In order to start managing the clients local Administrator password, you will need to deploy a Group Policy to these systems. This will allow you to establish your local password policy focusing on password complexity, length and age.
Group Policy Object Example Setup
1. Create a new Group Policy object and provide appropriate nomenclature
2. Link it to the target parent Organizational Unit(s)
3. Change the Security Filtering by removing Authenticated Users and replacing with Domain Computers
4. Right click on the GPO name under the Group Policy Objects
5. Select GPO Status
6. Select User Configuration Settings Disabled
7. Under Settings tab for the Group Policy object
8. Right click and select Edit…
9. Select Computer Configuration
10. Select Policies
11. Select Administrative Templates
12. Select LAPS
LAPS Policy Settings
When you configure your GPO for LAPS, these are the settings that will require your attention.
Establish password complexity, length, and age for the policy. This should be enabled and the settings match your Information Security guidelines for passwords.
Setting Default Value
Password Complexity Large letters + small letters + numbers + specials
Password Length 14
Password Age (Days) 30
Name of administrator account to manage
This setting is only used when a custom local administrator account is being used. This should be disabled unless a non-standard local administrator account is being used.
Do not allow password expiration time longer than required by policy
When you enable this setting, planned password expiration longer than password age dictated by “Password Settings” policy is not allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. This policy should be enabled to ensure the password age defined in the Password Settings policy.
Enable local admin password management
Enables management of password for local administrator account. This must be enabled for LAPS to manage the local administrator password. To prevent LAPS from managing the local administrator password, set this to disabled.