Local Admin Passwords

What do you do with your local administrator passwords? Spreadsheet on a share or are the passwords the same or are they disabled???

LAPS from Microsoft maybe the answer. Its a small program and some GPO settings, I'll cover the other bits in a moment, don't want to scare you off. Its not that bad

Firstly download LAPS from the Microsoft site

Copy the file to the Domain Controller and ensure that the account you are logged on with has 'Schema Admin'.

Install only the Management Tools.

As its a DC you wish not to install the 'Fat Client UI', but as its a Schema update I would always perform these on a DC directly for those just in case of moments.

Open Powershell and run the following command after seeking approval.


SELF will need updating on the OU's for your workstations and servers.

Add SELF as the Security Principal

Select 'Write ms-Mcs-AdmPwd

Now change the GPO settings on the OU's

The default is 14 characters but I would go higher and set above 20

Install LAPS on a client and select only the AdmPwd GPO Extension

On the Domain Controller open the LAPS UI and search and Set a client.

Once the password has reset open the properties of the client and check the ms-Mcs-AdmPwd for the new password of the client. Now every 30 days the local Admin password will be updated and unique.

Deploy the client with ConfigMgr to remaining estate

By default Domain Admin have access to read the password attribute and this can be delegated to a Security Group.

9 views0 comments