How to Setup Windows LAPS Step by Step

Windows LAPS is a powerful, and now easy to set up, local administrator password management solution with real security benefits. It stores the local administrator password of every managed device (or only the devices you choose) in your directory, whether that is on-premises Active Directory or Azure Active Directory. Each password is unique per device, has a strict expiration time and is rotated automatically, which removes the shared local admin password that attackers rely on for account takeover and lateral movement. This matters most in scenarios such as remote helpdesk agents needing local admin access to user devices.

Windows LAPS is integrated directly into the latest operating systems, making it quick and easy for administrators to deploy across an organisation.

In this tutorial, I am going to show you how to deploy Windows LAPS to your Active Directory joined devices step by step.

What is Windows LAPS?

Windows LAPS is the successor to Microsoft's older solution, Microsoft LAPS (now referred to as legacy LAPS). LAPS stands for Local Administrator Password Solution, and that is exactly what it does: Windows LAPS is a built-in Windows feature that automatically manages the password of a local administrator account and backs it up to either on-premises Active Directory or Azure Active Directory.

LAPS can back up and manage local administrator account passwords in the following scenarios:

  • Back up local admin passwords for devices joined to an on-premises Active Directory, to that Active Directory.
  • Back up local admin passwords for devices joined to Azure Active Directory, to Azure Active Directory.
  • Back up the DSRM (Directory Services Restore Mode) account password of Windows Server domain controllers to the on-premises Active Directory.

Need to knows!

Where a device can back up its password depends on how it is joined, so check this before you plan the deployment. If your devices are joined only to the on-premises Active Directory, the password can only be backed up to that Active Directory.

Likewise, if your devices are joined only to Azure Active Directory, the password can only be backed up to Azure Active Directory.

If your devices are hybrid joined (on-premises Active Directory and Azure Active Directory), the password can be backed up to either directory, but not to both: the Configure password backup directory policy selects exactly one target.

Requirements for Windows LAPS

To use the latest version of Windows LAPS that is built directly into your operating system, you must be running any of the following operating systems:

Client Operating Systems

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update

Windows Server Operating System

  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

There are no additional licensing requirements needed to use Windows LAPS.

How to Setup Windows LAPS Step by Step

1. Start by logging into a domain controller and opening an elevated PowerShell session. Your account must be a member of Schema Admins for the schema update in the next step (Domain Admins alone is not enough to extend the schema); the remaining steps need Domain Admins. The LAPS PowerShell module ships with the April 11 2023 update, so nothing extra needs to be installed.

2. Once PowerShell is open, run the following command to update the Active Directory schema. This only needs to be done once per forest:

Update-LapsADSchema

You can either enter Y to review and approve each schema change individually, or A to approve all of them at once.

The following attributes will be added to the schema once you run the update command:

  • msLAPS-PasswordExpirationTime
  • msLAPS-Password
  • msLAPS-EncryptedPassword
  • msLAPS-EncryptedPasswordHistory
  • msLAPS-EncryptedDSRMPassword
  • msLAPS-EncryptedDSRMPasswordHistory

You can verify that all updates were successful by re-running the command with the -Verbose switch; the cmdlet is idempotent, so re-running it is safe.

Update-LapsADSchema -Verbose

The verbose output reports that each required attribute is already present.

3. Next we need to ensure that the managed devices have permission to update their own passwords in the directory. A device does this by writing to the msLAPS- attributes on its own computer object, which the default computer permissions do not allow. At this point the attributes on the computer object are still blank.

Run the following command against the highest-level OU that contains your computer OUs; the permission is inherited by everything underneath it. For example, I run it against my ourcloudnetwork OU, which contains a sub-OU called Computers, so the computers in that sub-OU inherit the permission from the top-level OU. The -Identity value must identify the OU uniquely.

Set-LapsADComputerSelfPermission -Identity ourcloudnetwork

If the OU name you pass is not unique in the domain, the command fails with the following error; in that case pass the OU's full distinguished name instead of its bare name:

Set-LapsADComputerSelfPermission : Found more than one result 2 for the 'computers' OU in AD

4. You now need to ensure that the right users, and only those users, can read the LAPS passwords from Active Directory. By default only accounts with full control over the computer objects, such as Domain Admins, can read them. Use the Set-LapsADReadPasswordPermission cmdlet to grant a specific group permission to read the LAPS passwords for computers in the desired OU.

For example, below I am granting the Workstation Admins security group permission to read the LAPS passwords for computers within the ourcloudnetwork OU.

Set-LapsADReadPasswordPermission -Identity ourcloudnetwork `
-AllowedPrincipals "ourcloudnetwork\Workstation Admins"

There are related cmdlets for delegating and driving password rotation:

  • Set-LapsADResetPasswordPermission – Grants a specific group permission to modify the msLAPS-PasswordExpirationTime attribute in AD, i.e. to force a password rotation without being able to read the password.
  • Set-LapsADPasswordExpirationTime – Does not delegate anything; it is the cmdlet those delegated users run against a computer to expire the current password so that the device rotates it on its next policy processing cycle.

You can use the Find-LapsADExtendedRights cmdlet, with -Identity set to the OU, to list which principals currently hold the LAPS extended rights on that OU and confirm the delegation worked.

5. Now we can deploy the LAPS configuration to our target devices via Group Policy. Start by creating a new GPO in the Group Policy Management Console and linking it to your target computer OU.

6. Edit the policy and find the LAPS settings under Computer Configuration > Administrative Templates > System > LAPS. At a bare minimum, you need to enable Configure password backup directory and set it to Active Directory so that the password is backed up there.

The setting has three options: Disabled, Azure Active Directory and Active Directory. If it is left Not Configured or set to Disabled, no password is backed up and the rest of your LAPS policy has no effect, so this is the one setting you cannot skip.

7. You need to decide which local account LAPS will manage. LAPS will not create the account for you, so it must already exist on the managed devices. It can be the built-in Administrator account (not recommended) or a custom local administrator account (recommended). If you do use the built-in Administrator, leave Name of administrator account to manage unset: LAPS locates that account by its well-known RID (500) even if it has been renamed, and you should not specify its name in the policy.

There are many ways to create a new local user account and add it to the local Administrators group, although I will not cover specifics in this post, some options include:

  • Group Policy Preferences
  • Net Logon Script
  • Group Policy Script
  • Intune
  • Manually
  • Remote PowerShell script
  • 3rd Party RMM Tools
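As an added example that is not part of the original post, here is the "Remote PowerShell script" option from the list above: a script that creates the custom local administrator account for LAPS to manage, intended to be run elevated on each workstation (for example via Invoke-Command or your RMM tool). The account name LocalAdmin is an assumption and must match what you later put in Name of administrator account to manage.

```powershell
# Added example (not from the original post): create the LAPS-managed local
# admin account on a workstation. Run elevated. Idempotent, so it is safe to
# run repeatedly from an RMM or a scheduled Invoke-Command.
$Name = 'LocalAdmin'   # assumed; keep in sync with "Name of administrator account to manage"

# Do not recreate (and re-key) an account that already exists.
$user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
if (-not $user) {
    # Seed with a random password from the OS CSPRNG. LAPS replaces it on its
    # first policy run, so the seed is never recorded anywhere.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $seed = [Convert]::ToBase64String($bytes)
    $user = New-LocalUser -Name $Name `
        -Password (ConvertTo-SecureString $seed -AsPlainText -Force) `
        -Description 'LAPS-managed local administrator' `
        -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword
}

# Add it to the local Administrators group by well-known SID (S-1-5-32-544)
# so the script also works on non-English builds where the group has a
# different display name.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'
$isMember = [bool](Get-LocalGroupMember -Group $admins -ErrorAction SilentlyContinue |
                   Where-Object { $_.SID -eq $user.SID })
if (-not $isMember) {
    Add-LocalGroupMember -Group $admins -Member $user
}

# Report the result, including the state of the built-in RID 500 Administrator,
# so you know whether it still needs to be disabled once the custom account works.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
[pscustomobject]@{
    ManagedAccount      = $user.Name
    Enabled             = (Get-LocalUser -Name $Name).Enabled
    InAdministrators    = [bool](Get-LocalGroupMember -Group $admins | Where-Object { $_.SID -eq $user.SID })
    BuiltinAdminEnabled = $builtin.Enabled
}
```

The seed password is deliberately thrown away: the only password that should ever matter for this account is the one LAPS writes to the directory after the policy applies.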

8. Once you have decided which account to use, configure the Name of administrator account to manage setting with that account's name (custom account only, as explained above).

The final two settings to configure are:

  • Password settings
  • Do not allow password expiration time longer than required by policy

The Password settings policy defines the password complexity, password length and password age (the number of days after which LAPS rotates the password). Do not allow password expiration time longer than required by policy ensures that an administrator cannot push the expiration out beyond the policy's password age: if the device finds an expiration time in the directory that is later than the policy allows, it rotates the password immediately and sets a new expiration according to the policy. For example, with a password age of 1 day, a user who sets the expiration to 5 days simply triggers a rotation, and the new expiration is 1 day out.

9. You have now configured LAPS! Restart the end-user device while it is on the domain network, or run gpupdate /force followed by Invoke-LapsPolicyProcessing on it, and the password will be rotated and written to Active Directory.
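As an added example that is not part of the original post, the following script performs the whole server-side part of the steps above in one re-runnable PowerShell session on a domain controller, including building and linking the GPO without the editor. The domain, OU distinguished name, group names, GPO name and managed account name are assumptions; the registry value names are the ones the LAPS ADMX writes under HKLM\Software\Microsoft\Policies\LAPS (compare them against the settings in your policy editor if in doubt).

```powershell
# Added example (not from the original post): end-to-end Windows LAPS
# deployment for an on-premises Active Directory. Run in an elevated PowerShell
# on a domain controller as a member of Schema Admins (schema step) and
# Domain Admins (everything else). Every value below is an assumption.
#Requires -Modules LAPS, ActiveDirectory, GroupPolicy

$OuDn        = 'OU=ourcloudnetwork,DC=contoso,DC=local'        # assumed DN; a DN is never ambiguous, a bare OU name can be
$NetBios     = (Get-ADDomain).NetBIOSName
$ReaderGroup = "$NetBios\Workstation Admins"                    # may read passwords
$ResetGroup  = "$NetBios\Helpdesk"                              # assumed group; may force rotations, not read
$GpoName     = 'Windows LAPS - Workstations'                    # assumed
$ManagedAcct = 'LocalAdmin'                                     # custom local admin created on the clients beforehand

# 1. Extend the schema once per forest. -Confirm:$false skips the Y/A prompt;
#    the cmdlet is idempotent and just reports "already present" on re-runs.
Update-LapsADSchema -Confirm:$false -Verbose

# 2. Let each computer object under the OU write its own msLAPS-* attributes.
Set-LapsADComputerSelfPermission -Identity $OuDn

# 3. Delegate reading the password and forcing a rotation to different groups;
#    both rights are inherited by the Computers sub-OU.
Set-LapsADReadPasswordPermission  -Identity $OuDn -AllowedPrincipals $ReaderGroup
Set-LapsADResetPasswordPermission -Identity $OuDn -AllowedPrincipals $ResetGroup

# 4. Check who ended up with the extended rights on the OU.
Find-LapsADExtendedRights -Identity $OuDn | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 5. Build the GPO. The settings under Computer Configuration > Administrative
#    Templates > System > LAPS are registry policy values (names assumed to
#    match the LAPS ADMX).
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
$settings = @{
    BackupDirectory                     = @{ Type = 'DWord';  Value = 2 }            # 2 = Active Directory, 1 = Azure AD, 0 = disabled
    AdministratorAccountName            = @{ Type = 'String'; Value = $ManagedAcct } # omit to manage the built-in RID 500 account
    PasswordComplexity                  = @{ Type = 'DWord';  Value = 4 }            # upper + lower + digits + specials
    PasswordLength                      = @{ Type = 'DWord';  Value = 20 }
    PasswordAgeDays                     = @{ Type = 'DWord';  Value = 30 }
    PasswordExpirationProtectionEnabled = @{ Type = 'DWord';  Value = 1 }            # "Do not allow password expiration time longer than required by policy"
}
foreach ($name in $settings.Keys) {
    $s = $settings[$name]
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $name -Type $s.Type -Value $s.Value | Out-Null
}

# 6. Link the GPO to the OU unless a link already exists.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 7. Verify from a managed client (on the domain network) without reading the
#    secret: force a policy run, then confirm the expiration attribute is set.
#    A populated msLAPS-PasswordExpirationTime proves the device wrote its password.
# Invoke-Command -ComputerName PC01 -ScriptBlock { Invoke-LapsPolicyProcessing -Verbose }
Get-ADComputer -Filter * -SearchBase $OuDn -Properties 'msLAPS-PasswordExpirationTime' |
    Select-Object Name, @{ n = 'LapsExpires'; e = {
        if ($_.'msLAPS-PasswordExpirationTime') { [DateTime]::FromFileTime($_.'msLAPS-PasswordExpirationTime') } else { 'not yet backed up' }
    } }
```

The split between the reader group and the reset group is deliberate: a helpdesk that only needs to force a fresh password before handing a device back does not need the right to read the current one.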

How to retrieve LAPS password with the GUI

To retrieve the Windows LAPS password for a computer you can do so directly through Active Directory Users and Computers.

1. Open ADUC and double-click on the computer account you want to retrieve the password for.

2. Select the LAPS tab, then select Show password.


How to retrieve LAPS password with PowerShell

A simpler solution for some may be to use PowerShell to retrieve a computer’s LAPS password. 

1. Start by opening PowerShell.

2. Run the following command and specify your target desktop name.

Get-LapsADPassword -Identity <TargetComputerName> -AsPlainText

The output is one object per computer containing the managed account name (Account), the password in clear text (Password), when it was last set (PasswordUpdateTime), when it expires (ExpirationTimestamp) and whether it was read from the clear-text or the encrypted attribute (Source). Without -AsPlainText the password is returned as a SecureString.
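As an added example that is not part of the original post, here is a helpdesk retrieve-then-rotate workflow in PowerShell built around the retrieval cmdlet above. Reading the password is only half of a safe process: once it has been used for a support session it should be expired so that the device generates a fresh one, which is what Set-LapsADPasswordExpirationTime is for. The computer name PC01 and the OU distinguished name are assumptions, and the caller must hold the read and reset rights delegated earlier.

```powershell
# Added example (not from the original post): retrieve a LAPS password for a
# support session, then expire it so the device rotates it on its next policy
# run. Assumes the caller has both the read and the reset right on the OU.
#Requires -Modules LAPS, ActiveDirectory

function Get-LapsSessionPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Get-LapsADPassword returns one object per computer; keep only the fields
    # the helpdesk needs, so nothing else leaks into transcripts.
    $entry = Get-LapsADPassword -Identity $ComputerName -AsPlainText | Select-Object -First 1
    [pscustomobject]@{
        Computer = $entry.ComputerName
        Account  = $entry.Account
        Password = $entry.Password
        Expires  = $entry.ExpirationTimestamp
        Source   = $entry.Source            # clear-text or encrypted attribute
    }
}

function Invoke-LapsPostUseRotation {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Setting the expiration to "now" is the supported way to force a rotation:
    # the device sees the expired timestamp at its next policy processing,
    # generates a new password and writes it back. Needs the reset right only.
    Set-LapsADPasswordExpirationTime -Identity $ComputerName -WhenEffective (Get-Date)
    # Return the expiration now stored on the object (a FILETIME) as a DateTime.
    $raw = (Get-ADComputer -Identity $ComputerName -Properties 'msLAPS-PasswordExpirationTime').'msLAPS-PasswordExpirationTime'
    [DateTime]::FromFileTime($raw)
}

$session = Get-LapsSessionPassword -ComputerName 'PC01'      # PC01 is assumed
$session | Select-Object Computer, Account, Expires, Source  # never write the password itself to a log
# ... use $session.Password for the support session ...
Invoke-LapsPostUseRotation -ComputerName 'PC01'

# Optional, run once by an admin: audit every read of the password attribute on
# the OU. This writes a SACL; reads then surface as event 4662 on the DC once
# "Audit Directory Service Access" is enabled. OU DN is assumed.
# Set-LapsADAuditing -Identity 'OU=ourcloudnetwork,DC=contoso,DC=local' -AuditedPrincipals 'Everyone' -AuditType Success
```

The rotation only takes effect when the device next processes policy, so the old password remains valid until then; treat the returned expiration as "rotation pending", not as proof that the password has already changed.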

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 4 Comments

  1. Miles

    Great article – thank you! I have installed and used LAPS in the past but had never set it up here. I followed the steps above and have run gpupdate, etc. But, my computer accounts are not setting the password value.

  2. Miles

    Never mind. It took a while but is now working…

  3. Michael

    So I was following your guide and got all the way to the part of creating a GPO, and when I open my GPMC and drill down to SYSTEM, LAPS is not there.

  4. Michael

    Figured it out, this can be ignored. Would like to see an update to this article however and show how to set this up in Endpoint Manager\Intune.
