How to Set Up Windows Server 2016 LAPS Local Administrator Password Solution

The Local Administrator Password Solution (LAPS) solves one of the most common lateral movement problems in Windows environments: all domain-joined computers sharing the same local administrator password. When every machine has the same local admin credentials, a single compromised system can be used to access every other machine through pass-the-hash or direct credential use. LAPS automatically manages and rotates the local Administrator password on each domain-joined computer, storing it securely in Active Directory.

How LAPS Works

LAPS uses a Group Policy Client Side Extension (CSE) installed on each managed computer. The CSE periodically checks the current password’s age and, when it expires, generates a new random password, sets it on the local Administrator account, and stores the encrypted password as an attribute on the computer object in Active Directory. Authorized users or groups can read the password from AD.

Step 1: Download and Install LAPS

Download LAPS from Microsoft (LAPS.x64.msi). Install it on a management workstation with the management tools and the AdmPwd.PS PowerShell module:

msiexec /i LAPS.x64.msi ADDLOCAL=Management.UI,Management.PS,Management.ADMX /quiet

On managed computers, install only the CSE component:

msiexec /i LAPS.x64.msi /quiet

Step 2: Extend the Active Directory Schema

LAPS adds two new attributes to computer objects, ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime (when it next rotates). Extend the schema from a machine whose logged-on account is a member of Schema Admins:

Import-Module AdmPwd.PS
Update-AdmPwdADSchema

Verify the new attributes exist:

Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=corp,DC=local" -Filter {name -like "ms-Mcs-Adm*"} | Select-Object Name

Step 3: Configure AD Permissions

Each managed computer writes its own password and expiration time to AD but cannot read the password back. Grant that self-write permission on the OU containing the managed computers:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=ManagedComputers,DC=corp,DC=local"

Grant a group (e.g., HelpDesk) the ability to read passwords:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=ManagedComputers,DC=corp,DC=local" -AllowedPrincipals "CORP\HelpDesk"

Grant a group the ability to force a password reset:

Set-AdmPwdResetPasswordPermission -OrgUnit "OU=ManagedComputers,DC=corp,DC=local" -AllowedPrincipals "CORP\HelpDesk","CORP\Desktop-Admins"

Step 4: Verify Permissions

Find-AdmPwdExtendedRights -Identity "OU=ManagedComputers,DC=corp,DC=local" | Format-Table ObjectDN, ExtendedRightHolders
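The principals listed by Find-AdmPwdExtendedRights hold "All extended rights" on the OU, which is exactly what allows reading ms-Mcs-AdmPwd, so anything on that list that was never deliberately granted is a finding. The following is an added example, not part of the original article, that compares the holders on each managed OU against an allow-list; the OU names and the allow-list entries are placeholders for the corp.local lab.

```powershell
# Added example (not from the original article): audit which principals hold
# "All extended rights" on the managed OUs, i.e. who can read LAPS passwords.
# Assumptions: the OU DNs and the allow-list below are lab placeholders.
Import-Module AdmPwd.PS

$managedOUs = @(
    "OU=ManagedComputers,DC=corp,DC=local"
)

# Principals that are expected to be able to read LAPS passwords.
# Domain Admins and SYSTEM hold the right through the default OU ACL;
# every other entry should correspond to a deliberate Set-AdmPwdReadPasswordPermission grant.
$expectedHolders = @(
    "NT AUTHORITY\SYSTEM",
    "CORP\Domain Admins",
    "CORP\HelpDesk"
)

$findings = @()
foreach ($ou in $managedOUs) {
    # Each result row is one container (the OU itself and any child OUs) with its right holders.
    Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
        $objectDN = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($expectedHolders -notcontains $holder) {
                Write-Warning "Unexpected LAPS password reader on ${objectDN}: $holder"
                $findings += [PSCustomObject]@{ ObjectDN = $objectDN; Holder = $holder }
            }
            else {
                Write-Output "OK  ${objectDN}: $holder"
            }
        }
    }
}

# Keep the exceptions for follow-up; an empty file means the ACLs match the intended design.
$findings | Export-Csv -Path .\laps-unexpected-readers.csv -NoTypeInformation
```

Run this after Step 3 and again periodically: an OU that was delegated to a legacy admin group years ago will show that group as a reader of every LAPS password beneath it, and that is easy to miss by inspecting the ACL in the GUI.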

Step 5: Deploy LAPS via Group Policy

Create a new GPO and configure LAPS settings. After installing the management tools, LAPS ADMX templates are available in the policy editor at:

Computer Configuration > Administrative Templates > LAPS

Configure the following settings:

  • “Enable local admin password management” — Enabled
  • “Password Settings” — Complexity: Large letters + small letters + numbers + special characters, Length: 14, Age: 30 days
  • “Name of administrator account to manage” — Leave blank to manage the built-in Administrator (SID S-1-5-21-*-500)
  • “Do not allow password expiration time longer than required by policy” — Enabled

To test on a single computer without a GPO, set the same values directly under the policy key the CSE reads (HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd):

$lapsKey = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd"
New-Item -Path $lapsKey -Force | Out-Null
Set-ItemProperty -Path $lapsKey -Name "AdmPwdEnabled" -Value 1 -Type DWord
# 4 = large letters + small letters + numbers + special characters
Set-ItemProperty -Path $lapsKey -Name "PasswordComplexity" -Value 4 -Type DWord
Set-ItemProperty -Path $lapsKey -Name "PasswordLength" -Value 14 -Type DWord
Set-ItemProperty -Path $lapsKey -Name "PasswordAgeDays" -Value 30 -Type DWord
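For the production rollout the same registry values belong in the GPO rather than on individual machines. The following is an added example, not part of the original article or the LAPS product, that creates the GPO from PowerShell with the GroupPolicy module and writes the four settings listed above plus the expiration-protection setting; the GPO name and the target OU are placeholders.

```powershell
# Added example (not from the original article): build the LAPS GPO with the settings
# the article lists, then link it to the OU that holds the managed computers.
# Assumptions: the GPO name and target OU DN are lab placeholders.
Import-Module GroupPolicy

$gpoName  = "LAPS - Managed Computers"
$targetOU = "OU=ManagedComputers,DC=corp,DC=local"
$lapsKey  = "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Local administrator password management (LAPS)"
}

# Value names match the AdmPwd ADMX template:
#   AdmPwdEnabled                  1  = enable local admin password management
#   PasswordComplexity             4  = large + small letters, numbers, special characters
#   PasswordLength                 14 = password length
#   PasswordAgeDays                30 = maximum password age
#   PwdExpirationProtectionEnabled 1  = do not allow expiration time longer than policy
$settings = [ordered]@{
    AdmPwdEnabled                  = 1
    PasswordComplexity             = 4
    PasswordLength                 = 14
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# Link the GPO to the managed OU; skip if it is already linked so the script can be re-run.
$alreadyLinked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# Read back what was written so the result can be checked before the next GP refresh.
Get-GPRegistryValue -Name $gpoName -Key $lapsKey | Select-Object ValueName, Type, Value
```

Leaving AdminAccountName unset keeps the built-in RID 500 Administrator as the managed account, which is what the "Name of administrator account to manage" setting above means by leaving the field blank.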

Step 6: Retrieve a Managed Computer’s Password

From a machine with read permissions:

Get-AdmPwdPassword -ComputerName "Workstation01" | Select-Object ComputerName, Password, ExpirationTimestamp

Or using standard AD PowerShell:

Get-ADComputer -Identity "Workstation01" -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime | Select-Object Name, "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"

Step 7: Force an Immediate Password Reset

Reset-AdmPwdPassword -ComputerName "Workstation01"

This sets the expiration time to a past date. The next Group Policy refresh on the computer will trigger an immediate password rotation.
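Once the GPO is applying, the question that matters operationally is which computers LAPS has actually taken over. The following is an added example, not part of the original article, that reports coverage for the managed OU using only ms-Mcs-AdmPwdExpirationTime, so the report never reads the password attribute itself and needs no password-read permission; the OU name and the 30-day maximum age are the article's lab values.

```powershell
# Added example (not from the original article): LAPS coverage report for one OU.
# Only the expiration timestamp is read, never ms-Mcs-AdmPwd, so any account that can
# read computer objects can run this without being able to see passwords.
# Assumptions: the OU DN and the 30-day maximum age are the article's lab values.
Import-Module ActiveDirectory

$managedOU  = "OU=ManagedComputers,DC=corp,DC=local"
$maxAgeDays = 30
$now        = (Get-Date).ToUniversalTime()

$computers = Get-ADComputer -SearchBase $managedOU -Filter * `
    -Properties ms-Mcs-AdmPwdExpirationTime, LastLogonDate

$report = foreach ($c in $computers) {
    $raw    = $c.'ms-Mcs-AdmPwdExpirationTime'
    $expiry = $null
    if ($raw) {
        # The attribute is a large integer in FILETIME format (100 ns ticks since 1601-01-01 UTC).
        $expiry = [DateTime]::FromFileTimeUtc([int64]$raw)
    }

    if (-not $raw)                                  { $state = 'NEVER-MANAGED' }         # CSE has never written a password
    elseif ($expiry -lt $now)                       { $state = 'EXPIRED' }               # rotation overdue, or a reset is pending
    elseif ($expiry -gt $now.AddDays($maxAgeDays))  { $state = 'EXPIRY-BEYOND-POLICY' }  # timestamp pushed past the 30-day policy
    else                                            { $state = 'OK' }

    [PSCustomObject]@{
        Name          = $c.Name
        Enabled       = $c.Enabled
        State         = $state
        ExpiresUtc    = $expiry
        LastLogonDate = $c.LastLogonDate
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# Keep the exceptions for follow-up. An enabled, recently logged-on computer that stays
# EXPIRED or NEVER-MANAGED usually means the CSE is not installed or the GPO is not applying;
# EXPIRY-BEYOND-POLICY means something other than the CSE wrote the timestamp, which the
# "Do not allow password expiration time longer than required by policy" setting is meant to stop.
$report | Where-Object { $_.State -ne 'OK' } | Export-Csv -Path .\laps-coverage.csv -NoTypeInformation
```

Immediately after Reset-AdmPwdPassword a computer shows as EXPIRED until its next Group Policy refresh; it should return to OK once the CSE has rotated the password and written a fresh timestamp.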

Summary

LAPS eliminates the shared local administrator password problem at the core of many lateral movement attacks. By uniquely randomizing and rotating the local admin password on every managed computer and storing it securely in Active Directory with RBAC-controlled access, LAPS significantly limits an attacker’s ability to move laterally even after compromising a single endpoint. It is a foundational security control that every Active Directory environment should deploy.