Configuration Keys
In order for macOSLAPS to function in your environment, you will need to configure some keys to ensure the password for your local administrator is changed accordingly. In an Active Directory environment you only need to configure the LocalAdminAccount key, and the FirstPass key if your administrator has a secureToken. For the Local method you would need to configure the keys above as well as the Method key.
In the table below you can see a list of configurable keys and what they do.
Key | Type | Description | Default Value | Other Value(s) |
---|---|---|---|---|
LocalAdminAccount | String | The shortname of the administrator account you would like to manage | admin | lapsadmin |
DaysTillExpiration | Integer | The number of days to wait until the password is considered expired | 60 | 30 |
PasswordLength | Integer | How many characters the randomly generated password should be | 12 | 30 |
PasswordGrouping | Integer | How many characters you want in each group before the separator | 0 | 8 |
PasswordSeparator | String | What password separator you would like to use. | - | , [ |
RemoveKeyChain | Boolean | Remove the local admin keychains after password change | True | False |
RemovePassChars | String | Exclude any characters you'd like from the randomly generated password | ' | 1lLO0 |
ExclusionSets | Array | Exclude any character set you'd like by specifying a string in an array. | <array><string>symbols</string></array> | |
PreferredDC | String | Set your preferred Domain Controller to connect to (Useful when you have RODCs) | servername.yourdomain.com | |
FirstPass | String | The password of your administrator currently before macOSLAPS begins. (Useful when your administrator has a secureToken) | | |
Method | String | Which method to use when executing macOSLAPS. | AD | Local |
PasswordRequirements | Dictionary | A dictionary that allows you to specify the password requirements. There are 4 keys: Lowercase, Uppercase, Number and Symbol. For each you specify an integer for the amount of each that you would like in your password. | <key>PasswordRequirements</key><dict><key>Lowercase</key><integer>1</integer><key>Uppercase</key><integer>1</integer><key>Number</key><integer>1</integer><key>Symbol</key><integer>1</integer></dict> | |
These keys can be configured with a configuration profile, which I would strongly recommend as the preferred method, or as a PLIST. macOSLAPS will look in the following places for preferences configured on the system before resorting to default values:
- /Library/Managed Preferences/edu.psu.macoslaps.plist (MDM)
- /Library/Preferences/edu.psu.macoslaps.plist (Locally Configured)
If you are just testing without an MDM, the local PLIST can be configured by using the defaults command to write the values you would like to the PLIST. Here is an example of changing the administrator to LAPSAdmin:
sudo /usr/bin/defaults write /Library/Preferences/edu.psu.macoslaps LocalAdminAccount LAPSAdmin
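The following is an added example, not part of macOSLAPS or the original page: a Python check that a preference plist is well-formed XML, uses only keys from the table with the listed types, and has consistent PasswordRequirements. The function name `check_prefs`, the exact-match test on Method, and the rule that the minimum counts must fit within PasswordLength are assumptions made for this example.

```python
import plistlib
from xml.parsers.expat import ExpatError
# Key -> expected type, copied from the key table on this page.
KEY_TYPES = {
    "LocalAdminAccount": str, "DaysTillExpiration": int, "PasswordLength": int,
    "PasswordGrouping": int, "PasswordSeparator": str, "RemoveKeyChain": bool,
    "RemovePassChars": str, "ExclusionSets": list, "PreferredDC": str,
    "FirstPass": str, "Method": str, "PasswordRequirements": dict,
}
REQ_KEYS = {"Lowercase", "Uppercase", "Number", "Symbol"}

def check_prefs(plist_bytes):
    """Return a list of problems found in a macOSLAPS preference plist."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError) as err:
        return [f"not a well-formed plist: {err}"]
    problems = []
    for key, value in prefs.items():
        expected = KEY_TYPES.get(key)
        # bool is a subclass of int in Python, so reject it for Integer keys.
        if expected is None:
            problems.append(f"{key}: not a key from the table")
        elif not isinstance(value, expected) or (expected, type(value)) == (int, bool):
            problems.append(f"{key}: expected {expected.__name__}")
    if prefs.get("Method", "AD") not in ("AD", "Local"):  # assumption: exact match
        problems.append("Method: must be AD or Local")
    reqs = prefs.get("PasswordRequirements")
    if isinstance(reqs, dict):
        for name in sorted(set(reqs) - REQ_KEYS):
            problems.append(f"PasswordRequirements.{name}: unknown key")
        # Assumption (sanity check): the minimum counts must fit in the length.
        length = prefs.get("PasswordLength", 12)
        total = sum(v for v in reqs.values() if isinstance(v, int))
        if isinstance(length, int) and total > length:
            problems.append("PasswordRequirements: minimums exceed PasswordLength")
    return problems

# Constructed sample: wrong type, unlisted Method value, misspelled sub-key.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LocalAdminAccount</key><string>lapsadmin</string>
  <key>Method</key><string>ActiveDirectory</string>
  <key>PasswordLength</key><string>30</string>
  <key>PasswordRequirements</key><dict><key>Numbers</key><integer>1</integer></dict>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(check_prefs(SAMPLE)))
```

Running a check like this against the local PLIST before deploying catches a mistyped key or a malformed XML fragment, which would otherwise leave a setting unapplied without any obvious error.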