How to Set Up LAPS (Local Administrator Password Solution) on Windows Server 2012 R2

The Local Administrator Password Solution (LAPS) solves one of the most persistent security problems in Windows environments: the use of identical local administrator passwords across all computers. When every machine shares the same local admin password, an attacker who obtains that password through any one compromised machine can use it to move laterally across the entire domain. LAPS provides automatic, random password generation and management for the local Administrator account, storing the password securely in Active Directory and rotating it on a configurable schedule. This guide covers deploying LAPS in a Windows Server 2012 R2 Active Directory environment.

Prerequisites

LAPS requires Active Directory Domain Services with at least Windows Server 2003 schema level. The LAPS MSI installer must be downloaded from the Microsoft Download Center (LAPS.x64.msi or LAPS.x86.msi). Schema Admins rights are required to extend the AD schema (a one-time operation). Domain Admins rights are required to configure AD permissions. The LAPS Group Policy template must be installed to configure settings via GPO. LAPS client software must be deployed to all managed computers, which can be done via GPO software deployment, SCCM, or manual installation.

Extending the Active Directory Schema

LAPS adds two new attributes to AD computer objects to store the password and expiration time. Schema extension must be performed once per forest:

# Install the LAPS management tools on the Schema Admin workstation first
# Run the LAPS MSI and select "Management Tools" component
# Then extend the schema:

# Import the LAPS PowerShell module
Import-Module AdmPwd.PS

# Extend the AD schema (requires Schema Admins membership)
Update-AdmPwdADSchema

Verify the schema was extended by checking for the new attributes:

# Verify the two new AD attributes exist
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter {name -eq "ms-Mcs-AdmPwd"} | Select-Object Name, DistinguishedName

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter {name -eq "ms-Mcs-AdmPwdExpirationTime"} | Select-Object Name, DistinguishedName

Configuring Active Directory Permissions

LAPS requires specific AD permissions configured on the computer OUs. Computer accounts need self-write permission to update their own password attributes:

# Grant computers in an OU permission to write their own LAPS password attributes
# Replace "OU=Servers,DC=domain,DC=com" with your actual OU path

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Servers,DC=domain,DC=com"
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=domain,DC=com"

# Apply recursively to all child OUs
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Servers,DC=domain,DC=com" | 
    ForEach-Object { Set-AdmPwdComputerSelfPermission -OrgUnit $_.DistinguishedName }

By default, Domain Admins can read the LAPS password. Grant specific helpdesk groups read access while restricting others:

# Grant the "Helpdesk" group permission to read LAPS passwords in the workstation OU
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=domain,DC=com" `
    -AllowedPrincipals "DOMAIN\Helpdesk"

# Grant server team read access to server passwords
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Servers,DC=domain,DC=com" `
    -AllowedPrincipals "DOMAIN\ServerTeam"

# Grant specific group permission to force a password reset
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Workstations,DC=domain,DC=com" `
    -AllowedPrincipals "DOMAIN\Helpdesk"

Remove unauthorized access — by default all Authenticated Users can read computer attributes, which would expose LAPS passwords. Restrict the ms-Mcs-AdmPwd attribute:

# Find which accounts have read access to LAPS passwords in an OU
Find-AdmPwdExtendedRights -OrgUnit "OU=Servers,DC=domain,DC=com"

# Remove read access from Authenticated Users if present
# This must be done through ADSIEDIT or the AD Users and Computers advanced view
# on the OU, removing the Allow: Read ms-Mcs-AdmPwd permission for Authenticated Users
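Added example (not part of the original guide): a check that lists every principal holding "All extended rights" on the LAPS OUs and flags any that is not on an explicit allowlist, so stale delegations are caught before the first password is written. The OU paths, group names and the allowlist itself are placeholders taken from this guide.

```powershell
# Added example: audit who can read LAPS passwords under each OU
Import-Module AdmPwd.PS

# Principals expected to be able to read passwords (assumed list); anything else is reviewed
$Allowed = @(
    "NT AUTHORITY\SYSTEM",
    "DOMAIN\Domain Admins",
    "DOMAIN\Enterprise Admins",
    "DOMAIN\Helpdesk",
    "DOMAIN\ServerTeam"
)
$Scopes = "OU=Servers,DC=domain,DC=com", "OU=Workstations,DC=domain,DC=com"

$Report = foreach ($ou in $Scopes) {
    # Find-AdmPwdExtendedRights reports, per OU, the holders of "All extended rights",
    # the permission that unlocks the confidential ms-Mcs-AdmPwd attribute
    Find-AdmPwdExtendedRights -OrgUnit $ou | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in @($_.ExtendedRightHolders)) {
            [pscustomobject]@{
                ObjectDN   = $dn
                Principal  = $holder
                Authorized = [bool]($Allowed -contains $holder)
            }
        }
    }
}

$Report | Sort-Object Authorized, ObjectDN | Format-Table -AutoSize

# Unexpected holders (typically leftovers from earlier delegations) should have
# "All extended rights" removed on that OU via ADSIEdit or the ADUC advanced view
$Report | Where-Object { -not $_.Authorized }
```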

Installing the LAPS Group Policy Template

Copy the LAPS ADMX templates to the Group Policy Central Store:

# The LAPS MSI installs templates to:
# C:\Windows\PolicyDefinitions\AdmPwd.admx
# C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml

# Copy to the domain's Central Store
Copy-Item "C:\Windows\PolicyDefinitions\AdmPwd.admx" `
    "\\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions"

Copy-Item "C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml" `
    "\\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions\en-US"

Configuring LAPS via Group Policy

Create a GPO for LAPS configuration and link it to the OUs containing managed computers. The LAPS settings appear under Computer Configuration > Administrative Templates > LAPS:

# LAPS GPO settings to configure:
#
# "Enable local admin password management" = Enabled
# Without this setting, LAPS does nothing even if installed
#
# "Password Settings":
#   Complexity: Large letters + small letters + numbers + specials (all 4)
#   Length: 20 characters (minimum 15 recommended)
#   Age: 30 days maximum password age
#
# "Name of administrator account to manage":
#   Leave blank to manage the account with RID 500 (recommended)
#   OR specify a custom local admin account name
#
# "Do not allow password expiration time longer than required by policy": Enabled

Deploying the LAPS Client Agent

Deploy the LAPS MSI to all managed computers. The CSE (Client Side Extension) component is all that is needed on managed machines:

# Deploy via GPO Software Installation
# GPO: Computer Configuration > Policies > Software Settings > Software Installation
# Add package: \\FileServer\LAPS\LAPS.x64.msi
# Select "Assigned" deployment method

# OR deploy silently via PowerShell to a list of computers
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=domain,DC=com" |
    Select-Object -ExpandProperty Name

$Computers | ForEach-Object {
    # Stage the MSI on the target first: a remote session cannot forward your
    # credentials to \\FileServer (Kerberos double hop), so installing straight
    # from the UNC path inside Invoke-Command fails with access denied
    Copy-Item "\\FileServer\LAPS\LAPS.x64.msi" "\\$_\C$\Windows\Temp\LAPS.x64.msi"
    Invoke-Command -ComputerName $_ -ScriptBlock {
        # Run the LAPS installer silently; ADDLOCAL=CSE installs only the client extension
        Start-Process msiexec.exe -ArgumentList '/i "C:\Windows\Temp\LAPS.x64.msi" /quiet /norestart ADDLOCAL=CSE' -Wait
    }
}

Retrieving LAPS Passwords

Authorized personnel can retrieve the current local admin password for a specific computer:

# Retrieve the LAPS password for a specific computer (requires read permission)
Get-AdmPwdPassword -ComputerName "Server01"

# Output includes:
# ComputerName    : Server01
# DistinguishedName : CN=Server01,OU=Servers,DC=domain,DC=com
# Password        : Kx9#mP2@qR5!nY7
# ExpirationTimestamp : 6/16/2026 3:00:00 AM

# Get passwords for all servers in an OU
Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=domain,DC=com" |
    ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name } |
    Select-Object ComputerName, Password, ExpirationTimestamp | Format-Table

Force an immediate password reset for a specific computer:

# Schedule immediate password reset at next Group Policy refresh
Reset-AdmPwdPassword -ComputerName "Server01"

# Force GPO update on the target to trigger immediate reset
Invoke-Command -ComputerName Server01 -ScriptBlock { gpupdate /force }

Auditing LAPS Password Access

Enable auditing on the ms-Mcs-AdmPwd attribute to log all password read operations:

# Enable auditing for LAPS password reads via AD DS auditing
# Ensure the "Directory Service Access" advanced audit policy is configured:
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# View audit events (Event 4662: An operation was performed on an object)
# Filter for accesses to ms-Mcs-AdmPwd
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} -MaxEvents 100 |
    Where-Object {$_.Message -like "*ms-Mcs-AdmPwd*"} |
    Select-Object TimeCreated, Message | Format-List
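Added example (not from the original guide): the audit policy above only produces events for objects that carry an audit entry, so this adds the SACL with Set-AdmPwdAuditing and then pulls 4662 events by the schemaIDGUID of ms-Mcs-AdmPwd, because the event records attribute GUIDs rather than names. The OU path and the event count are assumptions.

```powershell
# Added example: make LAPS password reads auditable and report who read what
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Add a Success audit entry for "All extended rights" on the OU; without it,
# "Directory Service Access" auditing never logs a LAPS read
Set-AdmPwdAuditing -OrgUnit "OU=Servers,DC=domain,DC=com" -AuditedPrincipals "Everyone"

# schemaIDGUID is stored as a byte array in the schema partition
$attr = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter {name -eq "ms-Mcs-AdmPwd"} -Properties schemaIDGUID
$AdmPwdGuid = ([guid]$attr.schemaIDGUID).ToString()

function Get-LapsReadEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4662} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Properties lists the GUIDs of the attributes and rights that were accessed
            if ($d['Properties'] -like "*$AdmPwdGuid*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object  = $d['ObjectName']
                    Success = ($_.KeywordsDisplayNames -contains 'Audit Success')
                }
            }
        }
}

# 4662 is written by the domain controller that served the read, so run this on
# (or point Get-WinEvent -ComputerName at) every DC
Get-LapsReadEvents -MaxEvents 1000 | Format-Table -AutoSize
```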

Verification

Verify LAPS is working correctly on managed computers:

# Verify LAPS is installed on a remote computer
# (Win32_Product is slow and triggers an MSI consistency check on every product;
#  testing for the CSE DLL is the cheaper check and is listed first)
Invoke-Command -ComputerName Server01 -ScriptBlock {
    Test-Path "C:\Program Files\LAPS\CSE\AdmPwd.dll"
    Get-WmiObject -Namespace root\cimv2 -Query "SELECT * FROM Win32_Product WHERE Name LIKE 'Local Administrator Password Solution'"
}

# Check if the AD attribute is populated (password is managed by LAPS)
Get-ADComputer -Identity "Server01" -Properties "ms-Mcs-AdmPwd","ms-Mcs-AdmPwdExpirationTime" |
    Select-Object Name, "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"

# Verify password age policy is applied
Get-AdmPwdPassword -ComputerName Server01 | 
    Select-Object ComputerName, ExpirationTimestamp
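Added example (not from the original guide): a coverage report over a whole OU that reads only ms-Mcs-AdmPwdExpirationTime (no password read rights needed) and flags computers LAPS has never managed or whose password is past its expiry. The OU path and the staleness threshold are assumptions.

```powershell
# Added example: which computers in an OU are actually under LAPS management?
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string]$SearchBase,
        [int]$StaleDays = 7   # assumed: expired this long without rotation means the CSE is not running
    )
    $now = Get-Date
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties "ms-Mcs-AdmPwdExpirationTime", lastLogonTimestamp |
        ForEach-Object {
            $raw = $_."ms-Mcs-AdmPwdExpirationTime"
            # The attribute is a 64-bit Windows FILETIME; empty means LAPS never wrote a password here
            $expires = if ($raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
            $state = if (-not $expires) { 'NotManaged' }
                     elseif ($expires -lt $now.AddDays(-$StaleDays)) { 'Stale' }
                     elseif ($expires -lt $now) { 'DueForRotation' }   # normal for up to one GP refresh cycle
                     else { 'OK' }
            [pscustomobject]@{
                Name      = $_.Name
                Expires   = $expires
                LastLogon = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
                State     = $state
            }
        }
}

$report = Get-LapsCoverage -SearchBase "OU=Servers,DC=domain,DC=com"
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object { $_.State -ne 'OK' } | Sort-Object State, Name | Format-Table -AutoSize
```

A NotManaged computer with a recent LastLogon usually means the CSE is not installed or the GPO is not linked to its OU; a Stale one with an old LastLogon is more likely decommissioned.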

Summary

LAPS removes the lateral movement path that shared local administrator passwords create across the Windows Server 2012 R2 environment. The deployment process involves: extending the AD schema once, granting computers self-write permission on their LAPS attributes, restricting read access to authorized groups only, deploying the LAPS client via GPO or scripted installation, and configuring a GPO with appropriate password complexity and age settings. LAPS passwords are automatically rotated on the configured schedule and are stored in a confidential attribute in Active Directory that only authorized principals can read, with password reads written to the Security log once directory-access auditing is enabled.