. | ||
| + | |||
| + | |||
| + | |||
| + | ====== Windows LAPS Deployment Steps (current) ====== | ||
| + | |||
| + | ===== 1. Update Domain Controllers ===== | ||
| + | * Ensure all DCs are patched to at least the April 11, 2023 update (Windows Server 2019/2022 or newer). | ||
| + | * Run Windows Update on *all* DCs before schema extension. | ||
| + | |||
| + | ===== 2. Extend Active Directory Schema ===== | ||
| + | * Open PowerShell as Administrator on a supported DC. | ||
| + | * Import the LAPS module: | ||
| + | < | ||
| + | ipmo LAPS | ||
| + | </ | ||
| + | * Verify module: | ||
| + | < | ||
| + | gcm -Module LAPS | ||
| + | </ | ||
| + | * Extend schema: | ||
| + | < | ||
| + | Update-LapsADSchema | ||
| + | </ | ||
| + | |||
| + | ===== 3. Verify LAPS Attributes ===== | ||
| + | * Run again with verbose: | ||
| + | < | ||
| + | Update-LapsADSchema -Verbose | ||
| + | </ | ||
| + | * Confirm attributes like **msLAPS-Password**, | ||
| + | |||
| + | ===== 4. Set Computer Self-Permission ===== | ||
| + | * Grant managed devices permission to update their own password: | ||
| + | < | ||
| + | Set-LapsADComputerSelfPermission -Identity " | ||
| + | </ | ||
| + | |||
| + | ===== 5. Configure Group Policy ===== | ||
| + | * Create a new GPO (e.g., **C_LAPS**). | ||
| + | * Navigate: **Computer Configuration → Policies → Administrative Templates → System → LAPS**. | ||
| + | * Enable and configure: | ||
| + | - **Configure password backup directory** → Active Directory or Entra ID | ||
| + | - **Password Settings** → complexity, length, expiration | ||
| + | - **Name of administrator account to manage** → leave *Not Configured* to manage built-in .\Administrator, | ||
| + | - **Configure authorized password decryptors** → define who can read/reset passwords | ||
| + | |||
| + | ===== 6. Create/ | ||
| + | * If using a custom account (e.g., lapsadmin), deploy it via GPO or script. | ||
| + | * Disable other local admin accounts for security. | ||
| + | |||
| + | ===== 7. Retrieve Passwords ===== | ||
| + | * **GUI**: ADUC → Computer object → *LAPS tab* → Show Password | ||
| + | * **PowerShell**: | ||
| + | < | ||
| + | Get-LapsADPassword -Identity " | ||
| + | </ | ||
| + | |||
| + | ===== 8. Test & Reset ===== | ||
| + | * Sign in with the managed account and password. | ||
| + | * Reset manually if needed: | ||
| + | < | ||
| + | Reset-LapsPassword | ||
| + | </ | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== Key Notes ==== | ||
| + | * No MSI client install required — Windows LAPS is built into supported OS versions. | ||
| + | * Legacy LAPS UI does **not** work with Windows LAPS; use ADUC or PowerShell. | ||
| + | * Best practice: start with .\Administrator, | ||
| + | |||
| + | https:// | ||
| + | |||
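Review bot: the two command lines in steps 4 and 7 are cut off right after the opening quote (`Set-LapsADComputerSelfPermission -Identity "` and `Get-LapsADPassword -Identity "`), so the reader cannot tell what each one expects: the first takes the distinguished name of the OU that holds the managed computers, the second the computer name, and `Get-LapsADPassword` returns the password as a SecureString unless `-AsPlainText` is added, so that switch belongs in the example if the intent is to show the password. Step 2 says "Open PowerShell as Administrator", but `Update-LapsADSchema` requires an account that is a member of Schema Admins (local elevation alone is not enough), and that prerequisite should be stated before the schema step. In step 5, "Configure authorized password decryptors" only takes effect when "Enable password encryption" is also turned on, which needs a Windows Server 2016 domain functional level; without encryption, who can read the password is decided by the AD ACLs on the computer objects, so the step should say which of the two models is being deployed. Step 8's `Reset-LapsPassword` runs on the managed client, not on the DC, and `Invoke-LapsPolicyProcessing` is the usual way to force the new GPO to apply on the client before testing, so each step should name the machine it is run on.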
despliegue_de_laps.1764174883.txt.gz · Last modified: 2025/11/26 16:34 by oso
