# LAPS (Local Administrator Password Solution)

Local Administrator Password Solution (LAPS) "is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it."

# Quick install

  1. Create a new GPO in Group Policy Objects called (for example) LAPS-workstations.
  2. Go to Computer Configuration > Policies > Administrative Templates > System > LAPS.
  3. Edit the following settings:
     • Name of administrator account to manage - don't configure this setting if you just want to manage the built-in local Administrator account; if your company's local admin account is named something like ttadmin, enable this setting and specify that account.
     • Configure password backup directory - choose Active Directory.
     • Password Settings - enable it and set the settings you like (super long/strong password, rotated aggressively, etc.).
     • Enable password encryption (optional) - turn it on to encrypt the password before it goes across the wire.
     • Configure size of encrypted password history (optional) - set it to an appropriate number (max 12).
  4. In PowerShell, as an account that is a member of both Domain Admins and Schema Admins, run:

```powershell
Update-LapsADSchema -Verbose
```

     Answer A for All when prompted.

  5. Allow computers in the OU(s) to self-reset their LAPS passwords when needed:

```powershell
Set-LapsADComputerSelfPermission -Identity 'OU=ComputersAndServers,DC=tangent,DC=town'
```

  6. Run `gpupdate /force` on the DC, then reboot the LAPS-controlled systems.
  7. Use dsa.msc to view/change LAPS passwords in the GUI, or run `Get-LapsADPassword -Identity laptop-777 -AsPlainText` in PowerShell.
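The PowerShell half of the walkthrough above, gathered into one script as an added example (this is not code from the original page). It assumes the same OU path and computer name used above, the Windows LAPS PowerShell module being available on the admin box, and a hypothetical `TANGENT\LAPS-PasswordReaders` group that you create to hold the people allowed to read passwords; it goes one step beyond the walkthrough by delegating read/reset rights to that group and listing who actually holds the password-read right, so you are not relying on Domain Admins to retrieve passwords day to day.

```powershell
#Requires -Modules LAPS
# Added example, not from the original page. OU, group and computer names are assumptions.

$ComputerOU    = 'OU=ComputersAndServers,DC=tangent,DC=town'   # same OU as the walkthrough
$HelpdeskGroup = 'TANGENT\LAPS-PasswordReaders'                # hypothetical group of password readers
$TestComputer  = 'laptop-777'                                  # same test machine as the walkthrough

# Step 4: extend the AD schema with the Windows LAPS attributes.
# Requires membership in both Domain Admins and Schema Admins.
Update-LapsADSchema -Verbose

# Step 5: let computer objects under the OU write their own LAPS password/expiry attributes.
# Without this the client logs the 10066 error mentioned in the troubleshooting section.
Set-LapsADComputerSelfPermission -Identity $ComputerOU

# Least privilege for humans: delegate password read and expiry reset to a dedicated group
# instead of retrieving passwords as a Domain Admin.
Set-LapsADReadPasswordPermission  -Identity $ComputerOU -AllowedPrincipals $HelpdeskGroup
Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals $HelpdeskGroup

# Check: who holds the extended right to read LAPS passwords under this OU?
# Any principal you did not expect here (a broad group, a stale account) is over-delegation.
Find-LapsADExtendedRights -Identity $ComputerOU | Format-Table -AutoSize

# Step 6 (client side): trigger LAPS policy processing on the test machine right away
# instead of waiting for gpupdate and a reboot.
Invoke-Command -ComputerName $TestComputer -ScriptBlock { Invoke-LapsPolicyProcessing }

# Step 7: confirm a password has been backed up to AD for the test machine.
# Drop -AsPlainText to get the password as a SecureString instead of clear text on screen.
Get-LapsADPassword -Identity $TestComputer -AsPlainText |
    Select-Object ComputerName, Account, ExpirationTimestamp, Source
```

Run the script once from an elevated PowerShell session on a domain-joined admin host; `Update-LapsADSchema` and the permission cmdlets only need to succeed once per forest/OU, while the `Find-LapsADExtendedRights` check is worth re-running periodically to catch delegation drift.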

# Troubleshooting

If a LAPS-controlled machine isn't picking up a password, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational. If you see event ID 10066 (an error), it probably means you need to run the `Set-LapsADComputerSelfPermission` command above.
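The same check from the command line, as an added example that is not part of the original page: it reads the LAPS Operational log from a managed machine, shows the most recent warnings and errors, and calls out the 10066 event described above. The computer name is an assumption; the log name is the channel the Event Viewer path above corresponds to.

```powershell
# Added example, not from the original page. The computer name is an assumption.
$Computer = 'laptop-777'

# Pull the last 24 hours of the LAPS Operational channel from the remote machine.
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No LAPS Operational events on $Computer in the last 24h: the LAPS policy may not have applied yet."
    return
}

# Show the newest warning/error events (Level 2 = Error, 3 = Warning) to see why backup is failing.
$events | Where-Object Level -le 3 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 10 |
    Format-List

# 10066 is the case the text above describes: the computer cannot write its own password
# attributes in AD, which points at Set-LapsADComputerSelfPermission not being applied to its OU.
if ($events | Where-Object Id -eq 10066) {
    Write-Host "Event 10066 found on $Computer - run Set-LapsADComputerSelfPermission against its OU." -ForegroundColor Yellow
}

# For anything else, the LAPS module's Get-LapsDiagnostics cmdlet (run on the client) bundles
# the log and current policy state into a folder you can hand to whoever owns the GPO.
```

Run it from an admin host with remote event log access to the client; if `Get-WinEvent` cannot reach the machine at all, the firewall or the Remote Event Log Management rule is the first thing to fix, not LAPS.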

# Video demo

Here's a Tuesday TOOLSday video we did over at 7MinSec.club about installing LAPS in ~20 minutes: