How to: Migrate Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS) is a Microsoft tool designed to improve security by automatically managing unique passwords for local administrator accounts on domain-joined computers. When migrating LAPS from one server to another, it is essential to ensure a seamless transfer of password management without compromising security. This comprehensive guide will walk you through the steps of migrating LAPS to a new server, allowing you to maintain strong local administrator account security across your domain-joined computers.

Step 1: Prepare the Destination Server

Before starting the migration, ensure that the destination server is ready to assume the LAPS management role:

1. Log in to the destination server using administrative credentials.
2. Ensure that the destination server meets the system requirements for LAPS.
3. Download and install the LAPS installer package on the destination server from the Microsoft Download Center.
4. Verify that the destination server is a member of the same Active Directory domain as the source server.

Step 2: Export LAPS Configuration from the Source Server

On the source server, use the LAPS UI or PowerShell cmdlets to export the LAPS configuration:

1. Open the LAPS UI on the source server or use the “Get-AdmPwdADSchemaAttribute” PowerShell cmdlet.
2. Export the LAPS settings, including the extended Active Directory schema attributes, to a backup file or a script.
3. Save the backup file in a secure location accessible from the destination server.

Step 3: Transfer the Backup File to the Destination Server

Copy the LAPS backup file containing the exported settings from the source server to the destination server:

1. Use a secure method to transfer the backup file to the destination server. You can use file sharing, USB drives, or any other preferred method.
2. Place the file in a location accessible to the destination server and ensure it remains protected from unauthorized access.

Step 4: Import LAPS Configuration to the Destination Server

On the destination server, use the LAPS UI or PowerShell cmdlets to import the LAPS configuration from the backup file:

1. Open the LAPS UI on the destination server or use the “Update-AdmPwdADSchema” PowerShell cmdlet.
2. Import the LAPS settings, including the extended Active Directory schema attributes, from the backup file or script.
3. Verify that the LAPS configuration on the destination server matches the settings on the source server.

Step 5: Test LAPS Functionality on the Destination Server

After completing the migration, it’s crucial to test LAPS functionality on the destination server:

1. Verify that the local administrator password rotation and management are functioning correctly on domain-joined computers.
2. Monitor the LAPS logs for any errors or warnings related to password updates.
3. Test password retrieval for local administrator accounts to confirm proper access.

Step 6: Update Group Policy and Deploy LAPS Client

Update Group Policy settings to ensure domain-joined computers are using the new LAPS settings from the destination server:

1. Open the Group Policy Management Console (GPMC) on a management computer.
2. Modify the LAPS Group Policy settings to target the new destination server for password retrieval and updates.
3. Ensure that the LAPS client software is deployed and functioning correctly on domain-joined computers.

Conclusion:

Migrating Local Administrator Password Solution (LAPS) from one server to another is a critical process to maintain robust local administrator account security across domain-joined computers. By following this comprehensive guide, you have successfully exported LAPS configurations from the source server, transferred them to the destination server, and updated Group Policy settings for password management. Verifying LAPS functionality on the destination server ensures that local administrator account passwords are securely managed and rotated as intended. With proper execution, the migration process allows for a seamless transfer of LAPS management, contributing to enhanced security and risk mitigation in your network environment.