Posted on August 14, 2015 · Posted in Active Directory

Manage Local Administrator Passwords with LAPS

Managing the built-in accounts on domain computers is one of the security tasks that most needs a system administrator's attention. In particular, you should not allow the same local administrator password to be used on every computer. There are many approaches to managing local administrator accounts in a domain, from disabling them completely (not very convenient) to changing the passwords with GPO logon scripts or building your own system for managing built-in accounts and their passwords.

Earlier, one of the popular ways to change the local administrator password on PCs was Group Policy Preferences (GPP). However, a serious vulnerability was later found in this mechanism that allows any user to decrypt the password (we covered it in the article Why You Shouldn’t Set Passwords Using Group Policy Preferences). In May 2014, Microsoft released a security update (MS14-025 – KB 2962486) that completely disabled the ability to set local user passwords using GPP.

Today we’ll look in more detail at one technique for managing local administrator passwords in a domain: AdmPwd, now called LAPS (Local Administrator Password Solution).

Local Administrator Password Solution (LAPS) 

Important. This tool started out as a third-party project called AdmPwd. In May 2015, Microsoft announced an official version of AdmPwd, turning it from a third-party script into an officially supported solution. AdmPwd is now officially named LAPS (Local Administrator Password Solution).

LAPS allows you to centrally control and manage the administrator passwords on all domain computers and to store the password data directly in the Active Directory Computer objects.

LAPS is built on a Group Policy Client Side Extension (CSE) that generates and sets a unique local administrator password (for the built-in account whose SID ends in -500) on each computer in the domain. The password is changed automatically after a set period (by default, every 30 days). The current password is stored in a confidential attribute of the computer account in Active Directory, and the right to read that attribute is controlled by AD security groups.

You can download LAPS and its documentation here:

The LAPS distribution comes as two MSI installers: LAPS.x86.msi for 32-bit systems and LAPS.x64.msi for 64-bit systems.

The management tools are installed on the administrator’s machine, and the client part is installed on the servers and PCs whose local administrator password we plan to manage.

Tip. Before deploying LAPS in full, we recommend testing it in a lab environment that mirrors production, since at the very least you will need to extend the AD schema, which is irreversible.

LAPS setup

Run the installer on the administrator’s machine and select all components for installation. (You need at least .NET Framework 4.0.) The package consists of two parts:

  • AdmPwd GPO Extension is the executable part of LAPS
  • And management components:
    • Fat client UI is a tool to view a password
    • PowerShell module to manage LAPS
    • GPO Editor templates are the administrative templates for the GPO Editor

LAPS features

LAPS setup is very easy and shouldn’t cause any problems.

Active Directory Preparation

Before deploying the LAPS infrastructure, you have to extend the Active Directory schema with two new attributes of the Computer class:

  • ms-MCS-AdmPwd contains the local administrator password in plain text
  • ms-MCS-AdmPwdExpirationTime stores the date when the password expires

To extend the schema, open PowerShell and import module:



Then run the Active Directory schema extension (you’ll need Schema Admins privileges):



As a result, two new attributes are added to the Computer class.

Set the Privileges  for the Attributes

The administrator password is stored in an Active Directory attribute as plain text; access to it is restricted by marking the attribute as confidential (confidential attributes have been supported since Windows Server 2003). The ms-MCS-AdmPwd attribute, which holds the password, can be read by anyone holding the «All Extended Rights» permission: users and groups with this permission can read any confidential attribute, including ms-MCS-AdmPwd. Since we don’t want anyone except the domain administrators to see computer passwords, we have to limit the set of groups that have read access to these attributes.

Using the Find-AdmPwdExtendedRights cmdlet, you can list the accounts and groups that hold this permission on the OU named Desktops:

Find-AdmPwdExtendedRights -Identity Desktops | Format-Table ExtendedRightHolders


As we can see, only the Domain Admins group has read access to the confidential attributes.

If you need to remove read access to these attributes from certain groups or users, do the following:

Tip. You will have to restrict read permissions on every OU whose computer passwords will be managed by LAPS.

  • Open ADSIEdit and connect to the Default naming context.
  • Expand the tree, find the OU you need (in our example, Desktops), right-click it and select Properties.
  • Go to the Security tab and click Advanced. Click Add, and in the Select Principal section specify the group or user whose rights you want to restrict (e.g., domain\Support Team).
  • Uncheck All extended rights and save the changes.

Do the same for all groups, for which you want to forbid viewing the password.

Set Permissions for the Computers

Next, give the machine accounts permission to modify their own attributes (SELF), since the values of ms-MCS-AdmPwd and ms-MCS-AdmPwdExpirationTime are written under the computer’s own account. This is done with another cmdlet, Set-AdmPwdComputerSelfPermission.

To allow the computers in the Desktops OU to update the new attributes, run this command:

Set-AdmPwdComputerSelfPermission -OrgUnit Desktops

Set User Permissions

The next step is to give users and groups permission to read the local administrator passwords stored in Active Directory. For example, to grant the members of the AdmPwd group permission to read passwords:

Set-AdmPwdReadPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd


In addition, you can give a group of users permission to reset computer passwords (in our example, we grant it to the same AdmPwd group):

Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals AdmPwd


How to Configure LAPS Group Policy

Next, create a new GPO and link it to the OU containing the computers whose local administrator passwords we want to manage.

Register the LAPS extension in a policy named Password_Administrador_Local with the following command:

Register-AdmPwdWithGPO -GpoIdentity: Password_Administrador_Local
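
The schema, permission and GPO-registration steps from the sections above as one script, followed by an audit of who can read the password attribute. This is an added example, not code from the original article or from LAPS; it assumes the OU name Desktops, the reader group AdmPwd and the GPO name Password_Administrador_Local from the text, and the allow-list of expected rights holders is an assumption you should adjust to your domain.

```powershell
# Added example, not part of the original article. Assumed names: OU 'Desktops',
# reader group 'AdmPwd', GPO 'Password_Administrador_Local'.
Import-Module AdmPwd.PS

$ou      = 'Desktops'
$readers = 'AdmPwd'
$gpoName = 'Password_Administrador_Local'
# Principals that are expected to hold "All extended rights" on the OU (assumed list);
# any other holder can read ms-MCS-AdmPwd and is reported below.
$allowedHolders = @('SYSTEM', 'Domain Admins', 'Enterprise Admins', $readers)

# 1. Extend the schema once per forest (requires Schema Admins). This is irreversible.
Update-AdmPwdADSchema

# 2. Let computer accounts (SELF) write their own ms-MCS-AdmPwd* attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read and reset rights to the support group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Register the client-side extension in the GPO that will be linked to the OU.
Register-AdmPwdWithGPO -GpoIdentity $gpoName

# 5. Audit: every holder of "All extended rights" on the OU can read the plain-text
#    password. Report holders that are not on the allow-list so they can be removed
#    in ADSIEdit as described above.
Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        $name = ($holder -split '\\')[-1]    # strip the DOMAIN\ prefix
        if ($allowedHolders -notcontains $name) {
            [pscustomobject]@{ ObjectDN = $dn; UnexpectedHolder = $holder }
        }
    }
}
```

Run the audit part again after every change to OU permissions, and on each OU whose computers LAPS will manage.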


Open this policy in the GPO editor and configure it. To do it, go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS

LAPS GPO settings

As we can see, there are 4 configurable settings. Configure them as follows:

  • Enable local admin password management: Enabled
  • Password Settings: Enabled – this policy sets the complexity, length and age of the password
    • Complexity: upper-case letters, lower-case letters, numbers, special characters
    • Length: 12 characters
    • Age: 30 days
  • Name of administrator account to manage: Not Configured (by default, the password of the built-in account whose SID ends in -500 is managed)
  • Do not allow password expiration time longer than required by policy: Enabled

LAPS admin password GPO settings

Link the Password_Administrador_Local policy to the Desktops OU.

How to Install LAPS to Client Computers

After the GPO is configured, it’s time to install LAPS on the client computers. The LAPS client can be distributed in different ways: manually, with an SCCM task, with a logon script, etc. In our example, we’ll install the MSI file using Group Policy Software Installation (GPSI).

  1. Create a shared folder on the network and copy the LAPS MSI files to it.
  2. Create a new policy and, under Computer Configuration -> Policies -> Software Settings -> Software Installation, create a task to install the package.

install LAPS.msi via GPO

All that remains is to link the policy to the target OU; after a restart, the LAPS client will be installed on all computers in that OU.

Make sure that the entry Local admin password management solution has appeared in Programs and Features in the Control Panel.

When LAPS changes the administrator password, it writes an entry to the Application log (Event ID: 12, Source: AdmPwd).

EventID 12 AdmPwd - password change

Saving the password to Active Directory is also logged (Event ID: 13, Source: AdmPwd).

Event ID13 AdmPwd - save password  in AD

This is what the new attributes of a Computer object look like.

Local admin password store in Active Directory

Tip. The time of password expiration is stored in the format «Win32 FILETIME»

Using LAPS to View Passwords

The LAPS graphical interface (GUI) has to be installed on the administrators’ computers.


If you start the tool and enter a computer name, you can see the local administrator password and its expiration date.


You can set the password expiration date manually, or leave the field empty and click Set to mark the password as already expired.

Also, you can get the password using PowerShell:

Get-AdmPwdPassword -ComputerName <computername>
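
A coverage check to go with the PowerShell retrieval above and the FILETIME tip: an added example, not code from the original article or from LAPS. It lists every computer in an OU whose ms-MCS-AdmPwdExpirationTime is empty (never managed, so the client or GPO is not working there) or in the past (overdue for rotation). It assumes the Desktops OU from the text, a sample computer name PC01, and that the ActiveDirectory and AdmPwd.PS modules are installed on the administrator’s machine.

```powershell
# Added example, not part of the original article. Assumed: OU 'Desktops',
# sample computer 'PC01', ActiveDirectory and AdmPwd.PS modules available.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$ouDn = (Get-ADOrganizationalUnit -Filter "Name -eq 'Desktops'").DistinguishedName
$now  = [DateTime]::UtcNow

# ms-Mcs-AdmPwdExpirationTime is a Win32 FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC, stored as a 64-bit integer, so FromFileTimeUtc converts it.
$report = Get-ADComputer -Filter * -SearchBase $ouDn -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            $state = 'never-managed'   # attribute never written: CSE not running here
            $expires = $null
        } else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $state = if ($expires -lt $now) { 'expired' } else { 'ok' }
        }
        [pscustomobject]@{ Computer = $_.Name; State = $state; ExpiresUtc = $expires }
    }

$report | Sort-Object State, Computer | Format-Table -AutoSize

# The module's own cmdlet returns the expiry already converted to a DateTime,
# so the two views can be compared for a single machine:
(Get-AdmPwdPassword -ComputerName 'PC01').ExpirationTimestamp

# For a machine that is overdue, expiring the password makes the CSE set a new one
# at the next policy refresh (equivalent to clicking Set with an empty date in the GUI):
Reset-AdmPwdPassword -ComputerName 'PC01'
```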


LAPS (AdmPwd) can be recommended as a simple local administrator password management system for domain computers, with fine-grained control over the computers in different OUs. The passwords are stored in Active Directory attributes as plain text; however, the built-in AD tools let you restrict access to them.
