Local Administrator Password Solution (LAPS): Part 1 – Introduction

This will be the first part of a series about the LAPS product from Microsoft. LAPS stands for Local Administrator Password Solution. Once implemented, this product will change the local administrator password on all of your domain-joined machines to a random password. It stores this password as an attribute of the computer object.

This solution is designed for technical staff. It makes it unnecessary for them to log in to machines with their own account to perform administrative functions. This greatly reduces the risk of pass-the-hash or pass-the-password security breaches. With this solution, you no longer need a group of accounts for technical support to be administrators on our workstations.


Essentially, this solution manages the local administrator account. It does not have to be account 500 – it can be one that you designate. This solution will change the password on that account at an interval that you specify using complexity requirements that you also specify.

The AD attribute is stored in plain text, which could be a concern. You can, however, protect the attribute and only allow certain users to view it. The password is viewable as an attribute of the computer object from Active Directory Users and Computers, from PowerShell, or from a fat client that can be installed on tech workstations.

How Does LAPS Work?

LAPS works using Group Policy and a dll on your workstations. The download contains an MSI that you install on your management computers. This MSI contains the Group Policy ADMX and ADML files, the fat client, and the PowerShell module. This MSI can be installed on a central server, or on your technical staff computers. It by no means requires a management server. It is just a method to get the required dll and PowerShell module.

The schema on your Active Directory is extended to include two attributes – one for the password and one for the timestamp of when the password will expire. The schema is extended by running a cmdlet from the PowerShell module. The new attributes are ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

Next, you can either install the same MSI on client machines, just with different options, or you can copy and register a dll on client machines. I prefer the dll, because it does not register a program in Programs and Features. This dll can be registered using ConfigMgr (or like desktop management software) or by executing a script from Group Policy.

You can download LAPS here: https://microsoft.com/en-us/download/details.aspx?id=46899.

Come back soon for more on LAPS.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.