TechIDManager LAPS Installation Instructions


Let’s cut straight to the meat: TechIDManager can replace Microsoft LAPS with a solution that works at MSP scale for all Windows computers (domain joined, non-domain joined, and Azure AD joined). Microsoft’s LAPS is limited to domain-joined machines (and, more recently, Azure AD). TechIDManager LAPS works on all Windows machines: domain, non-domain, workgroup, and Azure AD joined. TechIDManager LAPS can even manage domain accounts when the agent is installed on a Domain Controller.

TechIDManager’s agent, DomainService, has always provided PAM for unique account management, and now also provides LAPS-style password rotation and access management for a shared account. We do this with the same ZERO-visibility storage that all TechIDManager credentials are stored with. Install the agent, and it will rotate the “Administrator” password every 24 hours and let you choose the set of techs that have access to that password.

“How do I set it up?” you ask….here are the steps. There is also a PowerShell script available on the download page, and we are always willing to help with a White Glove Install; just book installation assistance.

  1. Download the latest DomainService (version 3.156 or newer).
  2. Copy the zip file to the computer that will use TechIDManager’s LAPS.
    1. In this example the machine name is Desktop-GTBAL2.
  3. Extract the zip file to a folder.
    1. We recommend “c:\Program Files\Ruffian Software\DomainService”.
  4. Run these command lines from an administrator command prompt on Desktop-GTBAL2 (keep reading below for details on why the command lines look like this).
    cd "c:\Program Files\Ruffian Software\DomainService"
    DomainService.exe installLAPS
    DomainService.exe shareduser Administrator clientguid xxx
    DomainService.exe start
  5. In the Management Console, make sure there is a Triplet that grants the desired techs the “ReadSharedUser” right of type “LAPS LocalMachine” for the TechIDManager LAPS agent, which in our example will be named “Desktop-GTBAL2\Administrator”.
  6. Repeat these steps on any other machines you want to manage.
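The steps above, scripted end to end, as an added example. This is not the PowerShell script from the download page and not Ruffian Software’s code; it only wraps the command lines shown on this page. Assumptions: the zip has already been downloaded to the path in $ZipPath, DomainService.exe returns a non-zero exit code on failure, the service is registered under the name RuffianDomainService (the name this page gives for net start), and the ClientGuid is a placeholder you replace with your own. The optional FriendlyName and RMMName parameters use the per-instance syntax explained further down the page.

```powershell
<#
  Install-TechIDLaps.ps1 (hypothetical name) - installs the TechIDManager
  DomainService agent in LAPS mode on the local machine, following the six
  steps above. Added example, not Ruffian Software's own install script.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$ClientGuid,                                   # your TechIDManager ClientGuid (placeholder, replace it)
    [string]$ZipPath    = "$env:USERPROFILE\Downloads\DomainService.zip",   # assumed download location
    [string]$InstallDir = 'C:\Program Files\Ruffian Software\DomainService', # recommended folder from step 3
    [string]$SharedUser = 'Administrator',                 # use the renamed account if the built-in admin was renamed
    [string]$FriendlyName,                                 # optional, per-instance option
    [string]$RmmName,                                      # optional, per-instance option
    [switch]$AlsoUniqueAccounts                            # use "install" instead of "installLAPS"
)

$ErrorActionPreference = 'Stop'

# Service installation needs an elevated shell; fail early instead of half-installing.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (administrator) PowerShell session.' }

# A typo in the account name would silently leave the machine without rotation,
# so confirm the local account exists before touching the service.
if (-not (Get-LocalUser -Name $SharedUser -ErrorAction SilentlyContinue)) {
    throw "Local account '$SharedUser' was not found on $env:COMPUTERNAME."
}

# Step 3: extract the zip into the install folder.
if (-not (Test-Path $ZipPath)) { throw "Zip file not found: $ZipPath" }
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath $InstallDir -Force

$exe = Join-Path $InstallDir 'DomainService.exe'
if (-not (Test-Path $exe)) { throw "DomainService.exe not found in $InstallDir after extraction." }

# Helper: run the agent with the given arguments and stop on a non-zero exit code
# (assumption: the executable signals failure through its exit code).
function Invoke-DomainService {
    param([string[]]$Arguments)
    Write-Verbose ('DomainService.exe ' + ($Arguments -join ' '))
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "DomainService.exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

# Step 4: register the service. "installLAPS" runs only the LAPS part;
# "install" is needed when unique accounts are wanted on the same machine.
$installVerb = if ($AlsoUniqueAccounts) { 'install' } else { 'installLAPS' }
Invoke-DomainService @($installVerb)

# Tell the shareduser instance which account to rotate and which tenant it belongs to.
Invoke-DomainService @('shareduser', $SharedUser, 'clientguid', $ClientGuid)

# Optional per-instance metadata; note the same "shareduser <name>" prefix on each line.
if ($FriendlyName) { Invoke-DomainService @('shareduser', $SharedUser, 'friendlyname', $FriendlyName) }
if ($RmmName)      { Invoke-DomainService @('shareduser', $SharedUser, 'rmmname', $RmmName) }

# Start the service (equivalent to "net start RuffianDomainService") and verify its state.
Invoke-DomainService @('start')
$svc = Get-Service -Name 'RuffianDomainService'
if ($svc.Status -ne 'Running') {
    throw "RuffianDomainService is installed but its state is '$($svc.Status)'."
}

Write-Host "TechIDManager LAPS agent is running for $env:COMPUTERNAME\$SharedUser."
Write-Host 'Step 5 still applies: grant the techs the ReadSharedUser right (type "LAPS LocalMachine") for this agent in the Management Console.'
```

Run it from an elevated PowerShell window, for example `.\Install-TechIDLaps.ps1 -ClientGuid '<your ClientGuid>' -FriendlyName "Jenny's dev machine" -Verbose`. The script does not print or store the rotated password anywhere; the only place it should ever be read from is the Management Console by a tech covered by the Triplet from step 5.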


“Why does this work?” you ask….alright, now that you know the basics of the installation, let’s talk about why and how this works and what other options you have when installing DomainService.

Let’s start with the command lines that set everything up.

DomainService.exe installLAPS
DomainService.exe shareduser Administrator clientguid xxx
DomainService.exe start

DomainService.exe – The executable to run.

installLAPS – this argument tells DomainService to install itself as a service, set all the recovery options for the service, and run ONLY the LAPS part of what DomainService can do. If you are using LAPS to control a local account on a machine AND creating unique accounts, then you should use the command line “install” (and not “installLAPS”).

shareduser Administrator – this argument tells DomainService to control the account named “Administrator”, and all the remaining options on this command line apply to that instance of DomainService. If you have renamed the built-in Administrator account to something else, such as MSPAdmin, then replace “Administrator” with the correct name, e.g. shareduser MSPAdmin

clientguid xxx – this part of the command line tells DomainService which ClientGuid to use; replace xxx with your TechIDManager ClientGuid. This can be set per instance or for all instances of DomainService running on this machine.

start – this part of the command line tells DomainService to start the RuffianDomainService service. This is the same as running “net start RuffianDomainService”.

There are many other options that can be set for each instance of DomainService.

To set the FriendlyName or RMMName use these command lines:

DomainService.exe shareduser Administrator friendlyname "Jenny's dev machine"
DomainService.exe shareduser Administrator rmmname "867-5309"

With the command lines above, note how we first tell DomainService that the options apply to the shareduser Administrator instance, and then use the normal syntax for FriendlyName or RMMName. Any option that can be set can be set per instance.