If you’re in charge of managing a Windows environment, you know how important it is to keep your systems secure. One of the keys to maintaining security is proper management of local administrator passwords. Microsoft has developed a solution for this problem called Windows LAPS (Local Administrator Password Solution), which provides a secure way to manage passwords for local administrator accounts on Windows computers. In this article, we’ll explore what LAPS is, how it works, and how you can configure it for your environment.
What is Windows LAPS?
Windows LAPS is a free Microsoft tool that provides a secure method of managing local administrator account passwords on domain-joined Windows computers. The tool generates a unique password for each computer’s local administrator account and stores it in Active Directory. With LAPS in place, an administrator can change the password for all local administrator accounts across their organization with just a few clicks.
How does LAPS work?
When LAPS is installed on a domain-joined Windows computer, it generates a random password for the local administrator account. This password is stored in Active Directory and is secure because only authorized administrators can access it. The password is changed at regular intervals, according to a schedule set by the administrator, to ensure that it remains secure.
What are the benefits of using LAPS on Windows?
Using LAPS provides numerous benefits for organizations. Firstly, it eliminates the need for IT administrators to manually manage local administrator passwords: passwords are generated and changed automatically, so password management becomes a largely automated process. Secondly, LAPS provides a secure way to store passwords because they are encrypted and stored in Active Directory. This approach provides a higher level of security than the traditional method of manually managing local passwords, which can lead to weak or compromised passwords. Finally, because LAPS is a free Microsoft tool, it can be readily implemented without the need for additional investment by the organization.
What are the risks of not using LAPS?
If an organization does not have a secure method for managing local administrator account passwords, and these passwords are not changed on a regular basis, it’s easy for attackers to escalate their privileges and take control of a large number of systems. This type of attack is known as a “Pass-the-Hash” attack and can result in widespread damage to an organization’s systems and reputation. LAPS helps prevent this type of attack by ensuring that local administrator account passwords are regularly changed and properly secured.
How to Configure Windows LAPS?
What are the system requirements for LAPS?
Windows LAPS can be installed on Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. An Active Directory (AD) domain is required to deploy LAPS, and your domain functional level must be set to Windows Server 2003 or higher.
How to install and configure LAPS?
The following steps are required to install and configure LAPS:
- Download and install the LAPS MSI file on the domain-joined Windows computers you want to manage.
- Configure Group Policy settings to enable LAPS and set parameters such as password length, complexity, and expiration.
- Extend the Active Directory schema to include the LAPS attribute.
- Delegate Active Directory permissions to specified administrators to manage LAPS passwords.
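The four steps above, carried out from PowerShell, as an added example that is not part of the original article. It assumes the LAPS PowerShell module that ships with current Windows builds (together with the GroupPolicy and ActiveDirectory modules) is available on the management host and that the account running it holds Schema Admin rights for the schema step; the OU, group, GPO and managed account names are placeholders. The policy values written in step 4 are the same password length, complexity and expiration settings the later "How to create a LAPS policy?" section refers to.

```powershell
# Added example (not from the article): provisioning Windows LAPS in an AD domain
# with the built-in LAPS PowerShell module. Assumptions: the LAPS, GroupPolicy and
# ActiveDirectory modules are present, the caller can extend the schema and delegate
# on the OU, and every name below is a placeholder.

#Requires -Modules LAPS, GroupPolicy, ActiveDirectory

$TargetOU  = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU holding managed computers
$ReaderGrp = 'CORP\LAPS-Password-Readers'           # placeholder group allowed to read passwords
$ResetGrp  = 'CORP\LAPS-Password-Resetters'         # placeholder group allowed to force a rotation
$GpoName   = 'LAPS - Workstations'                  # placeholder GPO name

Import-Module LAPS, GroupPolicy, ActiveDirectory

# 1. Extend the schema once per forest (adds the LAPS attributes to the computer class).
#    -Verbose prints each attribute as it is created; re-running on an extended forest is harmless.
Update-LapsADSchema -Verbose

# 2. Allow computers in the OU to write their own password and expiry attributes (SELF permission).
Set-LapsADComputerSelfPermission -Identity $TargetOU

# 3. Delegate read and reset rights to dedicated groups rather than to individual admins.
Set-LapsADReadPasswordPermission  -Identity $TargetOU -AllowedPrincipals $ReaderGrp
Set-LapsADResetPasswordPermission -Identity $TargetOU -AllowedPrincipals $ResetGrp

# 4. Create (or reuse) a GPO and write the LAPS policy values under the key the client reads.
$PolicyKey = 'HKLM\Software\Microsoft\Policies\LAPS'
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$Settings = @{
    BackupDirectory                     = 2            # 2 = back the password up to Windows Server AD
    AdministratorAccountName            = 'LocalAdmin' # placeholder name of the managed local account
    PasswordLength                      = 20
    PasswordComplexity                  = 4            # upper + lower + digits + special characters
    PasswordAgeDays                     = 30
    PasswordExpirationProtectionEnabled = 1            # client rejects expiry dates beyond the policy max
}
foreach ($name in $Settings.Keys) {
    $type = if ($Settings[$name] -is [string]) { 'String' } else { 'DWord' }
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
        -Type $type -Value $Settings[$name] | Out-Null
}
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue
```

Run the schema step once per forest from a Schema Admin session; the delegation and GPO steps are repeated per OU that holds managed computers. Delegating to groups rather than users keeps the list of password readers reviewable later.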
How to use the LAPS UI for password management?
To use the LAPS UI, an administrator can open the Active Directory Users and Computers (ADUC) console, right-click on a computer object, and select “Reset Local Administrator Password.” This action will trigger LAPS to generate and apply a new password to the local administrator account on the computer.
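The retrieval and reset operations behind that UI action, done from PowerShell, as an added example that is not part of the original article. It assumes the built-in LAPS module on the admin host, read and reset rights already delegated on the computer's OU, WinRM reachable on the target, and a placeholder computer name.

```powershell
# Added example (not from the article): reading, expiring and re-rotating a managed
# local administrator password with the built-in LAPS module. The computer name is a
# placeholder; the caller must hold the delegated read and reset rights on its OU.

#Requires -Modules LAPS

$Computer = 'WS-0001'   # placeholder computer name

# Read the current password. Without -AsPlainText the Password field is a SecureString,
# so plaintext only appears when an operator explicitly asks for it.
$before = Get-LapsADPassword -Identity $Computer -AsPlainText
"Account: {0}`nExpires: {1}`nPassword: {2}" -f $before.Account, $before.ExpirationTimestamp, $before.Password

# Equivalent of the "reset" action in the UI: mark the stored password as expired now.
# The client rotates it on its next policy cycle, or immediately when processing is triggered.
Set-LapsADPasswordExpirationTime -Identity $Computer

# Trigger that cycle remotely (requires WinRM and local admin rights on the target).
Invoke-Command -ComputerName $Computer -ScriptBlock { Invoke-LapsPolicyProcessing }

# Confirm a new password was stored: the update timestamp moves forward and the expiry is reset.
$after = Get-LapsADPassword -Identity $Computer
"Rotated: {0}; new expiry: {1}" -f ($after.PasswordUpdateTime -gt $before.PasswordUpdateTime), $after.ExpirationTimestamp
```

Leave out -AsPlainText in day-to-day scripts and only decrypt when a human actually needs the value; every read is an event worth having in your audit trail.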
How LAPS Can Help You Secure Your Passwords?
What is the difference between LAPS and Legacy LAPS?
LAPS has replaced the legacy Microsoft LAPS software, which was released in 2015. The new version of LAPS now includes a number of features that the original lacked, including password encryption, enhanced security, and support for Azure AD and Intune.
How to use LAPS with Intune and Azure AD?
LAPS can be used in conjunction with Azure AD and Intune to manage local administrator account passwords on devices that are not domain joined. LAPS settings can be configured from the Intune portal and applied to devices via the Intune client.
What policies can be set using LAPS?
LAPS can be used to set various policies for local administrator accounts, including password expiration, password length, and password complexity. Administrators can use Group Policy Objects (GPOs) to configure these policies and ensure that they are consistently applied across their organization.
Best Practices for Local Administrator Password Management
What are some best practices for LAPS?
Some best practices for LAPS include:
- Ensure that LAPS is installed on all domain-joined Windows machines.
- Set strong password policies and ensure that passwords are rotated on a regular basis.
- Assign LAPS management permissions to a dedicated security group to limit the number of people who can manage passwords.
- Monitor LAPS activities and check logs regularly to detect any suspicious activity.
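Two checks that implement the last two practices above (a dedicated rights group and regular log review), as an added example that is not part of the original article. It assumes the built-in LAPS module, a placeholder OU, and a placeholder list of approved groups; the operational log name is the one the Windows LAPS client writes to.

```powershell
# Added example (not from the article): auditing who holds LAPS rights on an OU and
# reviewing the client's operational log. OU and group names are placeholders.

#Requires -Modules LAPS

$TargetOU     = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$ApprovedGrps = @(                                      # placeholder approved list
    'NT AUTHORITY\SYSTEM',                              # always present
    'CORP\Domain Admins',                               # always present
    'CORP\LAPS-Password-Readers',
    'CORP\LAPS-Password-Resetters'
)

# 1. List every principal holding LAPS extended rights on the OU and flag unexpected ones.
Find-LapsADExtendedRights -Identity $TargetOU |
    ForEach-Object { $_.ExtendedRightHolders } |
    Where-Object { $_ -notin $ApprovedGrps } |
    ForEach-Object { Write-Warning "Unexpected LAPS rights holder on ${TargetOU}: $_" }

# 2. Pull the last 24 hours from the LAPS operational log on this client.
$LogName = 'Microsoft-Windows-LAPS/Operational'
$since   = (Get-Date).AddDays(-1)
$events  = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                        -ErrorAction SilentlyContinue

# Critical/Error/Warning entries (Level 1-3) usually point at a policy or AD write problem.
$events | Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# Count events by ID so a change in the normal pattern (e.g. no successful updates) stands out.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object Name, Count
```

Run the rights check from the domain side on a schedule and compare its output with the previous run; run the log review on the clients themselves, or forward the LAPS operational log to your SIEM and apply the same level and event-ID filters there.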
How to create a LAPS policy?
Creating a LAPS policy involves configuring GPO settings for local administrator account passwords. Administrators can set policies for password length, complexity, and expiration, among other configurations. Once the policies are configured, they can be applied to all domain-joined Windows machines via Group Policy.
What are some common issues with LAPS?
Some common issues with LAPS include incorrect permissions, configuration errors, and synchronization issues with Active Directory. Administrators must be sure to follow best practices and carefully monitor the tool’s activity to avoid these issues.
Conclusion
Is Windows LAPS the right solution for your organization?
If your organization uses domain-joined Windows computers, then LAPS is an excellent solution for local administrator account password management. It’s free, secure, and easy to configure, and it can save your IT staff a lot of time and effort. Using LAPS provides organizations with a centralized system for password management, making it less likely that passwords will be mismanaged or forgotten, and this can significantly increase the overall security of your environment.
What are the next steps to implement LAPS?
The next steps to implement LAPS include:
- Determine which domain-joined Windows machines will need LAPS installed.
- Download and install the LAPS MSI file on each machine.
- Configure GPO settings for LAPS.
- Extend the Active Directory schema to include the LAPS attribute.
- Delegate Active Directory permissions to specified administrators to manage LAPS passwords.
How can IT admins benefit from using LAPS in their security strategy?
Using LAPS provides IT admins with a centralized platform for managing local administrator account passwords, making it easier to secure passwords and manage access to them. LAPS is free, easy to configure, and integrates with Azure AD and Intune, providing admins with greater flexibility and control over their security strategy. With LAPS in place, admins are better equipped to detect and take action against potential security threats, keeping their organizations safer and more secure.
Frequently asked questions:
Q: What is Windows LAPS?
A: Windows LAPS (Local Administrator Password Solution) is a solution developed by Microsoft that helps organizations secure their IT environment by managing local administrator account passwords. It generates unique, complex passwords for each local administrator account, stores them in Active Directory, and automates password rotation to ensure that they are constantly changing.
Q: What is the difference between Microsoft LAPS and Windows LAPS?
A: They are the same solution, but with different names. Microsoft LAPS was version 6.2 of the solution, while Windows LAPS is version 6.3 and later.
Q: How does Windows LAPS manage local administrator account passwords?
A: Windows LAPS generates a new, unique password for each local administrator account and stores it in Active Directory. It then automates password rotation on a regular basis to ensure that passwords are constantly changing and thus more secure.
Q: Can Windows LAPS be used with Azure AD?
A: Yes, Windows LAPS can be used with Azure Active Directory. However, Azure AD does not have the same level of integration for LAPS as on-premises Active Directory, so managing passwords may be more difficult.
Q: Can Windows LAPS be managed by Microsoft Intune?
A: Yes, Windows LAPS can be managed by Microsoft Intune. Intune can be used to configure LAPS policies, report on LAPS client configurations, and retrieve local administrator account passwords.
Q: What is the difference between Windows LAPS and legacy LAPS?
A: Legacy LAPS is the original version of the solution and has been replaced by Windows LAPS. Windows LAPS has more advanced features, such as the ability to manage passwords for multiple domains and forests, while legacy LAPS only supports on-premises Active Directory environments.
Q: How can I install Windows LAPS?
A: Windows LAPS can be installed using Group Policy or PowerShell. Detailed installation instructions can be found in the Microsoft LAPS Deployment Guide.
Q: Can I use Windows LAPS with Windows 10?
A: Yes, Windows LAPS is fully compatible with Windows 10 and 11.
Q: What are the benefits of using Windows LAPS?
A: The benefits of using Windows LAPS include increased security by generating unique, complex passwords for local administrator accounts, reducing the risk of credential theft and lateral movement in a network, and automating password rotation to ensure that passwords are frequently changed.
Q: What is the AD schema extension required for using Windows LAPS?
A: An Active Directory schema extension is required to use Windows LAPS. This extension adds two new attributes to the schema to allow LAPS to store and manage passwords for local administrator accounts. The extension can be performed during or after LAPS installation.