How to Install and Configure Microsoft LAPS (Local Administrator Password Solution)


📌 Introduction

Microsoft Local Administrator Password Solution (LAPS) is a free tool that enhances security by automatically managing local administrator passwords on domain-joined computers. This guide will walk you through the installation and configuration of LAPS in a step-by-step manner.


🔍 Prerequisites

Before you begin, ensure you have the following:

Active Directory configured
Domain Admin or equivalent privileges
Windows Server with Group Policy Management
Windows Clients (Windows 10/11) joined to the domain


📥 Step 1: Download and Install LAPS

1️⃣ Download LAPS from the official Microsoft Download Center:
👉 https://www.microsoft.com/en-us/download/details.aspx?id=46899

2️⃣ Run the LAPS.x64.msi installer on your Domain Controller (DC) and client machines.

3️⃣ On the Installation Wizard, select:

  • AdmPwd GPO Extension

  • PowerShell Module

  • Management Tools

4️⃣ Click Install and wait for the process to complete.


🔗 Step 2: Extend Active Directory Schema

To store the LAPS-managed passwords, you need to extend the AD schema.

1️⃣ Open PowerShell as Administrator on your Domain Controller. The account you use must be a member of Schema Admins, because the next command adds attributes to the AD schema.

2️⃣ Run the following command:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

3️⃣ If successful, you’ll see no error messages.


🎛️ Step 3: Set Permissions in Active Directory

Now, grant computers permission to update their password attributes.

1️⃣ Run this command in PowerShell:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com"

🔹 Replace OU=Computers,DC=yourdomain,DC=com with your actual Organizational Unit (OU) path.

2️⃣ Grant read permission for IT admins to retrieve passwords:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com" -AllowedPrincipals "ITAdmins"

3️⃣ Ensure only necessary users can reset passwords:

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com" -AllowedPrincipals "ITAdmins"

Done! Now, the computers in the OU can update their local administrator passwords securely.


🎛️ Step 4: Configure LAPS Group Policy

1️⃣ Open Group Policy Management (gpmc.msc).

2️⃣ Navigate to Computer Configuration > Administrative Templates > LAPS.

3️⃣ Enable the following policies:

  • Enable local admin password management → Set to Enabled

  • Password Settings → Configure password complexity, length, and expiration ✅

  • Name of administrator account to manage (if you use a custom local admin name) ✅

4️⃣ Link the policy to the OU where the computers are located.


🔎 Step 5: Verify LAPS Deployment

1️⃣ On a client computer in the linked OU, force a Group Policy update:

gpupdate /force

2️⃣ From the DC or an admin workstation that has the LAPS PowerShell module installed, logged on as a member of the group you granted read permission in Step 3, run:

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName PC-01

🔹 This returns the stored local admin password for that computer in clear text, together with its expiration timestamp.

Success! Your LAPS deployment is now active.
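Two checks worth running once Step 3 and Step 5 are done: confirm that only the principals you intended can read passwords (anyone holding "All extended rights" on the OU, typically Domain Admins, can read ms-Mcs-AdmPwd as well), and confirm that every computer in the OU has actually started rotating its password. The script below is an added example, not part of the original post; the OU path and the ITAdmins group are placeholders for your own values.

```powershell
# Added example: audit a LAPS OU after deployment.
# Assumes the RSAT ActiveDirectory module and the AdmPwd.PS module are installed
# on the machine you run this from. $OU and $ExpectedReaders are placeholders.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = "OU=Computers,DC=yourdomain,DC=com"          # placeholder: your OU
$ExpectedReaders = @("YOURDOMAIN\ITAdmins",         # placeholder: group from Step 3
                     "YOURDOMAIN\Domain Admins")    # holds All extended rights by default

# 1. Who can read LAPS passwords in this OU? Find-AdmPwdExtendedRights lists every
#    principal with the extended right on the OU (and child OUs), which may be more
#    than the principals you granted explicitly with Set-AdmPwdReadPasswordPermission.
$rights = Find-AdmPwdExtendedRights -Identity $OU
foreach ($r in $rights) {
    foreach ($holder in $r.ExtendedRightHolders) {
        if ($holder -notin $ExpectedReaders) {
            Write-Warning "Unexpected password reader on $($r.ObjectDN): $holder"
        }
    }
}

# 2. Which computers have checked in? A client that has applied the GPO writes
#    ms-Mcs-AdmPwdExpirationTime (a FILETIME). No value = not managed yet;
#    a value in the past = the client should have rotated but has not.
$now = [DateTime]::UtcNow
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            [pscustomobject]@{ Computer = $_.Name; State = 'NotManaged'; Expires = $null }
        } else {
            $exp = [DateTime]::FromFileTimeUtc([int64]$raw)
            [pscustomobject]@{
                Computer = $_.Name
                State    = if ($exp -lt $now) { 'Expired' } else { 'OK' }
                Expires  = $exp
            }
        }
    } | Sort-Object State, Computer | Format-Table -AutoSize
```

Run it again after Set-AdmPwdAuditing if you enable auditing, since password reads then appear in the DC Security log and the same group list tells you whose reads to expect.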


🎯 Conclusion

You’ve successfully installed and configured Microsoft LAPS! 🏆 This enhances security by ensuring each machine has a unique, automatically updated local administrator password.

📢 Next Steps:

  • ✅ Monitor password changes using PowerShell

  • ✅ Train your IT team on LAPS password retrieval

  • ✅ Consider Windows LAPS (Newer Version) for enhanced security features

💬 Need help? Drop your questions in the comments! 🚀
