How to Set Up LAPS (Local Administrator Password Solution) on Windows Server 2025
Windows LAPS — Local Administrator Password Solution — is a Microsoft-built feature that automatically manages and rotates the password of a designated local administrator account on every domain-joined machine in your environment. Without LAPS, organizations often set a single, shared local administrator password across hundreds or thousands of machines. When that password is discovered by an attacker, it enables trivial lateral movement across the entire fleet. Windows LAPS solves this by generating a cryptographically strong, unique password for each computer, storing it securely in Active Directory (or Azure AD), and rotating it automatically according to a configurable schedule. Windows Server 2025 ships with the latest version of Windows LAPS built directly into the operating system — no agent installation is required — superseding the legacy Microsoft LAPS MSI that predated Windows Server 2019. This guide covers extending the AD schema, configuring LAPS via Group Policy, retrieving and resetting passwords, and setting up auditing.
Prerequisites
- Windows Server 2025 domain controller (at least one DC must run Windows Server 2019 or later to support Windows LAPS schema attributes)
- Active Directory schema admin rights to extend the schema
- Domain Admin rights to configure permissions and Group Policy
- Target computers must run Windows 10 21H2 / Windows Server 2019 or later with the April 2023 or later cumulative update (Windows LAPS is inbox on these platforms)
- PowerShell 5.1 or later with the LAPS module (available after schema update)
- Group Policy Management Console installed
Step 1: Understand Windows LAPS vs Legacy Microsoft LAPS
There are two distinct products with similar names:
- Legacy Microsoft LAPS (the original open-source project, LAPS.msi): Required a separate MSI agent installation on each managed computer and stored passwords in the ms-Mcs-AdmPwd AD attribute in plaintext (protected only by AD ACLs). Schema extension required the legacy LAPS PowerShell module.
- Windows LAPS (built-in since Windows Server 2019, ADV190006): Inbox component, no agent required. Stores passwords in the new msLAPS-Password attribute — optionally encrypted using DPAPI-NG with an AD group as the decryption principal. Supports both Active Directory and Azure AD (Entra ID) as backup directories. Supports managed account name customization, password history, and post-authentication reset actions.
This guide exclusively covers the modern Windows LAPS (inbox) solution.
Step 2: Extend the Active Directory Schema for Windows LAPS
The Windows LAPS AD attributes must be added to the schema before any LAPS policy takes effect. This is a one-time, irreversible operation that requires Schema Admin rights.
# Import the LAPS module (available on Windows Server 2025 and patched Win10/11/Server 2019+)
Import-Module LAPS
# Verify the module is available and check the version
Get-Command -Module LAPS | Select-Object Name
Get-Module LAPS | Select-Object Version
# Review what the schema update will add before committing
Update-LapsADSchema -WhatIf
# Extend the AD schema with Windows LAPS attributes
# This adds: msLAPS-Password, msLAPS-PasswordExpirationTime, msLAPS-EncryptedPassword,
# msLAPS-EncryptedPasswordHistory, msLAPS-EncryptedDSRMPassword
Update-LapsADSchema -Verbose
Write-Host "AD schema extended with Windows LAPS attributes."
Step 3: Grant Computers Permission to Update Their Own LAPS Attribute
By default, computer accounts do not have write access to LAPS attributes in Active Directory. The Set-LapsADComputerSelfPermission cmdlet grants each computer account in a specified OU the right to write its own password to the directory.
# Grant self-write permission on a per-OU basis
# All computer accounts in the target OU gain permission to update their LAPS password attribute
$targetOUs = @(
    "OU=Workstations,DC=corp,DC=example,DC=com",
    "OU=Servers,OU=Managed,DC=corp,DC=example,DC=com",
    "OU=Servers,OU=Branch,DC=corp,DC=example,DC=com"
)
foreach ($ou in $targetOUs) {
    Set-LapsADComputerSelfPermission -Identity $ou
    Write-Host "Self-write permission granted for OU: $ou"
}
# Verify that the permissions were applied correctly
Find-LapsADExtendedRights -Identity "OU=Workstations,DC=corp,DC=example,DC=com"
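Self-write only lets computers store their password; the people who will later read it need their own delegation. The following is an added example, not code from the original guide: it delegates read and expiry rights to the CORP\LAPS-Password-Readers group on each managed OU and then lists every principal holding LAPS extended rights so stray delegations stand out. It assumes the group already exists and that Find-LapsADExtendedRights returns ObjectDN and ExtendedRightHolders properties, as current LAPS module builds do.

```powershell
# Added example (not from the original guide): delegate LAPS read/reset rights and review them.
# Assumes CORP\LAPS-Password-Readers exists and the OUs match the ones used above.
Import-Module LAPS

$readers   = "CORP\LAPS-Password-Readers"
$targetOUs = @(
    "OU=Workstations,DC=corp,DC=example,DC=com",
    "OU=Servers,OU=Managed,DC=corp,DC=example,DC=com",
    "OU=Servers,OU=Branch,DC=corp,DC=example,DC=com"
)

foreach ($ou in $targetOUs) {
    # Read right: the group may read msLAPS-Password / msLAPS-EncryptedPassword
    Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
    # Reset right: the group may write msLAPS-PasswordExpirationTime to force a rotation
    Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $readers
}

# Principals expected to hold LAPS extended rights on these OUs; anything else gets reviewed.
# The list is an assumption for this example; adjust it to your delegation model.
$expected = @($readers, "NT AUTHORITY\SYSTEM", "CORP\Domain Admins", "CORP\Enterprise Admins")

$targetOUs |
    ForEach-Object { Find-LapsADExtendedRights -Identity $_ } |
    ForEach-Object {
        # Assumed output shape: ObjectDN plus an ExtendedRightHolders array of principal names
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            [PSCustomObject]@{
                ObjectDN   = $dn
                Principal  = $holder
                Unexpected = ($holder -notin $expected)
            }
        }
    } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Rows flagged Unexpected = True are delegations that were not planned and should be explained or removed before passwords start landing in the directory.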
Step 4: Configure LAPS Policy via Group Policy
Windows LAPS is configured through Group Policy under Computer Configuration → Administrative Templates → System → LAPS. This path is available after the April 2023 cumulative update on supported platforms. Create a dedicated GPO and link it to the OUs containing managed computers.
# Create and link the LAPS GPO
$gpoName = "Windows-LAPS-Policy"
$domain = (Get-ADDomain).DNSRoot
$targetOU = "OU=Workstations,DC=corp,DC=example,DC=com"
New-GPO -Name $gpoName -Domain $domain -Comment "Windows LAPS configuration"
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes
Write-Host "LAPS GPO created and linked. Configure settings in GPME."
In the Group Policy Management Editor, configure the following LAPS policy settings:
- Configure password backup directory: Set to Active Directory (or Azure Active Directory for hybrid environments).
- Password Settings:
- Password Complexity: Large letters + small letters + numbers + specials (highest complexity)
- Password Length: 20 (minimum; increase to 24–32 for high-security environments)
- Password Age (Days): 30
- Enable password encryption: Enabled. Set the Authorized decryptors to a security group such as CORP\LAPS-Password-Readers.
- Enable password expiration protection: Enabled. Prevents the expiration time from being set beyond the maximum.
- Post-authentication actions: Reset the password and log off the managed account after each use — this prevents reuse of retrieved credentials.
- Name of administrator account to manage: Leave blank to manage the built-in Administrator (RID 500), or specify a custom account name.
# After configuring the GPO, force update on managed computers
$computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com" |
    Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $computers -ScriptBlock {
    gpupdate /force | Out-Null
    Write-Host "GPO updated on $env:COMPUTERNAME"
} -ThrottleLimit 20 -ErrorAction SilentlyContinue
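The settings listed above can also be written into the GPO from PowerShell, which keeps them reviewable and repeatable. This is an added example, not code from the original guide: it assumes the GPO name used above, that the registry value names and numeric encodings under HKLM\Software\Microsoft\Policies\LAPS match the LAPS ADMX shipped with the April 2023 update (verify against the ADMX in your central store), and WORKSTATION-42 as a placeholder client.

```powershell
# Added example (not from the original guide): set the LAPS policy values with Set-GPRegistryValue
# and confirm what a client actually received. Value names/encodings are assumed to match the LAPS ADMX.
Import-Module GroupPolicy

$gpoName = "Windows-LAPS-Policy"
$lapsKey = "HKLM\Software\Microsoft\Policies\LAPS"

# BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Active Directory
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "BackupDirectory" -Type DWord -Value 2
# PasswordComplexity: 4 = large letters + small letters + numbers + specials
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PasswordComplexity" -Type DWord -Value 4
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PasswordLength" -Type DWord -Value 20
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PasswordAgeDays" -Type DWord -Value 30
# Encrypt the AD-stored password so only the named group (and Domain Admins) can decrypt it
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "ADPasswordEncryptionEnabled" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "ADPasswordEncryptionPrincipal" -Type String -Value "CORP\LAPS-Password-Readers"
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PasswordExpirationProtectionEnabled" -Type DWord -Value 1
# PostAuthenticationActions: 3 = reset the password and log off the managed account
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PostAuthenticationActions" -Type DWord -Value 3
# Hours to wait after an authentication before the post-authentication action runs
Set-GPRegistryValue -Name $gpoName -Key $lapsKey -ValueName "PostAuthenticationResetDelay" -Type DWord -Value 1

# Review the values that ended up in the GPO before linking/refreshing clients
Get-GPRegistryValue -Name $gpoName -Key $lapsKey |
    Format-Table ValueName, Type, Value -AutoSize

# After gpupdate on a managed computer, confirm the effective policy the LAPS engine will read.
# A missing key here means the GPO did not apply (wrong link, filtering, or replication lag).
Invoke-Command -ComputerName "WORKSTATION-42" -ScriptBlock {
    Get-ItemProperty "HKLM:\Software\Microsoft\Policies\LAPS" |
        Select-Object BackupDirectory, PasswordLength, PasswordAgeDays,
                      ADPasswordEncryptionEnabled, PostAuthenticationActions
}
```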
Step 5: Retrieve LAPS Passwords from Active Directory
Authorized users (members of the CORP\LAPS-Password-Readers group, or Domain Admins by default) can retrieve the current password for any managed computer using the Get-LapsADPassword cmdlet.
# Retrieve the LAPS password for a specific computer
Get-LapsADPassword -Identity "WORKSTATION-42" -AsPlainText
# Retrieve password with metadata (expiration time, account name, when set)
Get-LapsADPassword -Identity "WORKSTATION-42" -AsPlainText | Format-List
# Retrieve passwords for multiple computers
$computers = @("WORKSTATION-42","WORKSTATION-17","SRV-BRANCH-01")
foreach ($pc in $computers) {
    $laps = Get-LapsADPassword -Identity $pc -AsPlainText
    [PSCustomObject]@{
        Computer       = $pc
        Account        = $laps.Account
        Password       = $laps.Password
        ExpirationTime = $laps.ExpirationTimestamp
    }
}
# Encrypted passwords (if encryption is enabled) are decrypted automatically when the caller
# is an authorized decryptor. To decrypt as a different principal, supply that principal's credential:
Get-LapsADPassword -Identity "WORKSTATION-42" -AsPlainText -DecryptionCredential (Get-Credential)
Step 6: Reset a LAPS Password on Demand
After using a LAPS password — for example, after logging into a computer for maintenance — you should immediately force a password rotation to invalidate the credential you used.
# Force a password reset on a specific computer from the AD side
# This sets msLAPS-PasswordExpirationTime to now; the computer rotates on its next policy cycle
$before = (Get-LapsADPassword -Identity "WORKSTATION-42" -AsPlainText).PasswordUpdateTime
Set-LapsADPasswordExpirationTime -Identity "WORKSTATION-42"
# To trigger the rotation immediately, refresh policy and run the LAPS processing cycle on the target
Invoke-Command -ComputerName "WORKSTATION-42" -ScriptBlock {
    gpupdate /force | Out-Null
    Invoke-LapsPolicyProcessing
    # Alternatively, Reset-LapsPassword (run locally, takes no -Identity) rotates the
    # password right away regardless of the stored expiration time
}
# Verify the new password is in place: the update time must have moved forward
Start-Sleep -Seconds 30
$after = Get-LapsADPassword -Identity "WORKSTATION-42" -AsPlainText
if ($after.PasswordUpdateTime -gt $before) {
    Write-Host "Rotation confirmed: password updated at $($after.PasswordUpdateTime)"
} else {
    Write-Warning "Password has not rotated yet; check the LAPS operational log on the client"
}
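Verifying one machine after a reset is easy; verifying that rotation works across an entire OU is the check that catches silently failing clients. The following is an added example, not code from the original guide: it reads only msLAPS-PasswordExpirationTime (never the password itself) for every enabled computer under a search base and reports machines that have never stored a password or whose expiry is overdue. It assumes the ActiveDirectory module and the OU path used above.

```powershell
# Added example (not from the original guide): fleet-wide LAPS rotation health check.
# msLAPS-PasswordExpirationTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC);
# it is absent on computers that have never written a LAPS password.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $GraceHours = 24   # tolerate the lag between expiry and the next policy cycle
    )
    $now = [DateTime]::UtcNow
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties msLAPS-PasswordExpirationTime, LastLogonDate |
    ForEach-Object {
        $raw     = $_.'msLAPS-PasswordExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $state   = if (-not $expires) {
                       'NeverManaged'        # no LAPS write has ever happened
                   } elseif ($expires -lt $now.AddHours(-$GraceHours)) {
                       'Overdue'             # expiry passed but the client did not rotate
                   } else {
                       'OK'
                   }
        [PSCustomObject]@{
            Computer      = $_.Name
            LastLogonDate = $_.LastLogonDate   # helps separate dead objects from broken clients
            ExpiresUtc    = $expires
            State         = $state
        }
    }
}

# Report only the problem machines; an Overdue client with a recent logon needs investigation
Get-LapsCoverageReport -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com" |
    Where-Object State -ne 'OK' |
    Sort-Object State, Computer |
    Format-Table -AutoSize
```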
Step 7: Configure LAPS Auditing
Audit who reads LAPS passwords so you can detect unauthorized credential access. Windows Server 2025 supports DS Access auditing for LAPS attribute reads.
# Enable auditing of LAPS password reads on the OU
# This adds a Success SACL for LAPS password attribute reads to the OU (inherited by its computers)
Set-LapsADAuditing -Identity "OU=Workstations,DC=corp,DC=example,DC=com" `
    -AuditedPrincipals "Everyone" `
    -AuditType Success
# LAPS password reads generate Event ID 4662 in the Security log on the DC
# (the "Audit Directory Service Access" subcategory must be enabled on the DCs).
# The event's Properties field carries the schemaIDGUID of the attribute, not its name,
# so resolve the GUIDs of the LAPS attributes from the schema first.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsGuids = foreach ($attr in 'msLAPS-Password','msLAPS-EncryptedPassword') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$attr)" -Properties schemaIDGUID
    ([guid]::new($obj.schemaIDGUID)).Guid
}
# Query for recent LAPS password read events
Get-WinEvent -ComputerName "DC01" -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
    Where-Object { $msg = $_.Message; @($lapsGuids | Where-Object { $msg -match $_ }).Count -gt 0 } |
    Select-Object TimeCreated, Message |
    Format-List
# For Azure AD-backed LAPS (retrieved with Get-LapsAADPassword), password reads are recorded
# in the Entra ID audit logs rather than on a domain controller.
# Review the Microsoft-Windows-LAPS/Operational event log on managed computers for rotation results
Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" |
    Where-Object { $_.Id -in @(10018, 10019, 10020, 10023) } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize
Conclusion
Windows LAPS on Windows Server 2025 provides an elegant, low-overhead solution to one of the most persistent lateral movement enablers in enterprise environments: shared local administrator passwords. By automatically rotating unique, cryptographically strong passwords for every managed machine and storing them securely in Active Directory with encryption, LAPS eliminates the “one password, all machines” problem without requiring administrators to manually track or rotate credentials. The addition of post-authentication reset actions in modern Windows LAPS ensures that retrieved passwords are invalidated after use, closing the window of opportunity for credential reuse. Combined with auditing, you gain full visibility into who accessed which machine’s password and when — a critical capability for incident response. Deploy Windows LAPS as a baseline security control across all domain-joined endpoints and integrate it with your privileged access management strategy for a comprehensive credential hygiene posture.