What is LAPS

LAPS (Local Administrator Password Solution) is a centralized place to keep the local administrator password of each PC. LAPS randomizes the password every few days according to the policy you set up, or each time you use it. This is much more secure than having a single shared password for all of the local administrator accounts. It also gives you a known way back into all of your machines when nothing else works.

Setting up LAPS

  1. Download LAPS and run the installer as an administrator.
  2. Execute the following PowerShell commands:

Import-Module AdmPwd.PS # import the LAPS PowerShell module
Update-AdmPwdADSchema # extends the Active Directory (AD) schema with the attributes LAPS uses to store each password and its expiration time

  3. Grant permission for each PC to update its own password. Replace "test" with the OU where your PCs are located:

Set-AdmPwdComputerSelfPermission -OrgUnit test

  4. Allow specific users to view the LAPS password. In "Active Directory Users and Computers," add the group "LAPSAdmins." Again, replace "test" with the OU containing your PCs:

Set-AdmPwdReadPasswordPermission -Identity test -AllowedPrincipals "LAPSAdmins"

  5. Copy the LAPS installer from step 1 to a shared folder.
  6. Open the Group Policy Management Console.
  7. Create a new Group Policy Object (GPO) called LAPS.
  8. Open the new LAPS GPO and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
    • Right-click in the Software Installation pane and create a new installation.
    • Select the installer file from \\LOCALDOMAINNAME\SYSVOL\LOCALDOMAINNAME\scripts\laps and click OK. Note: ensure that this is a shared folder reached by its UNC path; otherwise, the PCs will not be able to access the file.
  9. Under Computer Configuration > Policies > Administrative Templates > LAPS, configure the following four LAPS settings:
    • Enable local admin password management
    • Password settings
    • Do not allow password expiration time longer than required
    • Name of administrator account to manage (only required if you have renamed the built-in administrator account)
  10. Link the new LAPS GPO to your Workstations OU.
  11. On your workstations, run the following commands, or wait two hours for the changes to take effect:

gpupdate /force
shutdown /r
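Once the GPO has applied, it is worth checking three things from an admin host: that the schema extension from Update-AdmPwdADSchema exists, who can actually read the password in the OU (anyone holding "All extended rights" on the OU can, not only LAPSAdmins), and which computers have not yet received a managed password. The script below is an added example, not part of the original guide or of the LAPS product; it assumes the RSAT ActiveDirectory module and AdmPwd.PS are installed, and the OU distinguished name is a placeholder for your own Workstations OU.

```powershell
# Added example (not from the original guide): post-deployment checks for LAPS.
# Assumptions: RSAT ActiveDirectory module and AdmPwd.PS are installed on this host,
# and $OU is a placeholder you replace with the DN of your Workstations OU.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace with yours

# 1. Confirm the two LAPS attributes added by Update-AdmPwdADSchema exist.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = @(Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter '(|(name=ms-Mcs-AdmPwd)(name=ms-Mcs-AdmPwdExpirationTime))' |
          Select-Object -ExpandProperty Name)
if ($attrs.Count -ne 2) {
    Write-Warning "LAPS schema attributes missing; run Update-AdmPwdADSchema first"
}

# 2. List every principal able to read the clear-text password in this OU.
# Holders you did not expect (delegated admins, help desk groups with broad rights)
# are the ones to review, since each of them can log on as local admin anywhere in the OU.
Find-AdmPwdExtendedRights -Identity $OU | Select-Object ObjectDN, ExtendedRightHolders

# 3. Deployment coverage: a computer with no expiration time has not yet had its
# password set by the LAPS client (GPO not applied, installer missing, or offline).
$computers = Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'      # stored as a Windows FILETIME (int64)
    [pscustomobject]@{
        Name       = $c.Name
        Managed    = [bool]$raw
        ExpiresUtc = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
    }
}
$report | Sort-Object Managed, Name | Format-Table -AutoSize
"{0} of {1} computers in {2} have a LAPS-managed password" -f `
    @($report | Where-Object Managed).Count, @($report).Count, $OU
```

Run it from an account that is a member of LAPSAdmins (or otherwise allowed to read the OU); a computer that stays unmanaged after two gpupdate cycles usually has not installed the LAPS client from the Software Installation policy.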