How to Install and Configure Microsoft LAPS (Local Administrator Password Solution)

 

📌 Introduction

Microsoft Local Administrator Password Solution (LAPS) is a free tool that enhances security by automatically managing local administrator passwords on domain-joined computers. This guide will walk you through the installation and configuration of LAPS in a step-by-step manner.




🔍 Prerequisites

Before you begin, ensure you have the following:

Active Directory configured ✅ Domain Admin or equivalent privileges ✅ Windows Server with Group Policy ManagementWindows Clients (Windows 10/11) joined to the domain


📥 Step 1: Download and Install LAPS

1️⃣ Download LAPS from the official Microsoft Download Center:
👉 https://www.microsoft.com/en-us/download/details.aspx?id=46899

2️⃣ Run the LAPS.x64.msi installer on your Domain Controller (DC) and client machines.

3️⃣ On the Installation Wizard, select:

  • AdmPwd GPO Extension

  • PowerShell Module

  • Management Tools

4️⃣ Click Install and wait for the process to complete.


🔗 Step 2: Extend Active Directory Schema

To store the LAPS-managed passwords, you need to extend the AD schema.

1️⃣ Open PowerShell as Administrator on your Domain Controller.

2️⃣ Run the following command:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

3️⃣ If successful, you’ll see no error messages.


🎛️ Step 3: Set Permissions in Active Directory

Now, grant computers permission to update their password attributes.

1️⃣ Run this command in PowerShell:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com"

🔹 Replace OU=Computers,DC=yourdomain,DC=com with your actual Organizational Unit (OU) path.

2️⃣ Grant read permission for IT admins to retrieve passwords:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com" -AllowedPrincipals "ITAdmins"

3️⃣ Ensure only necessary users can reset passwords:

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=yourdomain,DC=com" -AllowedPrincipals "ITAdmins"

Done! Now, the computers in the OU can update their local administrator passwords securely.


🎛️ Step 4: Configure LAPS Group Policy

1️⃣ Open Group Policy Management (gpmc.msc).

2️⃣ Navigate to Computer Configuration > Administrative Templates > LAPS.

3️⃣ Enable the following policies:

  • Enable local admin password management → Set to Enabled

  • Password Settings → Configure password complexity, length, and expiration ✅

  • Name of administrator account to manage (if you use a custom local admin name) ✅

4️⃣ Link the policy to the OU where the computers are located.


🔎 Step 5: Verify LAPS Deployment

1️⃣ Force Group Policy Update:

gpupdate /force

2️⃣ On a domain-joined PC, run:

Get-AdmPwdPassword -ComputerName PC-01 -Credential (Get-Credential)

🔹 This will show the stored local admin password for that computer.

Success! Your LAPS deployment is now active.


🎯 Conclusion

You’ve successfully installed and configured Microsoft LAPS! 🏆 This enhances security by ensuring each machine has a unique, automatically updated local administrator password.

📢 Next Steps:

  • ✅ Monitor password changes using PowerShell

  • ✅ Train your IT team on LAPS password retrieval

  • ✅ Consider Windows LAPS (Newer Version) for enhanced security features

💬 Need help? Drop your questions in the comments! 🚀

Comments

Popular posts from this blog

Drag and Drop Not Working on Windows 11 Taskbar (24H2)

How to Upgrade from Windows 10 to Windows 11 Pro Online Without USB

Windows 11 Installation on HP 15 DWX-3XXX: Challenges and Solutions