How to Deploy Microsoft LAPS


Tutorial on how to deploy Microsoft LAPS (Local Administrator Password Solution), which provides the following:

  • Set a unique, randomly generated local Administrator password for each machine
  • Automatically change the local Administrator password every X days
  • View the local Administrator password from a central location (Active Directory)

Install LAPS Management Tools

  1. Download Local Administrator Password Solution (LAPS)
  2. Install only the Management Tools on the AD Domain Controller – uncheck the AdmPwd GPO Extension (the client-side extension is only needed on managed computers)


Extend AD Schema

Extend the AD Schema by adding the following two attributes to the computer class (this requires Schema Admins membership):

  • ms-MCS-AdmPwd – Stores the password in clear text
  • ms-Mcs-AdmPwdExpirationTime – Stores the password expiration time.

# Import the LAPS PowerShell module (installed with the Management Tools) and extend the schema
Import-Module AdmPwd.PS
Update-AdmPwdADSchema

Operation            DistinguishedName                                                 Status
---------            -----------------                                                 ------
AddSchemaAttribute   cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=A... Success
AddSchemaAttribute   cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=AventisLab,DC=l... Success
ModifySchemaClass    cn=computer,CN=Schema,CN=Configuration,DC=AventisLab,DC=local     Success

Delegate Right to Computer objects

Delegate the right that allows each computer object to write to its own ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes, scoped to an OU

$OU = "OU=UAT,DC=AventisLab,DC=local"
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

Verify that Domain Admins is assigned the right to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU); the output lists every holder of that extended right, so check that no unexpected group appears

Find-AdmPwdExtendedRights -identity:$OU | Format-Table ExtendedRightHolders


Deploying LAPS with GPO

Deploy LAPS.x64.msi to computers with Group Policy (GPO)

Group Policy

Configure the policies for LAPS under Computer Configuration – Administrative Templates – LAPS

Alternatively, configure the policies for LAPS with PowerShell (the GroupPolicy module is required; $GPO holds the name of the GPO linked to the UAT OU)

# Name of the GPO linked to the UAT OU (placeholder – replace with your own GPO name)
$GPO = "<LAPS GPO name>"

# Do not allow password expiration time longer than required by policy
Set-GPRegistryValue -Name $GPO -Key "SOFTWARE\Policies\Microsoft Services\AdmPwd" `
    -ValueName "PwdExpirationProtectionEnabled" -Type DWord -Value 1

# Enable Local Admin Password Management
Set-GPRegistryValue -Name $GPO -Key "SOFTWARE\Policies\Microsoft Services\AdmPwd" `
    -ValueName "AdmPwdEnabled" -Type DWord -Value 1

# Password Complexity: 4 = large letters + small letters + numbers + special characters
Set-GPRegistryValue -Name $GPO -Key "SOFTWARE\Policies\Microsoft Services\AdmPwd" `
    -ValueName "PasswordComplexity" -Type DWord -Value 4

# Password Length = 15 characters (0x0000000f)
Set-GPRegistryValue -Name $GPO -Key "SOFTWARE\Policies\Microsoft Services\AdmPwd" `
    -ValueName "PasswordLength" -Type DWord -Value 15

# Password Age Days = 30 days (0x0000001e)
Set-GPRegistryValue -Name $GPO -Key "SOFTWARE\Policies\Microsoft Services\AdmPwd" `
    -ValueName "PasswordAgeDays" -Type DWord -Value 30


Reboot the computers located in the UAT OU (or run gpupdate /force on them) to apply the GPO

Verify that the local Administrator password of the computer has been set by LAPS

PS C:\> Get-AdmPwdPassword -ComputerName UAT-WIN16

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
UAT-WIN16            CN=UAT-WIN16,OU=UAT,DC=AventisLab,DC=local    H./4z+,e4[7$Pa)    4/6/2020 4:50:40 PM
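Once the GPO has applied, two things are worth checking across the whole OU rather than one computer at a time: who holds the right to read ms-MCS-AdmPwd in each OU beneath the target, and which computers have never received a LAPS password or are holding an expired one. The following audit script is an added example, not part of the original tutorial; it assumes the AdmPwd.PS and ActiveDirectory modules are installed on the management host and reuses the tutorial's UAT OU.

```powershell
# Added example: audit LAPS read delegation and deployment coverage for an OU subtree.
# Assumes AdmPwd.PS and ActiveDirectory modules; the running account only needs to read
# ms-Mcs-AdmPwdExpirationTime, not the password itself.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$SearchBase = "OU=UAT,DC=AventisLab,DC=local"   # OU from the tutorial; change to your target OU

# 1. Who can read LAPS passwords in this OU and every OU beneath it?
#    Any holder other than the intended group (here, Domain Admins) deserves a second look.
$ouList = Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter *
foreach ($ou in $ouList) {
    $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName
    "{0}`n  readers: {1}" -f $ou.DistinguishedName, ($rights.ExtendedRightHolders -join ', ')
}

# 2. Deployment coverage: no expiration time means the computer has never had a LAPS
#    password set (agent not installed or GPO not applied); an expiration time in the
#    past means the agent has stopped rotating the password.
$now       = [DateTime]::UtcNow
$computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        $state = 'NoLapsPassword'; $expires = $null
    } else {
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)   # attribute is stored as a Windows FILETIME
        $state   = if ($expires -lt $now) { 'Expired' } else { 'OK' }
    }
    [pscustomobject]@{ Computer = $c.Name; State = $state; ExpiresUtc = $expires }
}
$report | Sort-Object State, Computer | Format-Table -AutoSize
```

Computers reported as NoLapsPassword or Expired still have whatever local Administrator password they had before LAPS, so they are the ones to follow up on first.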

