
Managing Local Admin Passwords with LAPS

Updated: Aug 18, 2025

How are you managing your local administrator passwords? Are they stored in a spreadsheet on a network share, or worse, is the same password used everywhere?


Microsoft LAPS (Local Administrator Password Solution, the legacy "AdmPwd" package this post walks through) could be the answer. LAPS is a lightweight tool that, with a few simple GPO settings, automatically randomizes the local administrator password on every domain-joined machine and stores it in Active Directory. Each client and server ends up with a unique, centrally managed password, removing the need for spreadsheets or manual updates.


Download LAPS from the Microsoft site


Copy the installer to a Domain Controller and make sure the account you are logged on with is a member of 'Schema Admins' (needed for the schema extension) and 'Domain Admins' (needed for the OU permission changes later).


Install only the Management Tools (the PowerShell module and the GPO Editor templates). As it's a DC, the 'Fat Client UI' is optional; the AdmPwd GPO Extension is not needed here.


Schema updates should always be performed on a DC directly.

Open PowerShell and, after seeking change approval, run the following command. It adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class:

Import-Module AdmPwd.PS
Update-AdmPwdSchema

The computer objects must be able to write their own password, so the ACL on the OUs holding your workstations and servers needs updating for SELF.

Add SELF as the Security Principal.

Grant 'Write ms-Mcs-AdmPwd' and also 'Write ms-Mcs-AdmPwdExpirationTime'; without the second attribute the client cannot record when the password is due to rotate and the password will never change.

Now create or edit the GPO linked to those OUs. Under Computer Configuration > Administrative Templates > LAPS, set 'Enable local admin password management' to Enabled and configure 'Password Settings' (complexity, length and age). If the account you manage has been renamed, also set 'Name of administrator account to manage'.

The default length is 14 characters, but I would go higher and set it above 20.

Install LAPS on a client and select only the 'AdmPwd GPO Extension' (the client-side extension that does the actual rotation).

On the Domain Controller open the LAPS UI, search for the client and click 'Set'. This sets the expiration time in the past, so the client rotates the password at its next Group Policy refresh.

Once the password has been reset, open the properties of the computer object and check the ms-Mcs-AdmPwd attribute for the new password. From now on the local Administrator password will be regenerated automatically every 30 days (the default password age) and will be unique to that machine.


Deploy the client with ConfigMgr to the remaining estate.

By default Domain Admins can read the password attribute, and read access can be delegated to a Security Group. AND.....this is the warning.....ms-Mcs-AdmPwd is a confidential attribute, and confidential attributes are readable by any principal holding 'All extended rights' on the computer objects. Any earlier delegation for computer management that granted 'All extended rights' (a common shortcut) can therefore read every local admin password in that OU, whether or not you intended it to. Audit the OUs for such principals before you trust the delegation model.
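The whole server-side procedure above (schema, SELF permission, read/reset delegation, the extended-rights audit and a test rotation) as one PowerShell script. This is an added example, not code from the original post; it uses the cmdlets shipped in the legacy AdmPwd.PS module. The OU distinguished names, the group names, the domain 'CORP' and the computer name 'WKS001' are placeholder assumptions and must be replaced with your own values. Run it on a DC as a member of Schema Admins (for the schema step) and Domain Admins.

```powershell
# Added example: legacy LAPS (AdmPwd) setup and audit. Not the post's own code.
# OU DNs, group names, domain name and computer name below are placeholder assumptions.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ous          = @('OU=Workstations,DC=corp,DC=example', 'OU=Servers,DC=corp,DC=example')
$ReadersGroup = 'CORP\LAPS-Password-Readers'    # assumed group
$ResetGroup   = 'CORP\LAPS-Password-Resetters'  # assumed group
$TestComputer = 'WKS001'                        # assumed pilot machine
$ExpectedHolders = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')

# 1. Extend the schema once (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
Update-AdmPwdSchema

foreach ($ou in $Ous) {
    # 2. Let each computer (SELF) write its own password AND expiry time.
    #    This cmdlet grants both attributes; a manual ACL that only covers
    #    ms-Mcs-AdmPwd leaves the password stuck at its first value.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 3. Delegate read and reset to dedicated groups rather than relying on Domain Admins.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $ReadersGroup
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $ResetGroup

    # 4. Audit: anyone holding "All extended rights" on these computer objects can
    #    read the confidential ms-Mcs-AdmPwd attribute regardless of step 3.
    $unexpected = Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $_ -notin $ExpectedHolders } |
            ForEach-Object { [pscustomobject]@{ ObjectDN = $dn; Holder = $_ } }
    }
    if ($unexpected) {
        Write-Warning "Principals able to read LAPS passwords under $ou (review and remove):"
        $unexpected | Format-Table -AutoSize
    }
}

# 5. Expire the pilot machine's password (same effect as 'Set' in the LAPS UI).
Reset-AdmPwdPassword -ComputerName $TestComputer

# 6. After the client's next policy refresh (or 'gpupdate /force' on it), read the result.
$pw = Get-AdmPwdPassword -ComputerName $TestComputer
'{0}: password length {1}, next rotation {2}' -f $pw.ComputerName, $pw.Password.Length, $pw.ExpirationTimestamp

# 7. The same data straight from the attributes; the expiry is a 64-bit Windows FILETIME.
$c = Get-ADComputer -Identity $TestComputer -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$expires = [DateTime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
'Raw attribute: length {0}, rotates at {1:u}' -f $c.'ms-Mcs-AdmPwd'.Length, $expires

# 8. On the client itself, confirm the GPO extension actually received the policy
#    (legacy LAPS policy key). AdmPwdEnabled should be 1 and PasswordLength >= 20.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' |
    Select-Object AdmPwdEnabled, PasswordLength, PasswordAgeDays, PasswordComplexity, AdminAccountName
```

Step 4 is the check that matters most in practice: run it again whenever a new delegation is added to these OUs, because a helpdesk delegation created months later with 'All extended rights' silently becomes a password reader. Step 8 runs on the client, not the DC; if the key is missing, the CSE is not installed or the GPO is not linked to the computer's OU.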
