Introduction to LAPS on Windows Server 2022

LAPS — Local Administrator Password Solution — solves one of the most persistent security problems in Windows environments: the use of a single, shared local administrator password across all managed computers. When every workstation and server shares the same local administrator password, a single compromised machine exposes every other machine in the environment to lateral movement. An attacker who retrieves the local admin hash from one computer can immediately authenticate to every other computer that shares the same password.

LAPS automates the management of local administrator passwords by generating a unique, random password for the managed local account on each computer, storing it in Active Directory (or Azure AD), and rotating it on a configurable schedule. Windows Server 2022 includes Windows LAPS, a built-in, natively integrated version (delivered with the April 2023 cumulative update and later) that supersedes the legacy Microsoft LAPS solution, which required a separate MSI installation on every managed computer.

Windows LAPS vs Legacy LAPS

Legacy LAPS (also called Microsoft LAPS, CSE LAPS, or AdmPwd) was released in 2015 as a free download from Microsoft. It consisted of a Group Policy Client-Side Extension (CSE) installed on each managed computer, an AD schema extension, and a PowerShell module for administrators to retrieve passwords. Legacy LAPS stored passwords in a custom AD attribute (ms-Mcs-AdmPwd) in plain text, protected only by AD attribute-level permissions.

Windows LAPS is built into Windows Server 2022 and Windows Server 2019, and into Windows 11 and Windows 10, starting with the April 11, 2023 cumulative update; an unpatched build has neither the LAPS PowerShell module nor the policy engine. Key improvements over legacy LAPS:

  • No separate CSE installation required — functionality is in the OS.
  • Password can be encrypted in AD using the DPAPI-NG mechanism, meaning only authorized principals can decrypt it (not just anyone with read access to the AD attribute).
  • Supports backup to both on-premises Active Directory and Azure AD.
  • Keeps an encrypted password history in AD, so a password is still recoverable after a computer is restored from a backup or snapshot that predates the latest rotation.
  • Can manage the DSRM account password on domain controllers (the msLAPS-EncryptedDSRMPassword attribute); the DSRM password is only ever stored encrypted.
  • Built-in post-authentication reset: the password can be automatically rotated after it is used.
  • Native PowerShell cmdlets in the LAPS module (no separate install needed).

Check if Windows LAPS is available:

Get-Module -ListAvailable LAPS

Extending the Active Directory Schema for Windows LAPS

Before deploying Windows LAPS to domain-joined computers, the AD schema must be extended to add the new LAPS attributes. This operation requires Schema Admins group membership and should be performed once per forest.

From any domain-joined machine that has the LAPS PowerShell module, logged on as a member of Schema Admins (the cmdlet locates the schema master itself), run:

# Import the LAPS module
Import-Module LAPS

# Extend the AD schema (adds msLAPS-Password, msLAPS-PasswordExpirationTime, etc.)
Update-LapsADSchema -Verbose

The Update-LapsADSchema cmdlet adds the following attributes to the AD schema:

  • msLAPS-Password — Stores the password in clear text (as a JSON string with the account name and update time) when password encryption is not enabled; readable by anyone with read access to the attribute.
  • msLAPS-PasswordExpirationTime — Stores the next scheduled rotation time.
  • msLAPS-EncryptedPassword — Stores the DPAPI-NG encrypted password blob when encryption is enabled.
  • msLAPS-EncryptedPasswordHistory — Stores previous encrypted passwords (optional, size set by policy).
  • msLAPS-EncryptedDSRMPassword and msLAPS-EncryptedDSRMPasswordHistory — DSRM password management on domain controllers.

Verify the schema extension was applied by querying the schema partition for the new attributes (the LAPS module has no cmdlet for this):

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter "(lDAPDisplayName=msLAPS-*)" | Select-Object Name, DistinguishedName

Granting Computers Permission to Update Their Own LAPS Attributes

Each computer account needs write permission on its own LAPS attributes so that the Windows LAPS process running as SYSTEM can update the stored password and expiration time in AD. Use Set-LapsADComputerSelfPermission to grant this permission at the OU level:

# Grant all computers in the Workstations OU permission to update their own LAPS attributes
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"

# Do the same for the Servers OU
Set-LapsADComputerSelfPermission -Identity "OU=Servers,DC=corp,DC=local"

# Verify: the OU's ACL should now hold an allow ACE for NT AUTHORITY\SELF that computer objects inherit
# (Find-LapsADExtendedRights reports who can read passwords, not the self-write permission)
Import-Module ActiveDirectory
(Get-Acl "AD:\OU=Workstations,DC=corp,DC=local").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

The permission is inherited by all computer objects in the OU and its child OUs. Run this cmdlet for each OU that contains computers managed by LAPS.

Configuring LAPS Policy via Group Policy

Windows LAPS is configured through Group Policy for domain-joined computers (Intune-managed devices use the LAPS CSP instead; the settings are the same). The LAPS policy settings are located at:

Computer Configuration > Administrative Templates > System > LAPS

If the LAPS ADMX templates are not visible in the Group Policy Management Editor, the domain uses a Central Store that predates them; copy the files from a Windows Server 2022 or Windows 11 machine into it:

Copy-Item C:\Windows\PolicyDefinitions\LAPS.admx \\corp.local\SYSVOL\corp.local\Policies\PolicyDefinitions\
Copy-Item C:\Windows\PolicyDefinitions\en-US\LAPS.adml \\corp.local\SYSVOL\corp.local\Policies\PolicyDefinitions\en-US\

The key LAPS Group Policy settings:

  • Configure password backup directory: Set to Active Directory for on-premises or Azure Active Directory for cloud backup. This is the most important setting — without it, LAPS does nothing.
  • Password settings:
    • PasswordComplexity: 4 (large letters + small letters + numbers + special characters) is the default; do not lower it.
    • PasswordLength: 8–64 characters (default 14). 20 or more is recommended.
    • PasswordAgeDays: 1–365 days (default 30). Shorter intervals mean passwords are rotated more frequently but also require more AD write operations; 30 is a reasonable balance.
  • Enable password encryption: Enabled — stores the password encrypted with DPAPI-NG in the msLAPS-EncryptedPassword attribute, so only authorized decryptors can read it. Requires Windows Server 2016 domain functional level. With it Disabled, the password is written in clear text to msLAPS-Password and anyone with read access to that attribute can use it.
  • Configure authorized password decryptors: Specify the AD group or account (a single principal, normally a group) that can decrypt LAPS passwords. If not specified, the default is the Domain Admins group of the computer's domain.
  • Post-authentication actions: Configure what happens after the LAPS password is retrieved and used — options include resetting the password immediately or after a configurable grace period.
  • Name of administrator account to manage: By default, Windows LAPS manages the built-in Administrator account (SID 500). You can specify a different local account name here.

Example GPO summary (configured via GUI):

Configure password backup directory: Active Directory
Password Settings:
  PasswordComplexity: 4 (Large + Small + Numbers + Special)
  PasswordLength: 20
  PasswordAgeDays: 30
Enable password encryption: Enabled
Configure authorized password decryptors: CORP\LAPS-Readers
Post-authentication actions: Reset password (grace period: 8 hours)
Name of administrator account to manage: Administrator
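The same GPO built from PowerShell instead of the GUI, as an added example that is not part of the original page. The value names are the ones the LAPS.admx template writes under HKLM\Software\Microsoft\Policies\LAPS; the GPO name, the CORP\LAPS-Readers group and the Workstations OU link are assumptions carried over from the summary above.

```powershell
# Added example: create and link the LAPS GPO summarised above with the GroupPolicy module.
# Assumed names: GPO "LAPS - Workstations", group CORP\LAPS-Readers, OU=Workstations,DC=corp,DC=local.
Import-Module GroupPolicy

$gpoName = 'LAPS - Workstations'
$key     = 'HKLM\Software\Microsoft\Policies\LAPS'   # registry key backing the LAPS ADMX settings

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Value names and types as written by LAPS.admx; the numeric meanings are in the comments.
$settings = @(
    @{ Name = 'BackupDirectory';                     Type = 'DWord';  Value = 2 }                   # 0 = disabled, 1 = Azure AD, 2 = Active Directory
    @{ Name = 'PasswordComplexity';                  Type = 'DWord';  Value = 4 }                   # large + small + numbers + special
    @{ Name = 'PasswordLength';                      Type = 'DWord';  Value = 20 }
    @{ Name = 'PasswordAgeDays';                     Type = 'DWord';  Value = 30 }
    @{ Name = 'ADPasswordEncryptionEnabled';         Type = 'DWord';  Value = 1 }                   # write msLAPS-EncryptedPassword, not clear text
    @{ Name = 'ADPasswordEncryptionPrincipal';       Type = 'String'; Value = 'CORP\LAPS-Readers' } # authorized decryptor (one principal)
    @{ Name = 'ADEncryptedPasswordHistorySize';      Type = 'DWord';  Value = 3 }                   # previous passwords kept, 0-12
    @{ Name = 'PostAuthenticationActions';           Type = 'DWord';  Value = 1 }                   # 1 = reset, 3 = reset + log off, 5 = reset + reboot
    @{ Name = 'PostAuthenticationResetDelay';        Type = 'DWord';  Value = 8 }                   # grace period in hours
    @{ Name = 'AdministratorAccountName';            Type = 'String'; Value = 'Administrator' }
    @{ Name = 'PasswordExpirationProtectionEnabled'; Type = 'DWord';  Value = 1 }                   # reject expiry times pushed beyond policy
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
}

# Link once; an existing link makes New-GPLink error, which is ignored here
New-GPLink -Guid $gpo.Id -Target 'OU=Workstations,DC=corp,DC=local' -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what was written so it can be compared with the summary above
Get-GPRegistryValue -Guid $gpo.Id -Key $key | Select-Object ValueName, Type, Value
```

The read-back at the end is worth keeping in any deployment script: a GPO that leaves BackupDirectory at 0, or that sets ADPasswordEncryptionEnabled without a principal the clients can resolve, applies without error and simply manages nothing.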

Retrieving LAPS Passwords with Get-LapsADPassword

Authorized administrators retrieve the current local admin password for a computer using the Get-LapsADPassword cmdlet:

# Get the current LAPS password for a computer
Get-LapsADPassword -Identity "PC-001" -AsPlainText

# Output includes:
# ComputerName    : PC-001
# DistinguishedName : CN=PC-001,OU=Workstations,DC=corp,DC=local
# Account         : Administrator
# Password        : Kx@9#mQ7!vZpL2nR
# PasswordUpdateTime : 05/01/2026 09:23:14
# ExpirationTimestamp : 05/31/2026 09:23:14
# Source          : EncryptedPassword
# DecryptionStatus : Success
# AuthorizedDecryptor : CORP\LAPS-Readers

Without -AsPlainText, the password is returned as a SecureString object. Use -AsPlainText only when you need to display or paste the password. Avoid logging the plain-text password to files or scripts.

Retrieve password history (if encrypted password history is enabled in policy):

Get-LapsADPassword -Identity "PC-001" -AsPlainText -IncludeHistory

Forcing an Immediate Password Reset

After using a LAPS password to perform administrative work, force an immediate rotation to prevent reuse:

# Set the expiration time in AD to now; the computer rotates at its next LAPS processing cycle
Set-LapsADPasswordExpirationTime -Identity "PC-001" -WhenEffective (Get-Date)

# Then, on the managed machine (elevated), process policy immediately instead of waiting for the cycle
Invoke-LapsPolicyProcessing

# Alternatively, use Reset-LapsPassword on the target machine
Invoke-Command -ComputerName PC-001 -ScriptBlock {
    Reset-LapsPassword
}

The Set-LapsADPasswordExpirationTime cmdlet writes the current time to msLAPS-PasswordExpirationTime, so the computer generates and uploads a new password the next time Windows LAPS processes policy. Windows LAPS runs its own hourly processing cycle, independent of the Group Policy refresh interval; Invoke-LapsPolicyProcessing triggers that cycle at once. Whoever runs the cmdlet needs write access to the expiration attribute, which Set-LapsADResetPasswordPermission grants per OU. If password expiration protection is enabled in policy, the client rejects attempts to push the expiration later than the policy allows, but moving it earlier, as here, is always honoured. If post-authentication actions are configured, a logon with the managed account triggers this reset automatically once the grace period elapses.
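A checkout wrapper that ties the two halves together, as an added example that is not code from the original page: it retrieves the password as a SecureString, uses it for one remote command without ever converting it to plain text, and expires it afterwards. It assumes the computer name PC-001 and an operator who is an authorized decryptor for the host's OU and holds the reset permission.

```powershell
# Added example: single-use retrieval of a LAPS password. Assumes PC-001 and an operator
# with decrypt and reset rights on its OU; WinRM must be reachable on the target.
Import-Module LAPS

function Invoke-WithLapsCredential {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    # No -AsPlainText: the Password property stays a SecureString
    $laps = Get-LapsADPassword -Identity $ComputerName
    if ($laps.DecryptionStatus -notin 'Success', 'NotApplicable') {
        throw "Cannot decrypt the LAPS password for $ComputerName (status: $($laps.DecryptionStatus))"
    }

    # Local accounts authenticate as <host>\<account>; the SecureString feeds the credential directly
    $cred = [pscredential]::new("$ComputerName\$($laps.Account)", $laps.Password)
    try {
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock
    }
    finally {
        # Expire in AD so the password is single-use, then ask the host to rotate right away
        # rather than waiting for its next hourly processing cycle
        Set-LapsADPasswordExpirationTime -Identity $ComputerName -WhenEffective (Get-Date) | Out-Null
        try {
            Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock { Invoke-LapsPolicyProcessing }
        }
        catch {
            Write-Warning "Immediate rotation on $ComputerName failed; it will rotate at its next LAPS cycle: $_"
        }
    }
}

# Usage: run one command as the managed local administrator, then burn the password
Invoke-WithLapsCredential -ComputerName 'PC-001' -ScriptBlock { Get-Service -Name WinRM | Select-Object Status, Name }
```

The finally block runs whether or not the remote command succeeds, so a failed session still leaves the password expired. With post-authentication actions configured the host would reset the password anyway after the grace period; the explicit expiry closes that window to the length of one policy processing run.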

LAPS Audit Log

Windows LAPS writes to its own log, Microsoft-Windows-LAPS/Operational (Event Viewer: Applications and Services Logs > Microsoft > Windows > LAPS > Operational), not to the Application log. Key event IDs:

  • 10018: LAPS successfully backed up a password to Active Directory.
  • 10020: LAPS successfully backed up a password to Azure AD.
  • 10023: LAPS performed post-authentication actions (password reset after use).
  • 10024: LAPS reset the local account password.
  • 10031: LAPS failed to update the password in AD (check replication or permissions).

Query LAPS events on a managed computer:

Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" | Format-List TimeCreated, Id, Message

On the domain controller side, audit reads of the password attributes so that every retrieval is recorded. Set-LapsADAuditing writes a SACL entry on the OU covering the LAPS password attributes; with Audit Directory Service Access enabled in the DCs' advanced audit policy, each read of msLAPS-Password or msLAPS-EncryptedPassword then produces Event ID 4662 in the DC's Security log naming the reading account:

# Enable the audit subcategory on the DCs (or set it in the Default Domain Controllers Policy)
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Audit every successful read of the LAPS password attributes under the Workstations OU
Set-LapsADAuditing -Identity "OU=Workstations,DC=corp,DC=local" -AuditedPrincipals "Everyone" -AuditType Success

# Audit failed attempts as well; these surface principals probing the attributes without access
Set-LapsADAuditing -Identity "OU=Workstations,DC=corp,DC=local" -AuditedPrincipals "Everyone" -AuditType Failure
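The 4662 events that result identify attributes only by schemaIDGUID, so a report of who read LAPS passwords has to resolve those GUIDs first. The following is an added example, not code from the original page; it assumes it is run on a domain controller after the auditing above has been in place for a while.

```powershell
# Added example: report who read LAPS password attributes in the last 24 hours. Run on a DC.
# Assumes Audit Directory Service Access is enabled and Set-LapsADAuditing has been applied.
Import-Module ActiveDirectory

# Map schemaIDGUID -> attribute name for the attributes that hold passwords; the GUIDs are
# looked up in this forest's schema rather than hard-coded
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attrByGuid = @{}
foreach ($attr in 'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-EncryptedPasswordHistory') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if ($obj) { $attrByGuid[[guid]::new([byte[]]$obj.schemaIDGUID).ToString()] = $attr }
}

function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-24) }
$reads  = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $xml = [xml]$e.ToXml()
    # The Properties field lists the accessed attribute GUIDs in braces
    $props   = Get-EventField $xml 'Properties'
    $matched = @($attrByGuid.Keys | Where-Object { $props -and $props.ToLower().Contains($_) })
    if ($matched.Count -eq 0) { continue }

    $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Reader    = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'), (Get-EventField $xml 'SubjectUserName')
        Object    = Get-EventField $xml 'ObjectName'
        Attribute = ($matched | ForEach-Object { $attrByGuid[$_] }) -join ', '
        Outcome   = $outcome
    }
}

$reads | Sort-Object Time | Format-Table -AutoSize
```

Reads by accounts outside the authorized decryptor group, and any Failure rows at all, are the lines to chase: a failed read means a principal that should not have the attribute permission is trying it. Forward the same filter to the SIEM rather than relying on a scheduled script on one DC, since each DC logs only the reads it served.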

LAPS with Azure AD (Cloud Backup)

Windows LAPS can back up local administrator passwords to Azure AD for Azure AD joined and hybrid Azure AD joined devices. To enable cloud backup:

  1. Turn on LAPS for the tenant: Azure Active Directory > Devices > Device settings > Enable Azure AD Local Administrator Password Solution (LAPS). Without this, clients fail to back up regardless of policy.
  2. Set the Configure password backup directory policy to Azure Active Directory.
  3. Ensure the device is Azure AD joined or hybrid Azure AD joined.

The password is stored with the device object in Azure AD and exposed through the deviceLocalCredentialInfo resource in Microsoft Graph; it is not an ordinary readable attribute of the device. Encryption is not configurable for Azure AD backup: the password is always encrypted in transit and at rest, and access is governed by directory roles rather than a decryptor list.

Retrieve a LAPS password from Azure AD with the LAPS module, authenticated through Microsoft Graph PowerShell (Get-LapsAADPassword accepts device names or device IDs):

# Both scopes are needed: one to resolve the device, one to read its credential
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All","Device.Read.All"

# Without -IncludePasswords only the metadata (account, backup time) is returned
Get-LapsAADPassword -DeviceIds "PC-001" -IncludePasswords -AsPlainText

# Previous passwords, if the device has rotated more than once
Get-LapsAADPassword -DeviceIds "PC-001" -IncludePasswords -IncludeHistory -AsPlainText

In the Azure Portal, LAPS passwords are accessible via: Azure Active Directory > Devices > [device name] > Local administrator password. Access requires the Cloud Device Administrator, Intune Administrator, or Global Administrator role, or a custom role with the microsoft.directory/deviceLocalCredentials/password/read action (the ...deviceLocalCredentials/standard/read action exposes only the metadata, not the password).

Migrating from Legacy LAPS to Windows LAPS

Organizations running legacy LAPS (with the AdmPwd CSE) can migrate to Windows LAPS without a gap in coverage. Windows LAPS does not copy passwords between the legacy and new attributes: the ms-Mcs-AdmPwd value stays in place and remains readable with the legacy tooling until the computer's first Windows LAPS rotation writes to the msLAPS-* attributes. The migration process involves:

  1. Extend the schema with Update-LapsADSchema (adds the msLAPS-* attributes; the legacy ms-Mcs-AdmPwd attributes remain untouched).
  2. Update permissions with Set-LapsADComputerSelfPermission for all managed OUs (the legacy self-write permission covers only the ms-Mcs-AdmPwd attributes).
  3. Deploy the Windows LAPS Group Policy with the backup directory configured. Once a Windows LAPS policy applies to a computer, Windows LAPS takes over management of the account; do not leave the legacy CSE managing the same account on the same machine, or the two will rotate the password out from under each other.
  4. Legacy emulation mode: where the legacy CSE is not installed but the old AdmPwd policy settings still apply and no Windows LAPS policy is present, Windows LAPS runs in legacy emulation mode, honouring those settings and writing to ms-Mcs-AdmPwd. This keeps coverage on machines that receive the OS update before the new policy reaches them, but it offers no encryption, history or post-authentication actions, so treat it as a transitional state rather than a destination.
  5. Remove legacy LAPS CSE: Once Windows LAPS policy is fully deployed and passwords are being managed by the new system, uninstall the legacy CSE via Group Policy software removal or MECM, and retire the legacy ADMX settings so that no machine can fall back into emulation mode.

Check which LAPS system is currently managing a computer: each system stamps its own expiration attribute, so compare the two (the legacy attribute resolves only if the legacy schema extension was ever applied):

# A populated msLAPS-PasswordExpirationTime means Windows LAPS has written at least once;
# ms-Mcs-AdmPwdExpirationTime is the legacy equivalent. Both are FILETIME integers.
Get-ADComputer "PC-001" -Properties "msLAPS-PasswordExpirationTime","ms-Mcs-AdmPwdExpirationTime" |
    Format-List Name, "msLAPS-PasswordExpirationTime", "ms-Mcs-AdmPwdExpirationTime"

Fine-Grained Access — Who Can Read LAPS Passwords

Controlling who can retrieve LAPS passwords is critical. By default, Domain Admins can always read LAPS passwords. To delegate access to specific teams (e.g., help desk for workstation passwords, server team for server passwords), use AD delegation:

# Grant the HelpDesk group permission to read LAPS passwords for the Workstations OU
Set-LapsADReadPasswordPermission `
    -Identity "OU=Workstations,DC=corp,DC=local" `
    -AllowedPrincipals "CORP\HelpDesk"

# Grant the ServerAdmins group permission to read LAPS passwords for the Servers OU
Set-LapsADReadPasswordPermission `
    -Identity "OU=Servers,DC=corp,DC=local" `
    -AllowedPrincipals "CORP\ServerAdmins"

# Verify permissions
Find-LapsADExtendedRights -Identity "OU=Workstations,DC=corp,DC=local"

When password encryption is enabled, the authorized decryptors list in the GPO setting (Configure authorized password decryptors) determines which principals can decrypt the DPAPI-NG protected password. This is a second layer of access control on top of AD attribute read permissions — even if someone has read access to the attribute, they cannot decrypt the password blob unless they are in the authorized decryptors list or are a Domain Admin.

For highly sensitive environments, scope LAPS password access using tiered groups:

  • LAPS-Readers-Tier0 — can read DC and PKI server passwords (very restricted)
  • LAPS-Readers-Tier1 — can read member server passwords
  • LAPS-Readers-Tier2 — can read workstation passwords (help desk)

Apply the appropriate group to each OU using Set-LapsADReadPasswordPermission and configure matching authorized decryptors in each tier’s GPO. This aligns LAPS access with the Tiered Administration Model and ensures that workstation support staff cannot retrieve the passwords of domain controllers.
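The tiered delegation above applied in one pass and then verified, as an added example that is not code from the original page. It assumes the OU layout used on this page plus the default Domain Controllers OU as the Tier 0 container, the three LAPS-Readers-Tier groups, and CORP as the NetBIOS domain name.

```powershell
# Added example: delegate and verify tiered LAPS read access.
# Assumed: OUs and groups named below, NetBIOS domain CORP.
Import-Module LAPS

$tiers = @(
    @{ OU = 'OU=Domain Controllers,DC=corp,DC=local'; Readers = 'CORP\LAPS-Readers-Tier0' }
    @{ OU = 'OU=Servers,DC=corp,DC=local';            Readers = 'CORP\LAPS-Readers-Tier1' }
    @{ OU = 'OU=Workstations,DC=corp,DC=local';       Readers = 'CORP\LAPS-Readers-Tier2' }
)

foreach ($t in $tiers) {
    # Computers write their own attributes; the tier group may read passwords and force a rotation
    Set-LapsADComputerSelfPermission  -Identity $t.OU | Out-Null
    Set-LapsADReadPasswordPermission  -Identity $t.OU -AllowedPrincipals $t.Readers | Out-Null
    Set-LapsADResetPasswordPermission -Identity $t.OU -AllowedPrincipals $t.Readers | Out-Null
}

# Verification: Find-LapsADExtendedRights lists every principal holding the control-access
# right that reads the password attributes on each OU. Anything beyond the tier's own group
# and the always-present built-ins is flagged, for example an older help-desk delegation
# that would let Tier 2 staff read domain controller passwords.
$expectedEverywhere = 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\Enterprise Admins'
$report = foreach ($t in $tiers) {
    $holders    = @((Find-LapsADExtendedRights -Identity $t.OU).ExtendedRightHolders)
    $unexpected = @($holders | Where-Object { $_ -notin ($expectedEverywhere + $t.Readers) })
    $flag       = if ($unexpected.Count -gt 0) { $unexpected -join '; ' } else { '-' }
    [pscustomobject]@{
        OU         = $t.OU
        Holders    = $holders -join '; '
        Unexpected = $flag
    }
}
$report | Format-List
```

Set-LapsADReadPasswordPermission adds to the OU's ACL; it does not remove earlier delegations, which is why the verification step matters. Any principal in the Unexpected column needs a decision, and the decryptor list in each tier's GPO must match the group granted here, because attribute read access without membership in the decryptor group yields a blob that cannot be opened, while decryptor membership without the attribute permission yields nothing at all.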

Summary

Windows LAPS on Windows Server 2022 provides a robust, native solution for managing local administrator passwords without requiring third-party software. By extending the AD schema with Update-LapsADSchema, configuring computer self-write permissions, deploying a LAPS GPO with encryption enabled, and tightly controlling who can read passwords using Set-LapsADReadPasswordPermission, you eliminate one of the most common attack vectors for lateral movement. The built-in encryption, password history, post-authentication reset, and Azure AD backup options in Windows LAPS represent significant security improvements over the legacy solution, and the migration path allows existing LAPS deployments to transition without interruption.