How to Set Up LAPS Advanced Configuration on Windows Server 2012 R2

Local Administrator Password Solution (LAPS) is a Microsoft tool that automatically manages unique, randomly generated local Administrator passwords for every computer in Active Directory. Without LAPS, organizations often set the same local Administrator password on all machines, which means that compromising one system gives an attacker lateral movement access to every other machine. LAPS stores each computer’s local admin password as an attribute on the computer object in AD DS, protected by the attribute’s ACL so that only delegated users and groups can read it. This tutorial covers advanced LAPS deployment including schema extension, fine-grained delegation, password complexity, and auditing.

Prerequisites

  • Active Directory domain with Windows Server 2012 R2 or later domain controllers
  • Schema Admin rights to extend the AD schema with LAPS attributes
  • Domain Admin rights to configure GPOs and delegate permissions
  • The LAPS installation package (download from Microsoft: LAPS.x64.msi)
  • Windows Server 2012 R2 member servers that will have their local admin passwords managed

Step 1: Install LAPS Management Tools on the Management Workstation

Install the LAPS MSI on your management workstation or member server, selecting all components including the Fat Client UI, PowerShell module, and Group Policy Templates:

# Silent installation with all features
msiexec /i LAPS.x64.msi ADDLOCAL=ALL /quiet /norestart

# Verify installation
Get-Module -ListAvailable -Name AdmPwd.PS

Step 2: Extend the Active Directory Schema

LAPS adds two attributes to the AD computer object class: ms-Mcs-AdmPwd (the current local Administrator password) and ms-Mcs-AdmPwdExpirationTime (when the password should be rotated). Run the schema extension from a Schema Admin account:

Import-Module AdmPwd.PS

# Extend schema (run as Schema Admin)
Update-AdmPwdADSchema

# Verify the attributes exist
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter { name -like "ms-Mcs-*" } | Select-Object Name, DistinguishedName

Expected output: two objects named ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

Step 3: Configure Permissions on Target OUs

Computer accounts need write access to their own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes so the LAPS client can update the password. Grant this permission to all computers in the target OU:

# Grant computers in the OU permission to write their own password
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Servers,DC=corp,DC=example,DC=com"

# Verify permissions were applied
Find-AdmPwdExtendedRights -Identity "OU=Servers,DC=corp,DC=example,DC=com"

Step 4: Delegate Password Read Access

By default, only Domain Admins can read LAPS passwords. Delegate read access to specific groups—for example, a Helpdesk group that needs local admin access for support tasks:

# Grant Helpdesk group ability to read LAPS passwords for Workstations OU
Set-AdmPwdReadPasswordPermission `
    -OrgUnit "OU=Workstations,DC=corp,DC=example,DC=com" `
    -AllowedPrincipals "CORP\Helpdesk-L1","CORP\Helpdesk-L2"

# Grant Server Admins ability to read LAPS passwords for Servers OU
Set-AdmPwdReadPasswordPermission `
    -OrgUnit "OU=Servers,DC=corp,DC=example,DC=com" `
    -AllowedPrincipals "CORP\ServerAdmins"

# Grant password reset (expiration) rights separately
Set-AdmPwdResetPasswordPermission `
    -OrgUnit "OU=Servers,DC=corp,DC=example,DC=com" `
    -AllowedPrincipals "CORP\ServerAdmins"

Step 5: Harden Password Read Attribute with Extended Rights Audit

LAPS stores passwords in plaintext in AD (protected only by ACL). The attribute is flagged confidential in the schema, so the default read access of Authenticated Users does not cover it, but any principal with Full Control or All Extended Rights on the computer objects can read it. You must identify who can read the attribute and ensure no unintended principals have access:

# Find all principals with extended rights on the Servers OU
Find-AdmPwdExtendedRights -Identity "OU=Servers,DC=corp,DC=example,DC=com" | Format-Table

# Check for unexpected groups with All Extended Rights (this includes Domain Admins, Enterprise Admins)
# Any unexpected groups should be removed via AD ACL editor (dsacls or ADSI Edit)
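Find-AdmPwdExtendedRights only reports principals holding extended rights on the OU. The following script is an added example, not part of the original tutorial or the LAPS toolset: it walks the OU's ACL directly and flags every ACE that can disclose ms-Mcs-AdmPwd (full control, an extended right scoped to the attribute or to all rights) or that lets its holder grant itself access (WriteDacl, WriteOwner), then compares the principals against an allow-list. It assumes the ActiveDirectory module and the AD: drive it provides; the OU and group names are the tutorial's placeholders.

```powershell
# Added example (not from the tutorial): audit who can read ms-Mcs-AdmPwd on an OU.
# Assumes the ActiveDirectory module; OU and group names are the tutorial's placeholders.
Import-Module ActiveDirectory

$ou       = "OU=Servers,DC=corp,DC=example,DC=com"
$expected = @("CORP\Domain Admins", "CORP\Enterprise Admins", "CORP\ServerAdmins",
              "NT AUTHORITY\SYSTEM")

# ms-Mcs-AdmPwd is confidential: reading it requires the CONTROL_ACCESS (extended) right,
# granted either for this attribute's GUID or for all extended rights (empty ObjectType).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -SearchBase $schemaNC -Filter { name -eq "ms-Mcs-AdmPwd" } -Properties schemaIDGUID
$pwdGuid  = [guid]$pwdAttr.schemaIDGUID

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-LapsReadAces {
    param([string]$Path, [guid]$AttributeGuid)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        $rights      = $ace.ActiveDirectoryRights
        $fullControl = $rights.HasFlag($ADR::GenericAll)
        $extended    = $rights.HasFlag($ADR::ExtendedRight) -and
                       ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AttributeGuid)
        # WriteDacl/WriteOwner do not disclose the password, but allow the holder to grant itself read access.
        $canGrant    = $rights.HasFlag($ADR::WriteDacl) -or $rights.HasFlag($ADR::WriteOwner)
        if (-not ($fullControl -or $extended -or $canGrant)) { continue }

        $scope = if ($ace.ObjectType -eq $AttributeGuid) { "ms-Mcs-AdmPwd" } `
                 elseif ($ace.ObjectType -eq [guid]::Empty) { "all rights" } `
                 else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = $scope
            Inherited = $ace.IsInherited
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

$aces = Get-LapsReadAces -Path "AD:\$ou" -AttributeGuid $pwdGuid
$aces | Sort-Object Expected, Principal | Format-Table -AutoSize

# Anything listed here is either an ACL to remove (dsacls / ADSI Edit) or a principal to add to $expected deliberately.
$aces | Where-Object { -not $_.Expected }
```

Inherited ACEs are reported too, because most unexpected readers come from ACLs set higher in the tree (on the domain head or a parent OU) rather than on the LAPS OU itself; check the Inherited column before deciding where to fix the ACL.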

Step 6: Install LAPS Client on Managed Computers

The LAPS client (CSE – Client Side Extension) must be installed on all computers whose local admin passwords will be managed. Deploy via SCCM, GPO software deployment, or PowerShell:

# Deploy via GPO Software Installation
# Copy LAPS.x64.msi to a network share: \\FILESERVER\Software\LAPS

# Create GPO for software deployment:
# Computer Configuration → Policies → Software Settings → Software installation
# New → Package → \\FILESERVER\Software\LAPS\LAPS.x64.msi
# Deployment type: Assigned

# Or deploy silently via startup script:
msiexec /i \\FILESERVER\Software\LAPS\LAPS.x64.msi ADDLOCAL=CSE /quiet /norestart

Step 7: Configure LAPS Group Policy

Install the LAPS Group Policy Administrative Template on your management machine, then configure the policy:

# Copy ADMX templates to central store
Copy-Item "C:\Program Files\LAPS\Templates\AdmPwd.admx" `
    "\\corp.example.com\SYSVOL\corp.example.com\Policies\PolicyDefinitions" -Force

Copy-Item "C:\Program Files\LAPS\Templates\AdmPwd.adml" `
    "\\corp.example.com\SYSVOL\corp.example.com\Policies\PolicyDefinitions\en-US" -Force

Create a GPO named LAPS-Servers and link it to the Servers OU. Navigate to:

Computer Configuration → Administrative Templates → LAPS

Configure these settings:

  • Enable local admin password management — Enabled
  • Password Settings — Enabled; Complexity: Large letters + small letters + numbers + specials; Length: 20; Age: 30 days
  • Name of administrator account to manage — Enter the actual name of the local admin account (especially important if you renamed it)
  • Do not allow password expiration time longer than required by policy — Enabled
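Once the GPO is linked, confirm on a managed server that the settings actually arrived and that the client side extension is present; a GPO that is filtered out, or a server without the CSE, silently leaves the old shared password in place. The script below is an added example, not from the original tutorial: it reads the registry values the AdmPwd.admx template writes under HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd and compares them with the values configured above. The expected values are the tutorial's settings, and the CSE path assumes the default LAPS install location.

```powershell
# Added example (not from the tutorial): verify the LAPS-Servers policy on a managed server.
# Run after "gpupdate /force". Value names are those written by the AdmPwd.admx template.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd"
$expected  = [ordered]@{
    AdmPwdEnabled                  = 1    # Enable local admin password management: Enabled
    PasswordComplexity             = 4    # Large + small letters + numbers + specials
    PasswordLength                 = 20
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # Do not allow expiration longer than policy: Enabled
}

function Test-LapsClientConfig {
    $problems = @()

    # Default CSE location; without the DLL the policy is never acted on.
    if (-not (Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll")) {
        $problems += "LAPS CSE (AdmPwd.dll) not installed; the policy will be ignored"
    }
    if (-not (Test-Path $policyKey)) {
        $problems += "Policy key $policyKey missing; GPO not linked, filtered, or not yet applied"
        return $problems
    }

    $actual = Get-ItemProperty -Path $policyKey
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            $problems += "$name not configured (setting left Not Configured in the GPO)"
        } elseif ([int]$value -ne $expected[$name]) {
            $problems += "$name is $value, expected $($expected[$name])"
        }
    }

    # AdminAccountName is only written when "Name of administrator account to manage" is set;
    # when absent, LAPS manages the built-in (RID 500) account. If set, it must exist locally,
    # otherwise the CSE has nothing to rotate.
    if ($actual.AdminAccountName) {
        $name  = $actual.AdminAccountName
        $local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True AND Name = '$name'"
        if (-not $local) {
            $problems += "AdminAccountName '$name' does not exist on this machine"
        }
    }
    return $problems
}

$issues = Test-LapsClientConfig
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { "LAPS client policy matches the intended configuration" }
```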

Step 8: Retrieve and Reset LAPS Passwords

Retrieve the current local admin password for a computer from PowerShell:

# Retrieve password (requires read permission on ms-Mcs-AdmPwd attribute)
Get-AdmPwdPassword -ComputerName "SERVER01"

# Output includes: ComputerName, DistinguishedName, Password, ExpirationTimestamp

# Force immediate password rotation on a computer
Reset-AdmPwdPassword -ComputerName "SERVER01"

# Set a specific expiration time (force rotation in 1 hour). The AdmPwd.PS module has no
# separate "set expiration" cmdlet; Reset-AdmPwdPassword with -WhenEffective writes the
# requested time into ms-Mcs-AdmPwdExpirationTime and the CSE rotates the password at its
# next run after that time.
$expiry = (Get-Date).AddHours(1)
Reset-AdmPwdPassword -ComputerName "SERVER01" -WhenEffective $expiry

Use the LAPS UI (AdmPwd.UI.exe) for a graphical interface to retrieve passwords without using PowerShell.
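Two operational routines fall out of these cmdlets. First, a fleet check: ms-Mcs-AdmPwdExpirationTime is a FILETIME value, so a computer with no value (the CSE has never run) or a value in the past (the client has not rotated since it was due) is one where the shared password may still be in use. Second, a check-out pattern for support staff: retrieve the password and immediately schedule its expiration, so that a value that was shown on screen or pasted into a ticket is short-lived. The script below is an added example, not from the original tutorial; it assumes the ActiveDirectory and AdmPwd.PS modules, and the OU DN and computer name are the tutorial's placeholders.

```powershell
# Added example (not from the tutorial): LAPS fleet health report and a retrieve-then-expire helper.
# Assumes the ActiveDirectory and AdmPwd.PS modules; OU and host names are placeholders.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

function Get-LapsHealthReport {
    param([Parameter(Mandatory)][string]$OrgUnit)
    $nowUtc = (Get-Date).ToUniversalTime()
    Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'          # Int64 FILETIME, or $null if never set
            $expiry = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state  = if (-not $raw)            { 'NeverSet' }   # CSE never ran or lacks self-write permission
                      elseif ($expiry -lt $nowUtc) { 'Overdue' }  # due for rotation but the client has not rotated
                      else                         { 'OK' }
            [pscustomobject]@{
                ComputerName  = $_.Name
                ExpirationUtc = $expiry
                State         = $state
            }
        }
}

function Get-LapsPasswordOnce {
    # Retrieve the password and schedule rotation so the disclosed value is short-lived.
    # Reset-AdmPwdPassword only writes the expiration time; the password actually changes
    # when the CSE next runs on the target (gpupdate /force on that host forces it).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$ValidForMinutes = 60
    )
    $result = Get-AdmPwdPassword -ComputerName $ComputerName
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date).AddMinutes($ValidForMinutes)
    $result
}

# Computers where LAPS is not demonstrably working:
Get-LapsHealthReport -OrgUnit "OU=Servers,DC=corp,DC=example,DC=com" |
    Where-Object State -ne 'OK' | Format-Table -AutoSize

# Helpdesk check-out of SERVER01's password, valid for one hour:
Get-LapsPasswordOnce -ComputerName "SERVER01" -ValidForMinutes 60 | Select-Object ComputerName, Password, ExpirationTimestamp
```

NeverSet on a machine that has been in the OU for longer than one policy cycle usually means the CSE is missing or Set-AdmPwdComputerSelfPermission was not run on that OU; Overdue on a machine that is online points at the client not processing the policy (check the Application log for the AdmPwd source on that host).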

Step 9: Audit LAPS Password Reads

Configure auditing on the ms-Mcs-AdmPwd attribute to detect unauthorized password reads. Run on a domain controller:

# Enable auditing for the LAPS password attribute
# This requires setting a SACL on the OU in ADSI Edit:
# Right-click OU → Properties → Security → Advanced → Auditing
# Add: Everyone / Success / Read ms-Mcs-AdmPwd / This object and descendant objects
# The domain controllers must also have the "Audit Directory Service Access"
# subcategory enabled for Success, otherwise no 4662 events are written.

# After enabling, monitor Event ID 4662 in the Security log. The event's Properties
# field identifies the attribute by its schemaIDGUID, not by the name "ms-Mcs-AdmPwd",
# so resolve the GUID first. The Event Log XPath dialect does not support contains(),
# so select the event ID in XPath and filter on the GUID in PowerShell.
$pwdGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -Filter { name -eq "ms-Mcs-AdmPwd" } -Properties schemaIDGUID).schemaIDGUID

Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4662]]" -MaxEvents 1000 |
    Where-Object { $_.Message -match $pwdGuid.ToString() } |
    Select-Object TimeCreated, Message

Summary

LAPS solves one of the most persistent lateral movement risks in Windows environments by ensuring every machine has a unique, rotating local Administrator password stored securely in Active Directory. You have extended the AD schema, configured computer account write permissions, delegated read access to appropriate support groups, deployed the LAPS client via Group Policy, configured a strong password policy, and set up auditing for password reads. With LAPS in place, compromising one machine’s local administrator credentials no longer provides access to the rest of your fleet.