Local administrator accounts on Windows endpoints are a necessary evil—but they pose a huge security risk if managed improperly. If the same password is reused across machines, a single compromised system can open the door to lateral movement and privilege escalation.
Enter LAPS—Microsoft’s Local Administrator Password Solution. It provides a secure, automated way to manage and randomize local admin passwords across your domain-joined machines, storing each unique password securely in Active Directory.
In this article, you’ll learn what LAPS is, why it’s essential in modern Windows environments, and how to deploy it correctly using Group Policy and AD schema extensions.
What is LAPS?
LAPS is a free security feature from Microsoft that:
- Randomizes local administrator passwords per machine.
- Rotates them regularly based on policy.
- Stores each password in Active Directory.
- Grants read access to only authorized users or groups.
The result? Even if one machine is compromised, the attacker can’t reuse that password elsewhere—and you can still access the system without relying on shared credentials.
Why Use LAPS?
| Benefit | Description |
|---|---|
| Improved Security | No more reused passwords across endpoints |
| Auditable Access | Passwords stored in AD with clear access control |
| Automated Rotation | Prevents stale credentials and improves hygiene |
| No Agent Required | Uses Group Policy and built-in tools |
| Integrates with Helpdesk | Password retrieval can be scripted or queried securely |
LAPS Requirements
- Active Directory environment
- Windows 10/11 and Server 2016+
- Admin rights to modify Group Policy
- AD schema extension privileges (if setting up for the first time)
Note: LAPS is now built into Windows (as of April 2023+), but you can still use the legacy LAPS (via MSI installer) if needed.
Step-by-Step: How to Set Up LAPS
Step 1: Extend Active Directory Schema (Legacy LAPS)
Run this once per forest:
```powershell
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
```
This adds two attributes to the computer object in AD:
- ms-Mcs-AdmPwd stores the password.
- ms-Mcs-AdmPwdExpirationTime stores the expiration timestamp.
Step 2: Delegate Permissions
Allow helpdesk or IT admins to read local passwords:
```powershell
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations" -AllowedPrincipals "HelpdeskGroup"
```
Allow computers to write their own password:
```powershell
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations"
```
Step 3: Install LAPS Group Policy Templates
- Copy AdmPwd.admx and AdmPwd.adml to your policy definitions folder (C:\Windows\PolicyDefinitions).
- Open Group Policy Management.
- Navigate to: Computer Configuration > Administrative Templates > LAPS
- Enable the following:
  - Enable local admin password management
  - Password Settings (length, complexity)
  - Name of administrator account to manage
Step 4: Apply GPO and Force Update
Link the GPO to the appropriate OU. Then run on a client:
```powershell
gpupdate /force
```
Verify LAPS is functioning:
```powershell
Get-AdmPwdPassword -ComputerName PC-01
```
This should output the current local admin password securely stored in AD.
Optional: Use PowerShell to Retrieve Passwords
```powershell
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName PC-01
```
You can build internal tools to expose these securely to helpdesk teams or service desks with proper RBAC.
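One shape such an internal tool can take, as an added example that is not part of the original article: a "check-out" wrapper around the legacy LAPS cmdlets that records who retrieved which password (never the password itself) and then expires the password so the machine rotates it at its next policy refresh. It assumes AdmPwd.PS is installed, the caller already holds delegated read rights on the target OU, and the log path and ticket reference are hypothetical.

```powershell
# Added example, not the article's or Microsoft's code. Assumes AdmPwd.PS is installed
# and the caller has delegated read rights; C:\LapsAudit\retrievals.log is a hypothetical
# path that your log collector picks up.
Import-Module AdmPwd.PS

function Get-LapsPasswordCheckout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $TicketId,                 # hypothetical incident/change reference
        [string] $LogPath = 'C:\LapsAudit\retrievals.log'          # hypothetical path
    )

    # Read the current password and its expiry from AD using the caller's delegated rights
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop
    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password readable for $ComputerName (check delegation and rotation state)."
    }

    # Record who retrieved which machine's password and when; the password itself is never logged
    $record = [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        User      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Computer  = $ComputerName
        TicketId  = $TicketId
        ExpiresAt = $entry.ExpirationTimestamp
    }
    $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath)
    $record | ConvertTo-Json -Compress | Add-Content -Path $LogPath

    # A retrieved password is treated as disclosed: expire it now so the client
    # generates a new one at its next Group Policy refresh instead of weeks later
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)

    # Hand the password back as a SecureString so it does not land in transcripts as plain text
    return ConvertTo-SecureString -String $entry.Password -AsPlainText -Force
}

# Usage (PC-01 is the article's sample computer name):
# $secret = Get-LapsPasswordCheckout -ComputerName PC-01 -TicketId INC-0001
# $cred   = New-Object System.Management.Automation.PSCredential('PC-01\Administrator', $secret)
```

Pairing retrieval with Reset-AdmPwdPassword is what turns a long-lived local admin password into a one-time credential; the audit record gives the SOC something to correlate with logon events on the target machine.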
Common LAPS Policies and Configs
| Policy | Recommendation |
|---|---|
| Password length | 14–20 characters |
| Complexity | Enabled |
| Rotation interval | 30 days or shorter |
| Admin account name | Rename default (avoid “Administrator”) |
| Password retrieval | Log access events for auditing |
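To check that a client has actually received settings matching the table above, here is an added example (not from the article) that reads the legacy LAPS policy values the Group Policy client-side extension stores under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd and compares each one with the recommendation. It assumes that registry location as documented for legacy LAPS; run it on a managed client.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the legacy LAPS
# policy registry location; values that were never set are reported as not meeting
# the recommendation even though the client applies built-in defaults for them.
function Test-LapsPolicy {
    param([string] $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd')

    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{
            Setting = 'Policy key'; Value = 'missing'; Ok = $false
            Note    = 'GPO not applied: run gpupdate /force and check the OU link'
        }
    }
    $p = Get-ItemProperty -Path $PolicyKey

    # One row per setting: current value, whether it meets the table's recommendation, and why
    @(
        [pscustomobject]@{ Setting = 'AdmPwdEnabled';      Value = $p.AdmPwdEnabled
                           Ok = ($p.AdmPwdEnabled -eq 1);  Note = 'management must be enabled' }
        [pscustomobject]@{ Setting = 'PasswordLength';     Value = $p.PasswordLength
                           Ok = ($p.PasswordLength -ge 14 -and $p.PasswordLength -le 20); Note = '14-20 characters' }
        [pscustomobject]@{ Setting = 'PasswordComplexity'; Value = $p.PasswordComplexity
                           Ok = ($p.PasswordComplexity -eq 4); Note = '4 = upper, lower, digits and specials' }
        [pscustomobject]@{ Setting = 'PasswordAgeDays';    Value = $p.PasswordAgeDays
                           Ok = ($p.PasswordAgeDays -ge 1 -and $p.PasswordAgeDays -le 30); Note = '30 days or shorter' }
        # An empty AdminAccountName means the built-in account is managed by its well-known SID,
        # so only an explicit "Administrator" is flagged here
        [pscustomobject]@{ Setting = 'AdminAccountName';   Value = $p.AdminAccountName
                           Ok = ($p.AdminAccountName -ne 'Administrator'); Note = 'renamed account, not the default name' }
    )
}

Test-LapsPolicy | Format-Table -AutoSize
```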
Security Considerations
- Monitor which users have read access to LAPS passwords.
- Use RBAC (Role-Based Access Control) and logs to detect misuse.
- Never expose passwords in plain text or unsecured tools.
- Consider scripting password retrieval in secure tools like ServiceNow or Power Apps.
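The delegation in Step 2 and the first two points above are easiest to keep honest with a periodic review of who can actually read the password attribute. The following is an added example, not part of the article: it walks every OU with Find-AdmPwdExtendedRights (a cmdlet from the AdmPwd.PS module) and reports principals that are not on an approved list. The group names in $ApprovedReaders are hypothetical and should be replaced with the ones you delegated.

```powershell
# Added example, not the article's or Microsoft's code. Assumes AdmPwd.PS and the
# ActiveDirectory module are installed; the approved principal names are hypothetical.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

function Get-LapsReaderAudit {
    param(
        [string[]] $ApprovedReaders = @('CONTOSO\HelpdeskGroup', 'CONTOSO\Domain Admins')  # hypothetical
    )

    $findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # Reports every principal holding the extended right that allows reading the
        # confidential ms-Mcs-AdmPwd attribute on objects under this OU
        $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName -ErrorAction SilentlyContinue
        foreach ($r in $rights) {
            foreach ($principal in $r.ExtendedRightHolders) {
                [pscustomobject]@{
                    OU        = $r.ObjectDN
                    Principal = $principal
                    Approved  = ($ApprovedReaders -contains $principal)
                }
            }
        }
    }

    # Anyone who can read every password in an OU effectively holds local admin on all of
    # those machines, so unapproved holders are the rows to investigate first
    $findings | Where-Object { -not $_.Approved } | Sort-Object OU, Principal
}

Get-LapsReaderAudit | Format-Table -AutoSize
```

Run this after any ACL change and on a schedule; an unexpected principal here usually means someone was granted "All extended rights" on an OU for an unrelated task and inherited password read access with it.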
Troubleshooting Tips
| Issue | Solution |
|---|---|
| Password not rotating | Check if GPO is applied and computer has write permission |
| Can’t retrieve password | Verify AD permissions and schema status |
| GPO not visible | Ensure ADMX templates are properly installed |
| Password shows as blank | Attribute might be protected or inaccessible by your account |
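For the "password not rotating" row (and as a fleet-wide version of the Step 4 check), this added example, which is not from the article, lists computers in an OU whose ms-Mcs-AdmPwdExpirationTime is missing or already in the past. Reading the expiration attribute does not require password read rights, so a helpdesk account can run it. It assumes the ActiveDirectory module and a hypothetical OU distinguished name.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the ActiveDirectory
# module; the search base DN is hypothetical.
Import-Module ActiveDirectory

function Get-LapsRotationHealth {
    param(
        [string] $SearchBase = 'OU=Workstations,DC=contoso,DC=com',   # hypothetical DN
        [int]    $GraceDays  = 2   # how long past expiry before rotation is considered broken
    )
    $now = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) stored as Int64
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

            $state = if (-not $raw) {
                'NeverSet'      # GPO never applied, or the computer lacks self-write permission
            } elseif ($expires -lt $now.AddDays(-$GraceDays)) {
                'Overdue'       # expired and still not rotated: client is not processing the policy
            } elseif ($expires -lt $now) {
                'Expiring'      # expired, should rotate at the next policy refresh
            } else {
                'Ok'
            }

            [pscustomobject]@{ Computer = $_.Name; ExpiresAt = $expires; State = $state }
        } |
        Where-Object { $_.State -ne 'Ok' } |
        Sort-Object State, Computer
}

Get-LapsRotationHealth | Format-Table -AutoSize
```

"NeverSet" points at the GPO link or the Set-AdmPwdComputerSelfPermission step; "Overdue" points at the client itself (policy refresh, the LAPS client-side extension, or a machine that has not been on the network).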
Conclusion
LAPS is one of the most underrated security tools in the Windows ecosystem. It enforces password hygiene, prevents lateral movement, and gives IT admins a secure, auditable way to manage local accounts. If you’re still using the same local admin password across systems, it’s time to make the switch to LAPS and secure your domain endpoints properly.
