LAPS: Part 2 Installation/Configuration

This is part two of a series about Microsoft LAPS. For part one, go here: LAPS: Part 1 – Introduction – (windowsmanagementexperts.com)

In this part, we will go over the installation and configuration of LAPS. We extend the AD Schema to support LAPS, then we will import the Group Policy ADMX file and go over the settings. Finally, we will register the required DLL on a client machine.

To start, install the LAPS MSI on your management machine with the management components selected; the PowerShell module and the Group Policy templates used in the following steps are installed as part of this package.

AD Schema

I recommend performing this operation from a domain controller.

The AD Schema is extended via the LAPS PowerShell module. You must be a member of the Schema Admins group to extend the AD schema. First, open an elevated PowerShell session and import the module (AdmPwd.PS).

Next, run the schema extension cmdlet (Update-AdmPwdADSchema). Make sure that you have the Schema Manager installed (it’s part of the AD LDS tools and snap-ins).

Now the schema contains the attributes required for LAPS.

GPO Template

If you have not done so, copy the ADMX and ADML files to the PolicyDefinitions folder (the Central Store) for your domain; the ADML file goes in the matching language subfolder, for example en-US. This allows the GPOs to be edited from any machine with the Group Policy editor. You’re looking for the files AdmPwd.admx and AdmPwd.adml.

Once imported, the GPO settings are at Computer Configuration > Administrative Templates > LAPS. There are four settings, described below.

For LAPS to work, you need to configure “Password Settings”, “Do not allow password expiration time longer than required by policy”, and “Enable local admin password management”. The fourth setting, “Name of administrator account to manage”, is optional. If you enable it, LAPS can manage an account other than the built-in local administrator account. More on this later.

For the “Password Settings” policy, match your organization’s password policy. It should not be less secure than your default domain password policy. The “Password age in days” setting defines how often the password is changed.

The “Do not allow password expiration time longer than required by policy” setting should be enabled. Enabling this setting will keep passwords in line with your default domain policy.

Finally, you must enable “Enable local admin password management” for LAPS to take over password management.

“Name of administrator account to manage” Policy

One thing to consider when using this policy: if you have simply renamed the default administrator account and want LAPS to manage it, do NOT configure this policy. LAPS identifies the built-in account by its well-known administrator SID, not by its name, and renaming the local administrator account does not change its SID. Configuring this policy with the renamed account would make LAPS look the account up by name instead.

Enable LAPS on Clients

You have two options for the last step, enabling LAPS on clients. The first is to install the LAPS client MSI on each machine with only the AdmPwd GPO Extension option selected. This creates an entry in Programs and Features, which means a user with local administrator rights could simply uninstall it. The second option, which I recommend, is to install the AdmPwd GPO Extension on one computer, copy the resulting “AdmPwd.dll” (found in %ProgramFiles%\LAPS\CSE after the client MSI installs it) to all machines, and register the DLL there. To register the DLL, run this command from an elevated prompt in the folder containing the file:

regsvr32.exe AdmPwd.dll

Once the dll is registered, the GPO will take over and begin managing the password.
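The recommended copy-and-register deployment above, written as a PowerShell script with a verification step; this is an added example, not code from the original post. It assumes a hypothetical file share \\fileserver\LAPS holding the AdmPwd.dll taken from a machine where the client MSI was installed, and that it runs in an elevated session on each client.

```powershell
# Added example (not from the original post): copy AdmPwd.dll into the folder the
# client MSI uses, register it with regsvr32, then verify that Group Policy knows
# about the LAPS client-side extension (CSE) before relying on it.
$SourceDll = '\\fileserver\LAPS\AdmPwd.dll'           # placeholder share path (assumption)
$TargetDir = Join-Path $env:ProgramFiles 'LAPS\CSE'   # folder the client MSI installs to
$TargetDll = Join-Path $TargetDir 'AdmPwd.dll'

# Writing to %ProgramFiles% and HKLM requires an elevated session; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Copy the DLL into place, creating the folder if this machine never had the MSI.
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
Copy-Item -Path $SourceDll -Destination $TargetDll -Force

# Register the CSE silently (/s suppresses the dialog); regsvr32 returns non-zero on failure.
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$TargetDll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 failed with exit code $($proc.ExitCode)"
}

# Verify: every Group Policy CSE is listed as a subkey under GPExtensions with a DllName
# value. A successful registration leaves an entry whose DllName points at AdmPwd.dll.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cse = Get-ChildItem -Path $gpExt |
    Where-Object { (Get-ItemProperty -Path $_.PSPath).DllName -like '*AdmPwd.dll' }
if (-not $cse) {
    throw 'AdmPwd.dll is not registered as a Group Policy client-side extension.'
}
$dllName = (Get-ItemProperty -Path $cse.PSPath).DllName
Write-Output "LAPS CSE registered: $($cse.PSChildName) -> $dllName"

# Refresh computer policy so the LAPS settings apply without waiting for the next cycle.
gpupdate.exe /target:computer /force
```

The same GPExtensions check can be run on its own later to confirm that the extension has not been unregistered or removed from a machine.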
