Active Directory: Deploying LAPS with Group Policy and PowerShell Automation

Managing local administrator passwords across hundreds of machines is a security risk when it is done by hand or when the same credential is reused everywhere. Microsoft LAPS solves this by automatically rotating each machine's local admin password and storing it securely in Active Directory or Azure AD.

This guide walks you through setting up and deploying LAPS (Modern Version) using Windows Server 2022/2019 and Windows 11/10 clients in an on-premises Active Directory environment.

Step 1: Download the Latest Microsoft LAPS

  • The new Microsoft LAPS is now built into Windows 11 and Windows Server 2022 (from April 2023 Update).
  • You only need to download the installer if you’re running older OSes like Windows Server 2016 or 2019.

Download Link: Microsoft LAPS on Learn

Step 2: Enable LAPS Feature on the Domain Controller

If you’re using Windows Server 2022 or later:

  • Using the GUI settings, or
  • Using PowerShell as Administrator:

Add-WindowsCapability -Online -Name "LAPS.ManagementTools~~~~0.0.1.0"

This installs the modern LAPS management tools.

Step 3: Extend the Active Directory Schema

To store the LAPS password in AD securely, extend the schema. Two attributes must be added to the computer objects:

  • msMcsAdmPwd
  • msMcsAdmPwdExpirationTime

Open PowerShell as a user in the Schema Admins group and run:

Import-Module LAPS
Update-LapsADSchema

Step 4: Set Permissions for Computers and Admins

Give client computers permission to update their own passwords:

Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=yourdomain,DC=com"

Allow domain admins to read and reset passwords:

Set-LapsADReadPasswordPermission -Identity "OU=Workstations,DC=yourdomain,DC=com" -AllowedPrincipals "Domain Admins"
Set-LapsADResetPasswordPermission -Identity "OU=Workstations,DC=yourdomain,DC=com" -AllowedPrincipals "Domain Admins"

Step 5: Install the LAPS Client on Workstations

For Windows 11/10 (post-April 2023 update):

LAPS is built-in. Just enable it using GPO.

For older OS versions:

  • Deploy LAPS.x64.msi using Group Policy Software Installation
  • Place the MSI file in a shared network folder (clients only need to read the package, so grant Domain Computers read access rather than full control):

New-Item -Path "C:\LAPS" -ItemType Directory
New-SmbShare -Name "LAPS" -Path "C:\LAPS" -ReadAccess "Domain Computers"
  • Create a new GPO:
    • Navigate to Computer Configuration > Policies > Software Settings > Software Installation
    • Use UNC path: \\YourServer\LAPS\LAPS.x64.msi
    • Choose Assigned
    • Link the GPO to your Workstations OU

Step 6: Configure LAPS via Group Policy

  • Create or edit a new GPO (e.g., “LAPS Policy”)
  • Go to:
    Computer Configuration > Administrative Templates > System > LAPS

  • Create a new GPO and provide a name for it
  • Click Edit
  • Navigate to Computer Configuration > Policies > Software Settings, right-click Software Installation and select New > Package
  • Provide the UNC path of the package
  • Select Assigned
  • Link the GPO to an organizational unit

Enable the following settings:

  • Enable password management → Enabled
  • Do not allow password expiration time longer than required by policy → Enabled
  • Password Settings → Set expiration, complexity, length, etc.

Step 7: Force GPO Update on Clients

To apply all LAPS configurations immediately:

Invoke-GPUpdate -ComputerName ClientPC01 -Force

Or run this directly on the client machine:

gpupdate /force

Restart the client once to ensure password registration occurs.

Step 8: View Local Admin Passwords

Option 1: Use PowerShell

Get-LapsADPassword -Identity ClientPC01 -AsPlainText

or, with the legacy LAPS module:

Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName ComputerName | Format-List

Option 2: Use LAPS UI

  • Open LAPS UI tool from Start Menu
  • Enter the computer name and view the password and expiration
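To confirm the permissions from Step 4 and the rollout from Steps 7 and 8 across a whole OU rather than one machine at a time, here is an added audit script that is not part of the original guide. It assumes the Windows LAPS and ActiveDirectory PowerShell modules are installed on the management host; the OU distinguished name and the 30-day threshold are placeholders to adjust to your environment.

```powershell
# Added audit script, not from the original guide. Assumes the Windows LAPS and
# ActiveDirectory modules are installed; the OU DN and age threshold are placeholders.
#Requires -Modules LAPS, ActiveDirectory
param(
    [string]$SearchBase = "OU=Workstations,DC=yourdomain,DC=com",  # placeholder OU
    [int]$MaxAgeDays    = 30                                       # expiration set in the GPO
)

# 1. Who holds the LAPS read-password right in this OU? Anyone listed can obtain
#    local admin on every machine below it, so this should match Step 4 exactly.
Find-LapsADExtendedRights -Identity $SearchBase |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 2. Does every computer in the OU have a current backed-up password?
$now = Get-Date
$report = foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    # Without -AsPlainText only metadata is returned; the secret stays a SecureString.
    $pw = Get-LapsADPassword -Identity $computer.Name -ErrorAction SilentlyContinue

    $status = if (-not $pw)                                                  { 'MISSING' }  # policy never applied
              elseif ($pw.ExpirationTimestamp -lt $now)                      { 'EXPIRED' }  # client stopped rotating
              elseif ($pw.PasswordUpdateTime -lt $now.AddDays(-$MaxAgeDays)) { 'STALE' }
              else                                                           { 'OK' }

    [pscustomobject]@{
        Computer = $computer.Name
        Account  = $pw.Account
        Updated  = $pw.PasswordUpdateTime
        Expires  = $pw.ExpirationTimestamp
        Status   = $status
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Anything not OK needs follow-up: MISSING or EXPIRED hosts should run
# Invoke-LapsPolicyProcessing (or gpupdate /force) and be checked again.
```

Run it with an account that holds the read-password right from Step 4; the first section tells you whether that right has spread beyond the intended group, the second tells you which clients never registered a password or have stopped rotating it.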

Advanced: Customize LAPS Password Policies

Open the same GPO used in Step 6 and configure:

  • Password complexity
  • Password length
  • Expiration time (in days)

Recommended settings:

  • Length: 15–20 characters
  • Complexity: Enabled
  • Expiration: 30 days

Why LAPS Matters

By using Microsoft LAPS, you:

  • Improve security by eliminating shared local admin passwords
  • Rotate passwords automatically
  • Store credentials securely in AD
  • Grant granular access to admins only

LAPS is free, powerful, and essential for Active Directory environments in 2024 and beyond.