<\/a>Step 1: Share/Permissions required<\/h3>\n
Advertisement
You will need a share folder with read, write, modify and execute for the scripts to run under whatever particular user/group you choose.<\/p>\n
Advertisement
Ability to manage group policy.<\/p>\n
The person running these scripts will require local admin for each machine and domain read permissions for ms-Mcs-AdmPwd attribute.<\/p>\n
Delegatable with<\/p>\n
Set-admPwdReadPasswordPermission -allowedprincipals \"groupname\"\n<\/code><\/pre>\n<\/div>\n\n<\/a>Step 2: Group Policy Setup<\/h3>\n4 options are available to change within group policy. This should be done first.<\/p>\n
Computer > Policies > Administrative Templates > LAPs<\/p>\n
\n- Password settings (length and age)<\/li>\n
- Name of administrator if you aren’t using the default administrator for local admin<\/li>\n
- do not allow password expiration longer than required<\/li>\n
- Enable local admin password management<\/li>\n<\/ul>\n
Enable all and configure all to your needs within the expected OUs. Allow time for this to propagate.<\/p>\n<\/div>\n
\n<\/a>Step 3: Powershell Getting the useful information<\/h3>\nIn this part we will grab all of the computers of the chosen OU for the ability to roll out in smaller chunks. Verify if they have already had LAPs enabled and verify if they are currently online. Output to a text file readable by CMD all computers that are currently online and do not have LAPs updated in the computer attribute.<\/p>\n
Also, it gives some feedback so you don’t feel like you’re sitting around and hoping it’s working.<\/p>\n<\/div>\n
\n<\/a>Step 4: Powershell Code Generified<\/h3>\n$OutputFile = \"\\\\your\\file\\location\\machine.txt\"\n$list = (Get-ADComputer -Filter * -SearchBase “OU=workplace,DC=contoso,DC=org”)\n$NeedLaps = @()\n$FinalOutput = @()\n\nforeach($name in $list){\n\n if((Get-AdmPwdPassword -ComputerName $name).password -eq $null){\n\n $NeedLaps += $name.Name\n\n }\n \n \n}\necho \"Testing Connectivity\"\nforeach($computer in $NeedLaps){\n \n if((Test-Connection $computer -Count 1 -Quiet) -eq $true){\n $computer\n $FinalOutput += $computer\n\n }\n\n}\n\n\n$FinalOutput | Out-File -encoding ASCII $OutputFile \n<\/code><\/pre>\n<\/div>\n
Set-admPwdReadPasswordPermission -allowedprincipals \"groupname\"\n<\/code><\/pre>\n<\/div>\n\n<\/a>Step 2: Group Policy Setup<\/h3>\n4 options are available to change within group policy. This should be done first.<\/p>\n
Computer > Policies > Administrative Templates > LAPs<\/p>\n
\n- Password settings (length and age)<\/li>\n
- Name of administrator if you aren’t using the default administrator for local admin<\/li>\n
- do not allow password expiration longer than required<\/li>\n
- Enable local admin password management<\/li>\n<\/ul>\n
Enable all and configure all to your needs within the expected OUs. Allow time for this to propagate.<\/p>\n<\/div>\n
\n<\/a>Step 3: Powershell Getting the useful information<\/h3>\nIn this part we will grab all of the computers of the chosen OU for the ability to roll out in smaller chunks. Verify if they have already had LAPs enabled and verify if they are currently online. Output to a text file readable by CMD all computers that are currently online and do not have LAPs updated in the computer attribute.<\/p>\n
Also, it gives some feedback so you don’t feel like you’re sitting around and hoping it’s working.<\/p>\n<\/div>\n
\n<\/a>Step 4: Powershell Code Generified<\/h3>\n$OutputFile = \"\\\\your\\file\\location\\machine.txt\"\n$list = (Get-ADComputer -Filter * -SearchBase “OU=workplace,DC=contoso,DC=org”)\n$NeedLaps = @()\n$FinalOutput = @()\n\nforeach($name in $list){\n\n if((Get-AdmPwdPassword -ComputerName $name).password -eq $null){\n\n $NeedLaps += $name.Name\n\n }\n \n \n}\necho \"Testing Connectivity\"\nforeach($computer in $NeedLaps){\n \n if((Test-Connection $computer -Count 1 -Quiet) -eq $true){\n $computer\n $FinalOutput += $computer\n\n }\n\n}\n\n\n$FinalOutput | Out-File -encoding ASCII $OutputFile \n<\/code><\/pre>\n<\/div>\n